diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:11:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:11:40 +0000 |
commit | 7731832751ab9f3c6ddeb66f186d3d7fa1934a6d (patch) | |
tree | e91015872543a59be2aad26c2fea02e41b57005d /contrib/slapd-modules | |
parent | Initial commit. (diff) | |
download | openldap-7731832751ab9f3c6ddeb66f186d3d7fa1934a6d.tar.xz openldap-7731832751ab9f3c6ddeb66f186d3d7fa1934a6d.zip |
Adding upstream version 2.4.57+dfsg.upstream/2.4.57+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'contrib/slapd-modules')
116 files changed, 35715 insertions, 0 deletions
diff --git a/contrib/slapd-modules/README b/contrib/slapd-modules/README new file mode 100644 index 0000000..d9ff34d --- /dev/null +++ b/contrib/slapd-modules/README @@ -0,0 +1,61 @@ +Copyright 2008-2021 The OpenLDAP Foundation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +This directory contains native-API slapd modules (overlays etc): + +acl (plugins) + Plugins implementing access rules. Currently one plugin + which implements access control based on posixGroup membership. + +addpartial (overlay) + Treat Add requests as Modify requests if the entry exists. + +allop (overlay) + Return operational attributes for root DSE even when not + requested, since some clients expect this. + +autogroup (overlay) + Automated updates of group memberships. + +cloak (overlay) + Hide specific attributes unless explicitely requested + +comp_match (plugin) + Component Matching rules (RFC 3687). + +denyop (overlay) + Deny selected operations, returning unwillingToPerform. + +dsaschema (plugin) + Permit loading DSA-specific schema, including operational attrs. + +lastbind (overlay) + Record the last successful authentication on an entry. + +lastmod (overlay) + Track the time of the last write operation to a database. + +nops (overlay) + Remove null operations, e.g. changing a value to same as before. + +nssov (listener overlay) + Handle NSS lookup requests through a local Unix Domain socket. + +passwd (plugins) + Support additional password mechanisms. + Currently Kerberos, Netscape MTA-MD5 and RADIUS. + +proxyOld (plugin) + Proxy Authorization compatibility with obsolete internet-draft. + +smbk5pwd (overlay) + Make the PasswordModify Extended Operation update Kerberos + keys and Samba password hashes as well as userPassword. + +trace (overlay) + Trace overlay invocation. + +$OpenLDAP$ diff --git a/contrib/slapd-modules/acl/Makefile b/contrib/slapd-modules/acl/Makefile new file mode 100644 index 0000000..40a8e9e --- /dev/null +++ b/contrib/slapd-modules/acl/Makefile @@ -0,0 +1,50 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = posixgroup.la gssacl.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +posixgroup.la: posixgroup.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +gssacl.la: gssacl.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/acl/README.gssacl b/contrib/slapd-modules/acl/README.gssacl new file mode 100644 index 0000000..368b178 --- /dev/null +++ b/contrib/slapd-modules/acl/README.gssacl @@ -0,0 +1,32 @@ +This directory contains native slapd plugins that implement access rules. + +gssacl.c contains a simple example that implements access control +based on GSS naming extensions attributes. + +To use the acl-gssacl plugin, add: + +moduleload acl-gssacl.so + +to your slapd configuration file. +It is configured using + +access to <what> + by dynacl/gss/<attribute>.[.{base,regex,expand}]=<valpat> {<level>|<priv(s)>} + +The default is "exact"; in case of "expand", "<valpat>" results from +the expansion of submatches in the "<what>" portion. "<level>|<priv(s)>" +describe the level of privilege this rule can assume. + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \ + -o acl-gssacl.so gssacl.c + + +--- +Copyright 2011 PADL Software Pty Ltd. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + diff --git a/contrib/slapd-modules/acl/README.posixgroup b/contrib/slapd-modules/acl/README.posixgroup new file mode 100644 index 0000000..30f4e38 --- /dev/null +++ b/contrib/slapd-modules/acl/README.posixgroup @@ -0,0 +1,35 @@ +This directory contains native slapd plugins that implement access rules. + +posixgroup.c contains a simple example that implements access control +based on posixGroup membership, loosely inspired by ITS#3849. It should +be made clear that this access control policy does not reflect any +standard track model of handling access control, and should be +essentially viewed as an illustration of the use of the dynamic +extension of access control within slapd. + +To use the acl-posixgroup plugin, add: + +moduleload acl-posixgroup.so + +to your slapd configuration file; it requires "nis.schema" to be loaded. +It is configured using + +access to <what> + by dynacl/posixGroup[.{exact,expand}]=<dnpat> {<level>|<priv(s)} + +The default is "exact"; in case of "expand", "<dnpat>" results from +the expansion of submatches in the "<what>" portion. "<level>|<priv(s)>" +describe the level of privilege this rule can assume. + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \ + -o acl-posixgroup.so posixgroup.c + +--- +Copyright 2005-2021 The OpenLDAP Foundation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + diff --git a/contrib/slapd-modules/acl/gssacl.c b/contrib/slapd-modules/acl/gssacl.c new file mode 100644 index 0000000..2fba789 --- /dev/null +++ b/contrib/slapd-modules/acl/gssacl.c @@ -0,0 +1,316 @@ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2011 PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#include <ac/string.h> +#include <slap.h> +#include <lutil.h> + +#include <sasl/sasl.h> +#include <gssapi/gssapi.h> +#include <gssapi/gssapi_ext.h> + +#define ACL_BUF_SIZE 1024 + +typedef struct gssattr_t { + slap_style_t gssattr_style; + struct berval gssattr_name; /* asserted name */ + struct berval gssattr_value; /* asserted value */ +} gssattr_t; + +static int gssattr_dynacl_destroy( void *priv ); + +static int +regex_matches( + struct berval *pat, /* pattern to expand and match against */ + char *str, /* string to match against pattern */ + struct berval *dn_matches, /* buffer with $N expansion variables from DN */ + struct berval *val_matches, /* buffer with $N expansion variables from val */ + AclRegexMatches *matches /* offsets in buffer for $N expansion variables */ +); + +static int +gssattr_dynacl_parse( + const char *fname, + int lineno, + const char *opts, + slap_style_t style, + const char *pattern, + void **privp ) +{ + gssattr_t *gssattr; + + gssattr = (gssattr_t *)ch_calloc( 1, sizeof( gssattr_t ) ); + + if ( opts == NULL || opts[0] == '\0' ) { + fprintf( stderr, "%s line %d: GSS ACL: no attribute specified.\n", + fname, lineno ); + goto cleanup; + } + + if ( pattern == NULL || pattern[0] == '\0' ) { + fprintf( stderr, "%s line %d: GSS ACL: no attribute value specified.\n", + fname, lineno ); + goto cleanup; + } + + gssattr->gssattr_style = style; + + switch ( gssattr->gssattr_style ) { + case ACL_STYLE_BASE: + case ACL_STYLE_REGEX: + case ACL_STYLE_EXPAND: + break; + default: + fprintf( stderr, "%s line %d: GSS ACL: unsupported style \"%s\".\n", + fname, lineno, style_strings[style] ); + goto cleanup; + break; + } + + ber_str2bv( opts, 0, 1, &gssattr->gssattr_name ); + ber_str2bv( pattern, 0, 1, &gssattr->gssattr_value ); + + *privp = (void *)gssattr; + return 0; + +cleanup: + (void)gssattr_dynacl_destroy( (void *)gssattr ); + + return 1; +} + +static int +gssattr_dynacl_unparse( + void *priv, + struct berval *bv ) +{ + gssattr_t *gssattr = (gssattr_t *)priv; + char *ptr; + + bv->bv_len = STRLENOF( " dynacl/gss/.expand=" ) + + gssattr->gssattr_name.bv_len + + gssattr->gssattr_value.bv_len; + bv->bv_val = ch_malloc( bv->bv_len + 1 ); + + ptr = lutil_strcopy( bv->bv_val, " dynacl/gss/" ); + ptr = lutil_strncopy( ptr, gssattr->gssattr_name.bv_val, + gssattr->gssattr_name.bv_len ); + switch ( gssattr->gssattr_style ) { + case ACL_STYLE_BASE: + ptr = lutil_strcopy( ptr, ".exact=" ); + break; + case ACL_STYLE_REGEX: + ptr = lutil_strcopy( ptr, ".regex=" ); + break; + case ACL_STYLE_EXPAND: + ptr = lutil_strcopy( ptr, ".expand=" ); + break; + default: + assert( 0 ); + break; + } + + ptr = lutil_strncopy( ptr, gssattr->gssattr_value.bv_val, + gssattr->gssattr_value.bv_len ); + + ptr[ 0 ] = '\0'; + + bv->bv_len = ptr - bv->bv_val; + + return 0; +} + +static int +gssattr_dynacl_mask( + void *priv, + Operation *op, + Entry *target, + AttributeDescription *desc, + struct berval *val, + int nmatch, + regmatch_t *matches, + slap_access_t *grant, + slap_access_t *deny ) +{ + gssattr_t *gssattr = (gssattr_t *)priv; + sasl_conn_t *sasl_ctx = op->o_conn->c_sasl_authctx; + gss_name_t gss_name = GSS_C_NO_NAME; + OM_uint32 major, minor; + int more = -1; + int authenticated, complete; + gss_buffer_desc attr = GSS_C_EMPTY_BUFFER; + int granted = 0; + + ACL_INVALIDATE( *deny ); + + if ( sasl_ctx == NULL || + sasl_getprop( sasl_ctx, SASL_GSS_PEER_NAME, (const void **)&gss_name) != 0 || + gss_name == GSS_C_NO_NAME ) { + return 0; + } + + attr.length = gssattr->gssattr_name.bv_len; + attr.value = gssattr->gssattr_name.bv_val; + + while ( more != 0 ) { + AclRegexMatches amatches = { 0 }; + gss_buffer_desc gss_value = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gss_display_value = GSS_C_EMPTY_BUFFER; + struct berval bv_value; + + major = gss_get_name_attribute( &minor, gss_name, &attr, + &authenticated, &complete, + &gss_value, &gss_display_value, &more ); + if ( GSS_ERROR( major ) ) { + break; + } else if ( authenticated == 0 ) { + gss_release_buffer( &minor, &gss_value ); + gss_release_buffer( &minor, &gss_display_value ); + continue; + } + + bv_value.bv_len = gss_value.length; + bv_value.bv_val = (char *)gss_value.value; + + if ( !ber_bvccmp( &gssattr->gssattr_value, '*' ) ) { + if ( gssattr->gssattr_style != ACL_STYLE_BASE ) { + amatches.dn_count = nmatch; + AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) ); + } + + switch ( gssattr->gssattr_style ) { + case ACL_STYLE_REGEX: + /* XXX assumes value NUL terminated */ + granted = regex_matches( &gssattr->gssattr_value, bv_value.bv_val, + &target->e_nname, val, &amatches ); + break; + case ACL_STYLE_EXPAND: { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + + granted = ( acl_string_expand( &bv, &gssattr->gssattr_value, + &target->e_nname, val, + &amatches ) == 0 ) && + ( ber_bvstrcmp( &bv, &bv_value) == 0 ); + break; + } + case ACL_STYLE_BASE: + granted = ( ber_bvstrcmp( &gssattr->gssattr_value, &bv_value ) == 0 ); + break; + default: + assert(0); + break; + } + } else { + granted = 1; + } + + gss_release_buffer( &minor, &gss_value ); + gss_release_buffer( &minor, &gss_display_value ); + + if ( granted ) { + break; + } + } + + if ( granted ) { + ACL_LVL_ASSIGN_WRITE( *grant ); + } + + return 0; +} + +static int +gssattr_dynacl_destroy( + void *priv ) +{ + gssattr_t *gssattr = (gssattr_t *)priv; + + if ( gssattr != NULL ) { + if ( !BER_BVISNULL( &gssattr->gssattr_name ) ) { + ber_memfree( gssattr->gssattr_name.bv_val ); + } + if ( !BER_BVISNULL( &gssattr->gssattr_value ) ) { + ber_memfree( gssattr->gssattr_value.bv_val ); + } + ch_free( gssattr ); + } + + return 0; +} + +static struct slap_dynacl_t gssattr_dynacl = { + "gss", + gssattr_dynacl_parse, + gssattr_dynacl_unparse, + gssattr_dynacl_mask, + gssattr_dynacl_destroy +}; + +int +init_module( int argc, char *argv[] ) +{ + return slap_dynacl_register( &gssattr_dynacl ); +} + + +static int +regex_matches( + struct berval *pat, /* pattern to expand and match against */ + char *str, /* string to match against pattern */ + struct berval *dn_matches, /* buffer with $N expansion variables from DN */ + struct berval *val_matches, /* buffer with $N expansion variables from val */ + AclRegexMatches *matches /* offsets in buffer for $N expansion variables */ +) +{ + regex_t re; + char newbuf[ACL_BUF_SIZE]; + struct berval bv; + int rc; + + bv.bv_len = sizeof( newbuf ) - 1; + bv.bv_val = newbuf; + + if (str == NULL) { + str = ""; + }; + + acl_string_expand( &bv, pat, dn_matches, val_matches, matches ); + rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE ); + if ( rc ) { + char error[ACL_BUF_SIZE]; + regerror( rc, &re, error, sizeof( error ) ); + + Debug( LDAP_DEBUG_TRACE, + "compile( \"%s\", \"%s\") failed %s\n", + pat->bv_val, str, error ); + return( 0 ); + } + + rc = regexec( &re, str, 0, NULL, 0 ); + regfree( &re ); + + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: string: %s\n", str, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: rc: %d %s\n", + rc, !rc ? "matches" : "no matches", 0 ); + return( !rc ); +} + diff --git a/contrib/slapd-modules/acl/posixgroup.c b/contrib/slapd-modules/acl/posixgroup.c new file mode 100644 index 0000000..bc1a008 --- /dev/null +++ b/contrib/slapd-modules/acl/posixgroup.c @@ -0,0 +1,329 @@ +/* posixgroup.c */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#include <ac/string.h> +#include <slap.h> +#include <lutil.h> + +/* Need dynacl... */ + +#ifdef SLAP_DYNACL + +typedef struct pg_t { + slap_style_t pg_style; + struct berval pg_pat; +} pg_t; + +static ObjectClass *pg_posixGroup; +static AttributeDescription *pg_memberUid; +static ObjectClass *pg_posixAccount; +static AttributeDescription *pg_uidNumber; + +static int pg_dynacl_destroy( void *priv ); + +static int +pg_dynacl_parse( + const char *fname, + int lineno, + const char *opts, + slap_style_t style, + const char *pattern, + void **privp ) +{ + pg_t *pg; + int rc; + const char *text = NULL; + struct berval pat; + + ber_str2bv( pattern, 0, 0, &pat ); + + pg = ch_calloc( 1, sizeof( pg_t ) ); + + pg->pg_style = style; + + switch ( pg->pg_style ) { + case ACL_STYLE_BASE: + rc = dnNormalize( 0, NULL, NULL, &pat, &pg->pg_pat, NULL ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unable to normalize DN \"%s\".\n", + fname, lineno, pattern ); + goto cleanup; + } + break; + + case ACL_STYLE_EXPAND: + ber_dupbv( &pg->pg_pat, &pat ); + break; + + default: + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unsupported style \"%s\".\n", + fname, lineno, style_strings[ pg->pg_style ] ); + goto cleanup; + } + + /* TODO: use opts to allow the use of different + * group objects and member attributes */ + if ( pg_posixGroup == NULL ) { + pg_posixGroup = oc_find( "posixGroup" ); + if ( pg_posixGroup == NULL ) { + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unable to lookup \"posixGroup\" " + "objectClass.\n", + fname, lineno ); + goto cleanup; + } + + pg_posixAccount = oc_find( "posixAccount" ); + if ( pg_posixGroup == NULL ) { + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unable to lookup \"posixAccount\" " + "objectClass.\n", + fname, lineno ); + goto cleanup; + } + + rc = slap_str2ad( "memberUid", &pg_memberUid, &text ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unable to lookup \"memberUid\" " + "attributeDescription (%d: %s).\n", + fname, lineno, rc, text ); + goto cleanup; + } + + rc = slap_str2ad( "uidNumber", &pg_uidNumber, &text ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "%s line %d: posixGroup ACL: " + "unable to lookup \"uidNumber\" " + "attributeDescription (%d: %s).\n", + fname, lineno, rc, text ); + goto cleanup; + } + } + + *privp = (void *)pg; + return 0; + +cleanup: + (void)pg_dynacl_destroy( (void *)pg ); + + return 1; +} + +static int +pg_dynacl_unparse( + void *priv, + struct berval *bv ) +{ + pg_t *pg = (pg_t *)priv; + char *ptr; + + bv->bv_len = STRLENOF( " dynacl/posixGroup.expand=" ) + pg->pg_pat.bv_len; + bv->bv_val = ch_malloc( bv->bv_len + 1 ); + + ptr = lutil_strcopy( bv->bv_val, " dynacl/posixGroup" ); + + switch ( pg->pg_style ) { + case ACL_STYLE_BASE: + ptr = lutil_strcopy( ptr, ".exact=" ); + break; + + case ACL_STYLE_EXPAND: + ptr = lutil_strcopy( ptr, ".expand=" ); + break; + + default: + assert( 0 ); + } + + ptr = lutil_strncopy( ptr, pg->pg_pat.bv_val, pg->pg_pat.bv_len ); + ptr[ 0 ] = '\0'; + + bv->bv_len = ptr - bv->bv_val; + + return 0; +} + +static int +pg_dynacl_mask( + void *priv, + Operation *op, + Entry *target, + AttributeDescription *desc, + struct berval *val, + int nmatch, + regmatch_t *matches, + slap_access_t *grant, + slap_access_t *deny ) +{ + pg_t *pg = (pg_t *)priv; + Entry *group = NULL, + *user = NULL; + int rc; + Backend *be = op->o_bd, + *group_be = NULL, + *user_be = NULL; + struct berval group_ndn; + + ACL_INVALIDATE( *deny ); + + /* get user */ + if ( target && dn_match( &target->e_nname, &op->o_ndn ) ) { + user = target; + rc = LDAP_SUCCESS; + + } else { + user_be = op->o_bd = select_backend( &op->o_ndn, 0 ); + if ( op->o_bd == NULL ) { + op->o_bd = be; + return 0; + } + rc = be_entry_get_rw( op, &op->o_ndn, pg_posixAccount, pg_uidNumber, 0, &user ); + } + + if ( rc != LDAP_SUCCESS || user == NULL ) { + op->o_bd = be; + return 0; + } + + /* get target */ + if ( pg->pg_style == ACL_STYLE_EXPAND ) { + char buf[ 1024 ]; + struct berval bv; + AclRegexMatches amatches = { 0 }; + + amatches.dn_count = nmatch; + AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) ); + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + + if ( acl_string_expand( &bv, &pg->pg_pat, + &target->e_nname, + NULL, &amatches ) ) + { + goto cleanup; + } + + if ( dnNormalize( 0, NULL, NULL, &bv, &group_ndn, + op->o_tmpmemctx ) != LDAP_SUCCESS ) + { + /* did not expand to a valid dn */ + goto cleanup; + } + + } else { + group_ndn = pg->pg_pat; + } + + if ( target && dn_match( &target->e_nname, &group_ndn ) ) { + group = target; + rc = LDAP_SUCCESS; + + } else { + group_be = op->o_bd = select_backend( &group_ndn, 0 ); + if ( op->o_bd == NULL ) { + goto cleanup; + } + rc = be_entry_get_rw( op, &group_ndn, pg_posixGroup, pg_memberUid, 0, &group ); + } + + if ( group_ndn.bv_val != pg->pg_pat.bv_val ) { + op->o_tmpfree( group_ndn.bv_val, op->o_tmpmemctx ); + } + + if ( rc == LDAP_SUCCESS && group != NULL ) { + Attribute *a_uid, + *a_member; + + a_uid = attr_find( user->e_attrs, pg_uidNumber ); + if ( !a_uid || !BER_BVISNULL( &a_uid->a_nvals[ 1 ] ) ) { + rc = LDAP_NO_SUCH_ATTRIBUTE; + + } else { + a_member = attr_find( group->e_attrs, pg_memberUid ); + if ( !a_member ) { + rc = LDAP_NO_SUCH_ATTRIBUTE; + + } else { + rc = value_find_ex( pg_memberUid, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a_member->a_nvals, &a_uid->a_nvals[ 0 ], + op->o_tmpmemctx ); + } + } + + } else { + rc = LDAP_NO_SUCH_OBJECT; + } + + + if ( rc == LDAP_SUCCESS ) { + ACL_LVL_ASSIGN_WRITE( *grant ); + } + +cleanup:; + if ( group != NULL && group != target ) { + op->o_bd = group_be; + be_entry_release_r( op, group ); + op->o_bd = be; + } + + if ( user != NULL && user != target ) { + op->o_bd = user_be; + be_entry_release_r( op, user ); + op->o_bd = be; + } + + return 0; +} + +static int +pg_dynacl_destroy( + void *priv ) +{ + pg_t *pg = (pg_t *)priv; + + if ( pg != NULL ) { + if ( !BER_BVISNULL( &pg->pg_pat ) ) { + ber_memfree( pg->pg_pat.bv_val ); + } + ch_free( pg ); + } + + return 0; +} + +static struct slap_dynacl_t pg_dynacl = { + "posixGroup", + pg_dynacl_parse, + pg_dynacl_unparse, + pg_dynacl_mask, + pg_dynacl_destroy +}; + +int +init_module( int argc, char *argv[] ) +{ + return slap_dynacl_register( &pg_dynacl ); +} + +#endif /* SLAP_DYNACL */ diff --git a/contrib/slapd-modules/addpartial/Makefile b/contrib/slapd-modules/addpartial/Makefile new file mode 100644 index 0000000..a999d7f --- /dev/null +++ b/contrib/slapd-modules/addpartial/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = addpartial.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +addpartial.la: addpartial-overlay.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/addpartial/README b/contrib/slapd-modules/addpartial/README new file mode 100644 index 0000000..e2cb2ce --- /dev/null +++ b/contrib/slapd-modules/addpartial/README @@ -0,0 +1,72 @@ +addpartial Overlay README + +DESCRIPTION + This package contains an OpenLDAP overlay called "addpartial" that + intercepts add requests, determines if the entry exists, determines what + attributes, if any, have changed, and modifies those attributes. If the + entry does not exist, the add request falls through and proceeds normally. + If the entry exists but no changes have been detected, the client receives + LDAP_SUCCESS (I suppose it is debatable what to do in this case, but this is + the most clean for my use. The LDAP_SUCCESS lets me know that the entry I + sent slapd == the entry already in my slapd DB. Perhaps this behavior + should be configurable in the future). + + When a change is found, the addpartial overlay will replace all values for + the attribute (if an attribute does not exist in the new entry but exists + in the entry in the slapd DB, a replace will be done with an empty list of + values). + + Once a modify takes place, the syncprov overlay will properly process the + change, provided that addpartial is the first overlay to run. Please see + the CAVEATS for more specifics about this. + + The addpartial overlay makes it easy to replicate full entries to a slapd + instance without worrying about the differences between entries or even if + the entry exists. Using ldapadd to add entries, the addpartial overlay can + compare about 500 records per second. The intent of the addpartial overlay + is to make it easy to replicate records from a source that is not an LDAP + instance, such as a database. The overlay is also useful in places where it + is easier to create full entries rather than comparing an entry with an + entry that must be retrieved (with ldapsearch or similar) from an existing + slapd DB to find changes. + + The addpartial overlay has been used in production since August 2004 and has + processed millions of records without incident. + +BUILDING + A Makefile is included, please set your LDAP_SRC directory properly. + +INSTALLATION + After compiling the addpartial overlay, add the following to your + slapd.conf: + + ### slapd.conf + ... + moduleload addpartial.so + ... + # after database directive... + # this overlay should be the last overlay in the config file to ensure that + # it properly intercepts the add request + overlay addpartial + ... + ### end slapd.conf + +CAVEATS + - In order to ensure that addpartial does what it needs to do, it should be + the last overlay configured so it will run before the other overlays. + This is especially important if you are using syncrepl, as the modify that + addpartial does will muck with the locking that takes place in the + syncprov overlay. + +--- +Copyright 2004-2021 The OpenLDAP Foundation. +Portions Copyright (C) Virginia Tech, David Hawes. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in file LICENSE in the +top-level directory of the distribution or, alternatively, at +http://www.OpenLDAP.org/license.html. diff --git a/contrib/slapd-modules/addpartial/addpartial-overlay.c b/contrib/slapd-modules/addpartial/addpartial-overlay.c new file mode 100644 index 0000000..355c8ba --- /dev/null +++ b/contrib/slapd-modules/addpartial/addpartial-overlay.c @@ -0,0 +1,349 @@ +/* addpartial-overlay.c */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * Portions Copyright (C) 2004 Virginia Tech, David Hawes. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * http://www.OpenLDAP.org/license.html. + */ +/* ACKNOLEDGEDMENTS: + * This work was initially developed by David Hawes of Virginia Tech + * for inclusion in OpenLDAP Software. + */ +/* addpartial-overlay + * + * This is an OpenLDAP overlay that intercepts ADD requests, determines if a + * change has actually taken place for that record, and then performs a modify + * request for those values that have changed (modified, added, deleted). If + * the record has not changed in any way, it is ignored. If the record does not + * exist, the record falls through to the normal add mechanism. This overlay is + * useful for replicating from sources that are not LDAPs where it is easier to + * build entire records than to determine the changes (i.e. a database). + */ + +#include "portable.h" +#include "slap.h" + +static int collect_error_msg_cb( Operation *op, SlapReply *rs); + +static slap_overinst addpartial; + +/** + * The meat of the overlay. Search for the record, determine changes, take + * action or fall through. + */ +static int addpartial_add( Operation *op, SlapReply *rs) +{ + Operation nop = *op; + Entry *toAdd = NULL; + Entry *found = NULL; + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + int rc; + + toAdd = op->oq_add.rs_e; + + Debug(LDAP_DEBUG_TRACE, "%s: toAdd->e_nname.bv_val: %s\n", + addpartial.on_bi.bi_type, toAdd->e_nname.bv_val,0); + + /* if the user doesn't have access, fall through to the normal ADD */ + if(!access_allowed(op, toAdd, slap_schema.si_ad_entry, + NULL, ACL_WRITE, NULL)) + { + return SLAP_CB_CONTINUE; + } + + rc = overlay_entry_get_ov(&nop, &nop.o_req_ndn, NULL, NULL, 0, &found, on); + + if(rc != LDAP_SUCCESS) + { + Debug(LDAP_DEBUG_TRACE, + "%s: no entry found, falling through to normal add\n", + addpartial.on_bi.bi_type, 0, 0); + return SLAP_CB_CONTINUE; + } + else + { + Debug(LDAP_DEBUG_TRACE, "%s: found the dn\n", addpartial.on_bi.bi_type, + 0,0); + + if(found) + { + Attribute *attr = NULL; + Attribute *at = NULL; + int ret; + Modifications *mods = NULL; + Modifications **modtail = &mods; + Modifications *mod = NULL; + + Debug(LDAP_DEBUG_TRACE, "%s: have an entry!\n", + addpartial.on_bi.bi_type,0,0); + + /* determine if the changes are in the found entry */ + for(attr = toAdd->e_attrs; attr; attr = attr->a_next) + { + if(attr->a_desc->ad_type->sat_atype.at_usage != 0) continue; + + at = attr_find(found->e_attrs, attr->a_desc); + if(!at) + { + Debug(LDAP_DEBUG_TRACE, "%s: Attribute %s not found!\n", + addpartial.on_bi.bi_type, + attr->a_desc->ad_cname.bv_val,0); + mod = (Modifications *) ch_malloc(sizeof( + Modifications)); + mod->sml_flags = 0; + mod->sml_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES; + mod->sml_op &= LDAP_MOD_OP; + mod->sml_next = NULL; + mod->sml_desc = attr->a_desc; + mod->sml_type = attr->a_desc->ad_cname; + mod->sml_values = attr->a_vals; + mod->sml_nvalues = attr->a_nvals; + mod->sml_numvals = attr->a_numvals; + *modtail = mod; + modtail = &mod->sml_next; + } + else + { + MatchingRule *mr = attr->a_desc->ad_type->sat_equality; + struct berval *bv; + const char *text; + int acount , bcount; + Debug(LDAP_DEBUG_TRACE, "%s: Attribute %s found\n", + addpartial.on_bi.bi_type, + attr->a_desc->ad_cname.bv_val,0); + + for(bv = attr->a_vals, acount = 0; bv->bv_val != NULL; + bv++, acount++) + { + /* count num values for attr */ + } + for(bv = at->a_vals, bcount = 0; bv->bv_val != NULL; + bv++, bcount++) + { + /* count num values for attr */ + } + if(acount != bcount) + { + Debug(LDAP_DEBUG_TRACE, "%s: acount != bcount, %s\n", + addpartial.on_bi.bi_type, + "replace all",0); + mod = (Modifications *) ch_malloc(sizeof( + Modifications)); + mod->sml_flags = 0; + mod->sml_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES; + mod->sml_op &= LDAP_MOD_OP; + mod->sml_next = NULL; + mod->sml_desc = attr->a_desc; + mod->sml_type = attr->a_desc->ad_cname; + mod->sml_values = attr->a_vals; + mod->sml_nvalues = attr->a_nvals; + mod->sml_numvals = attr->a_numvals; + *modtail = mod; + modtail = &mod->sml_next; + continue; + } + + for(bv = attr->a_vals; bv->bv_val != NULL; bv++) + { + struct berval *v; + ret = -1; + + for(v = at->a_vals; v->bv_val != NULL; v++) + { + int r; + if(mr && ((r = value_match(&ret, attr->a_desc, mr, + SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + bv, v, &text)) == 0)) + { + if(ret == 0) + break; + } + else + { + Debug(LDAP_DEBUG_TRACE, + "%s: \tvalue DNE, r: %d \n", + addpartial.on_bi.bi_type, + r,0); + ret = strcmp(bv->bv_val, v->bv_val); + if(ret == 0) + break; + } + } + + if(ret == 0) + { + Debug(LDAP_DEBUG_TRACE, + "%s: \tvalue %s exists, ret: %d\n", + addpartial.on_bi.bi_type, bv->bv_val, ret); + } + else + { + Debug(LDAP_DEBUG_TRACE, + "%s: \tvalue %s DNE, ret: %d\n", + addpartial.on_bi.bi_type, bv->bv_val, ret); + mod = (Modifications *) ch_malloc(sizeof( + Modifications)); + mod->sml_flags = 0; + mod->sml_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES; + mod->sml_op &= LDAP_MOD_OP; + mod->sml_next = NULL; + mod->sml_desc = attr->a_desc; + mod->sml_type = attr->a_desc->ad_cname; + mod->sml_values = attr->a_vals; + mod->sml_nvalues = attr->a_nvals; + mod->sml_numvals = attr->a_numvals; + *modtail = mod; + modtail = &mod->sml_next; + break; + } + } + } + } + + /* determine if any attributes were deleted */ + for(attr = found->e_attrs; attr; attr = attr->a_next) + { + if(attr->a_desc->ad_type->sat_atype.at_usage != 0) continue; + + at = NULL; + at = attr_find(toAdd->e_attrs, attr->a_desc); + if(!at) + { + Debug(LDAP_DEBUG_TRACE, + "%s: Attribute %s not found in new entry!!!\n", + addpartial.on_bi.bi_type, + attr->a_desc->ad_cname.bv_val, 0); + mod = (Modifications *) ch_malloc(sizeof( + Modifications)); + mod->sml_flags = 0; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_next = NULL; + mod->sml_desc = attr->a_desc; + mod->sml_type = attr->a_desc->ad_cname; + mod->sml_values = NULL; + mod->sml_nvalues = NULL; + mod->sml_numvals = 0; + *modtail = mod; + modtail = &mod->sml_next; + } + else + { + Debug(LDAP_DEBUG_TRACE, + "%s: Attribute %s found in new entry\n", + addpartial.on_bi.bi_type, + at->a_desc->ad_cname.bv_val, 0); + } + } + + overlay_entry_release_ov(&nop, found, 0, on); + + if(mods) + { + Modifications *m = NULL; + Modifications *toDel; + int modcount; + slap_callback nullcb = { NULL, collect_error_msg_cb, + NULL, NULL }; + + Debug(LDAP_DEBUG_TRACE, "%s: mods to do...\n", + addpartial.on_bi.bi_type, 0, 0); + + nop.o_tag = LDAP_REQ_MODIFY; + nop.orm_modlist = mods; + nop.orm_no_opattrs = 0; + nop.o_callback = &nullcb; + nop.o_bd->bd_info = (BackendInfo *) on->on_info; + + for(m = mods, modcount = 0; m; m = m->sml_next, + modcount++) + { + /* count number of mods */ + } + + Debug(LDAP_DEBUG_TRACE, "%s: number of mods: %d\n", + addpartial.on_bi.bi_type, modcount, 0); + + if(nop.o_bd->be_modify) + { + SlapReply nrs = { REP_RESULT }; + rc = (nop.o_bd->be_modify)(&nop, &nrs); + } + + if(rc == LDAP_SUCCESS) + { + Debug(LDAP_DEBUG_TRACE, + "%s: modify successful\n", + addpartial.on_bi.bi_type, 0, 0); + } + else + { + Debug(LDAP_DEBUG_TRACE, "%s: modify unsuccessful: %d\n", + addpartial.on_bi.bi_type, rc, 0); + rs->sr_err = rc; + if(nullcb.sc_private) + { + rs->sr_text = nullcb.sc_private; + } + } + + Debug(LDAP_DEBUG_TRACE, "%s: freeing mods...\n", + addpartial.on_bi.bi_type, 0, 0); + + for(toDel = mods; toDel; toDel = mods) + { + mods = mods->sml_next; + ch_free(toDel); + } + } + else + { + Debug(LDAP_DEBUG_TRACE, "%s: no mods to process\n", + addpartial.on_bi.bi_type, 0, 0); + } + } + else + { + Debug(LDAP_DEBUG_TRACE, "%s: no entry!\n", + addpartial.on_bi.bi_type, 0, 0); + } + + op->o_callback = NULL; + send_ldap_result( op, rs ); + ch_free((void *)rs->sr_text); + rs->sr_text = NULL; + + return LDAP_SUCCESS; + } +} + +static int collect_error_msg_cb( Operation *op, SlapReply *rs) +{ + if(rs->sr_text) + { + op->o_callback->sc_private = (void *) ch_strdup(rs->sr_text); + } + + return LDAP_SUCCESS; +} + +int addpartial_init() +{ + addpartial.on_bi.bi_type = "addpartial"; + addpartial.on_bi.bi_op_add = addpartial_add; + + return (overlay_register(&addpartial)); +} + +int init_module(int argc, char *argv[]) +{ + return addpartial_init(); +} diff --git a/contrib/slapd-modules/allop/Makefile b/contrib/slapd-modules/allop/Makefile new file mode 100644 index 0000000..1af134c --- /dev/null +++ b/contrib/slapd-modules/allop/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = allop.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +allop.la: allop.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/allop/README b/contrib/slapd-modules/allop/README new file mode 100644 index 0000000..6809d34 --- /dev/null +++ b/contrib/slapd-modules/allop/README @@ -0,0 +1,26 @@ +This directory contains a slapd overlay, allop. +The intended usage is as a global overlay for use with those clients +that do not make use of the RFC3673 allOp ("+") in the requested +attribute list, but expect all operational attributes to be returned. +Usage: add to slapd.conf(5) + +moduleload path/to/allop.so + +overlay allop +allop-URI <ldapURI> + +if the allop-URI is not given, the rootDSE, i.e. "ldap:///??base", +is assumed. + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \ + -o allop.so allop.c + +--- +Copyright 2004-2021 The OpenLDAP Foundation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + diff --git a/contrib/slapd-modules/allop/allop.c b/contrib/slapd-modules/allop/allop.c new file mode 100644 index 0000000..fc7d0f6 --- /dev/null +++ b/contrib/slapd-modules/allop/allop.c @@ -0,0 +1,261 @@ +/* allop.c - returns all operational attributes when appropriate */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2005-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion in + * OpenLDAP Software. + */ + +/* + * The intended usage is as a global overlay for use with those clients + * that do not make use of the RFC3673 allOp ("+") in the requested + * attribute list, but expect all operational attributes to be returned. + * Usage: add + * + +overlay allop +allop-URI <ldapURI> + + * + * if the allop-URI is not given, the rootDSE, i.e. "ldap:///??base", + * is assumed. + */ + +#include "portable.h" + +#include <stdio.h> +#include <ac/string.h> + +#include "slap.h" +#include "config.h" + +#define SLAP_OVER_VERSION_REQUIRE(major,minor,patch) \ + ( \ + ( LDAP_VENDOR_VERSION_MAJOR == X || LDAP_VENDOR_VERSION_MAJOR >= (major) ) \ + && ( LDAP_VENDOR_VERSION_MINOR == X || LDAP_VENDOR_VERSION_MINOR >= (minor) ) \ + && ( LDAP_VENDOR_VERSION_PATCH == X || LDAP_VENDOR_VERSION_PATCH >= (patch) ) \ + ) + +#if !SLAP_OVER_VERSION_REQUIRE(2,3,0) +#error "version mismatch" +#endif + +typedef struct allop_t { + struct berval ao_ndn; + int ao_scope; +} allop_t; + +static int +allop_db_config( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + allop_t *ao = (allop_t *)on->on_bi.bi_private; + + if ( strcasecmp( argv[ 0 ], "allop-uri" ) == 0 ) { + LDAPURLDesc *lud; + struct berval dn, + ndn; + int scope, + rc = LDAP_SUCCESS; + + if ( argc != 2 ) { + fprintf( stderr, "%s line %d: " + "need exactly 1 arg " + "in \"allop-uri <ldapURI>\" " + "directive.\n", + fname, lineno ); + return 1; + } + + if ( ldap_url_parse( argv[ 1 ], &lud ) != LDAP_URL_SUCCESS ) { + return -1; + } + + scope = lud->lud_scope; + if ( scope == LDAP_SCOPE_DEFAULT ) { + scope = LDAP_SCOPE_BASE; + } + + if ( lud->lud_dn == NULL || lud->lud_dn[ 0 ] == '\0' ) { + if ( scope == LDAP_SCOPE_BASE ) { + BER_BVZERO( &ndn ); + + } else { + ber_str2bv( "", 0, 1, &ndn ); + } + + } else { + + ber_str2bv( lud->lud_dn, 0, 0, &dn ); + rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL ); + } + + ldap_free_urldesc( lud ); + if ( rc != LDAP_SUCCESS ) { + return -1; + } + + if ( BER_BVISNULL( &ndn ) ) { + /* rootDSE */ + if ( ao != NULL ) { + ch_free( ao->ao_ndn.bv_val ); + ch_free( ao ); + on->on_bi.bi_private = NULL; + } + + } else { + if ( ao == NULL ) { + ao = ch_calloc( 1, sizeof( allop_t ) ); + on->on_bi.bi_private = (void *)ao; + + } else { + ch_free( ao->ao_ndn.bv_val ); + } + + ao->ao_ndn = ndn; + ao->ao_scope = scope; + } + + } else { + return SLAP_CONF_UNKNOWN; + } + + return 0; +} + +static int +allop_db_destroy( BackendDB *be, ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + allop_t *ao = (allop_t *)on->on_bi.bi_private; + + if ( ao != NULL ) { + assert( !BER_BVISNULL( &ao->ao_ndn ) ); + + ch_free( ao->ao_ndn.bv_val ); + ch_free( ao ); + on->on_bi.bi_private = NULL; + } + + return 0; +} + +static int +allop_op_search( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + allop_t *ao = (allop_t *)on->on_bi.bi_private; + + slap_mask_t mask; + int i, + add_allUser = 0; + + if ( ao == NULL ) { + if ( !BER_BVISEMPTY( &op->o_req_ndn ) + || op->ors_scope != LDAP_SCOPE_BASE ) + { + return SLAP_CB_CONTINUE; + } + + } else { + if ( !dnIsSuffix( &op->o_req_ndn, &ao->ao_ndn ) ) { + return SLAP_CB_CONTINUE; + } + + switch ( ao->ao_scope ) { + case LDAP_SCOPE_BASE: + if ( op->o_req_ndn.bv_len != ao->ao_ndn.bv_len ) { + return SLAP_CB_CONTINUE; + } + break; + + case LDAP_SCOPE_ONELEVEL: + if ( op->ors_scope == LDAP_SCOPE_BASE ) { + struct berval rdn = op->o_req_ndn; + + rdn.bv_len -= ao->ao_ndn.bv_len + STRLENOF( "," ); + if ( !dnIsOneLevelRDN( &rdn ) ) { + return SLAP_CB_CONTINUE; + } + + break; + } + return SLAP_CB_CONTINUE; + + case LDAP_SCOPE_SUBTREE: + break; + } + } + + mask = slap_attr_flags( op->ors_attrs ); + if ( SLAP_OPATTRS( mask ) ) { + return SLAP_CB_CONTINUE; + } + + if ( !SLAP_USERATTRS( mask ) ) { + return SLAP_CB_CONTINUE; + } + + i = 0; + if ( op->ors_attrs == NULL ) { + add_allUser = 1; + + } else { + for ( ; !BER_BVISNULL( &op->ors_attrs[ i ].an_name ); i++ ) + ; + } + + op->ors_attrs = op->o_tmprealloc( op->ors_attrs, + sizeof( AttributeName ) * ( i + add_allUser + 2 ), + op->o_tmpmemctx ); + + if ( add_allUser ) { + op->ors_attrs[ i ] = slap_anlist_all_user_attributes[ 0 ]; + i++; + } + + op->ors_attrs[ i ] = slap_anlist_all_operational_attributes[ 0 ]; + + BER_BVZERO( &op->ors_attrs[ i + 1 ].an_name ); + + return SLAP_CB_CONTINUE; +} + +static slap_overinst allop; + +int +allop_init() +{ + allop.on_bi.bi_type = "allop"; + + allop.on_bi.bi_db_config = allop_db_config; + allop.on_bi.bi_db_destroy = allop_db_destroy; + + allop.on_bi.bi_op_search = allop_op_search; + + return overlay_register( &allop ); +} + +int +init_module( int argc, char *argv[] ) +{ + return allop_init(); +} + diff --git a/contrib/slapd-modules/allop/slapo-allop.5 b/contrib/slapd-modules/allop/slapo-allop.5 new file mode 100644 index 0000000..9bb7d83 --- /dev/null +++ b/contrib/slapd-modules/allop/slapo-allop.5 @@ -0,0 +1,63 @@ +.TH SLAPO-ALLOP 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2005-2021 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapo-allop \- All Operational Attributes overlay +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The All Operational Attributes overlay is designed to allow slapd to +interoperate with dumb clients that expect all attributes, including +operational ones, to be returned when "*" or an empty attribute list +is requested, as opposed to RFC2251 and RFC3673. +.SH CONFIGURATION +These +.B slapd.conf +options apply to the All Operational overlay. +They should appear after the +.B overlay +directive and before any subsequent +.B database +directive. +.TP +.B allop-URI <ldapURI> +Specify the base and the scope of search operations that trigger the overlay. +By default, it is "ldap:///??base", i.e. it only applies to the rootDSE. +This requires the overlay to be instantited as global. + +.SH EXAMPLES +.LP +default behavior: only affects requests to the rootDSE +.nf + # global + overlay allop +.fi +.LP +affects all requests +.nf + # global + overlay allop + allop-URI "ldap:///??sub" +.fi +.LP +affects only requests directed to the suffix of a database +.nf + # per database + database bdb + suffix "dc=example,dc=com" + # database specific directives ... + overlay allop + allop-URI "ldap:///dc=example,dc=com??base" +.fi + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5). + +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2005 by Pierangelo Masarati for SysNet s.n.c. diff --git a/contrib/slapd-modules/allowed/Makefile b/contrib/slapd-modules/allowed/Makefile new file mode 100644 index 0000000..b0ba0c7 --- /dev/null +++ b/contrib/slapd-modules/allowed/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_ALLOWED=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = allowed.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +allowed.la: allowed.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/allowed/README b/contrib/slapd-modules/allowed/README new file mode 100644 index 0000000..e3372c1 --- /dev/null +++ b/contrib/slapd-modules/allowed/README @@ -0,0 +1,73 @@ +This directory contains a slapd overlay, "allowed". + + --- o --- o --- o --- + +It adds to entries returned by search operations the value of attributes + +"allowedAttributes" + <http://msdn.microsoft.com/en-us/library/ms675217(VS.85).aspx> + +"allowedAttributesEffective" + <http://msdn.microsoft.com/en-us/library/ms675218(VS.85).aspx> + +"allowedChildClasses" + <http://msdn.microsoft.com/en-us/library/ms675219(VS.85).aspx> + +"allowedChildClassesEffective" + <http://msdn.microsoft.com/en-us/library/ms675220(VS.85).aspx> + +No other use is made of those attributes: they cannot be compared, +they cannot be used in search filters, they cannot be used in ACLs, ... + + --- o --- o --- o --- + +Usage: add to slapd.conf(5) + + +moduleload path/to/allowed.so +overlay allowed + +or add + +dn: olcOverlay={0}allowed,olcDatabase={1}bdb,cn=config +objectClass: olcOverlayConfig +olcOverlay: {0}allowed + +as a child of the database that's intended to support this feature +(replace "olcDatabase={1}bdb,cn=config" with the appropriate parent); +or use + +dn: olcOverlay={0}allowed,olcDatabase={-1}frontend,cn=config +objectClass: olcOverlayConfig +olcOverlay: {0}allowed + +if it's supposed to be global. + + --- o --- o --- o --- + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -I../../../servers/slapd -Wall -g \ + -o allowed.so allowed.c + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2006-2021 The OpenLDAP Foundation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + +ACKNOWLEDGEMENTS: +This work was initially developed by Pierangelo Masarati for inclusion in +OpenLDAP Software. + diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c new file mode 100644 index 0000000..e824abe --- /dev/null +++ b/contrib/slapd-modules/allowed/allowed.c @@ -0,0 +1,507 @@ +/* allowed.c - add allowed attributes based on ACL */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2006-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion in + * OpenLDAP Software. + */ + +/* + * Rationale: return in allowedAttributes the attributes required/allowed + * by the objectClasses that are currently present in an object; return + * in allowedAttributesEffective the subset of the above that can be written + * by the identity that performs the search. + * + * Caveats: + * - right now, the overlay assumes that all values of the objectClass + * attribute will be returned in rs->sr_entry; this may not be true + * in general, but it usually is for back-bdb/back-hdb. To generalize, + * the search request should be analyzed, and if allowedAttributes or + * allowedAttributesEffective are requested, add objectClass to the + * requested attributes + * - it assumes that there is no difference between write-add and + * write-delete + * - it assumes that access rules do not depend on the values of the + * attributes or on the contents of the entry (attr/val, filter, ...) + * allowedAttributes and allowedAttributesEffective cannot be used + * in filters or in compare + */ + +#include "portable.h" + +/* define SLAPD_OVER_ALLOWED=2 to build as run-time loadable module */ +#ifdef SLAPD_OVER_ALLOWED + +#include "slap.h" + +/* + * NOTE: part of the schema definition reported below is taken + * from Microsoft schema definitions (OID, NAME, SYNTAX); + * + * EQUALITY is taken from + * <http://www.redhat.com/archives/fedora-directory-devel/2006-August/msg00007.html> + * (posted by Andrew Bartlett) + * + * The rest is guessed. Specifically + * + * DESC briefly describes the purpose + * + * NO-USER-MODIFICATION is added to make attributes operational + * + * USAGE is set to "dSAOperation" as per ITS#7493, + * to prevent replication, since this information + * is generated (based on ACL and identity of request) + * and not stored. + */ + +#define AA_SCHEMA_AT "1.2.840.113556.1.4" + +static AttributeDescription + *ad_allowedChildClasses, + *ad_allowedChildClassesEffective, + *ad_allowedAttributes, + *ad_allowedAttributesEffective; + +static struct { + char *at; + AttributeDescription **ad; +} aa_attrs[] = { + { "( " AA_SCHEMA_AT ".911 " + "NAME 'allowedChildClasses' " + "EQUALITY objectIdentifierMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 " + /* added by me :) */ + "DESC 'Child classes allowed for a given object' " + "NO-USER-MODIFICATION " + "USAGE dSAOperation )", &ad_allowedChildClasses }, + { "( " AA_SCHEMA_AT ".912 " + "NAME 'allowedChildClassesEffective' " + "EQUALITY objectIdentifierMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 " + /* added by me :) */ + "DESC 'Child classes allowed for a given object according to ACLs' " + "NO-USER-MODIFICATION " + "USAGE dSAOperation )", &ad_allowedChildClassesEffective }, + { "( " AA_SCHEMA_AT ".913 " + "NAME 'allowedAttributes' " + "EQUALITY objectIdentifierMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 " + /* added by me :) */ + "DESC 'Attributes allowed for a given object' " + "NO-USER-MODIFICATION " + "USAGE dSAOperation )", &ad_allowedAttributes }, + { "( " AA_SCHEMA_AT ".914 " + "NAME 'allowedAttributesEffective' " + "EQUALITY objectIdentifierMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 " + /* added by me :) */ + "DESC 'Attributes allowed for a given object according to ACLs' " + "NO-USER-MODIFICATION " + "USAGE dSAOperation )", &ad_allowedAttributesEffective }, + + /* TODO: add objectClass stuff? */ + + { NULL, NULL } +}; + +static int +aa_add_at( AttributeType *at, AttributeType ***atpp ) +{ + int i = 0; + + if ( *atpp ) { + for ( i = 0; (*atpp)[ i ] != NULL; i++ ) { + if ( (*atpp)[ i ] == at ) { + break; + } + } + + if ( (*atpp)[ i ] != NULL ) { + return 0; + } + } + + *atpp = ch_realloc( *atpp, sizeof( AttributeType * ) * ( i + 2 ) ); + (*atpp)[ i ] = at; + (*atpp)[ i + 1 ] = NULL; + + return 0; +} + +static int +aa_add_oc( ObjectClass *oc, ObjectClass ***ocpp, AttributeType ***atpp ) +{ + int i = 0; + + if ( *ocpp ) { + for ( ; (*ocpp)[ i ] != NULL; i++ ) { + if ( (*ocpp)[ i ] == oc ) { + break; + } + } + + if ( (*ocpp)[ i ] != NULL ) { + return 0; + } + } + + *ocpp = ch_realloc( *ocpp, sizeof( ObjectClass * ) * ( i + 2 ) ); + (*ocpp)[ i ] = oc; + (*ocpp)[ i + 1 ] = NULL; + + if ( oc->soc_required ) { + int i; + + for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) { + aa_add_at( oc->soc_required[ i ], atpp ); + } + } + + if ( oc->soc_allowed ) { + int i; + + for ( i = 0; oc->soc_allowed[ i ] != NULL; i++ ) { + aa_add_at( oc->soc_allowed[ i ], atpp ); + } + } + + return 0; +} + +static int +aa_operational( Operation *op, SlapReply *rs ) +{ + Attribute *a, **ap; + AccessControlState acl_state = ACL_STATE_INIT; + struct berval *v; + AttributeType **atp = NULL; + ObjectClass **ocp = NULL; + +#define GOT_NONE (0x0U) +#define GOT_C (0x1U) +#define GOT_CE (0x2U) +#define GOT_A (0x4U) +#define GOT_AE (0x8U) +#define GOT_ALL (GOT_C|GOT_CE|GOT_A|GOT_AE) + int got = GOT_NONE; + + /* only add if requested */ + if ( SLAP_OPATTRS( rs->sr_attr_flags ) ) { + got = GOT_ALL; + + } else { + if ( ad_inlist( ad_allowedChildClasses, rs->sr_attrs ) ) { + got |= GOT_C; + } + + if ( ad_inlist( ad_allowedChildClassesEffective, rs->sr_attrs ) ) { + got |= GOT_CE; + } + + if ( ad_inlist( ad_allowedAttributes, rs->sr_attrs ) ) { + got |= GOT_A; + } + + if ( ad_inlist( ad_allowedAttributesEffective, rs->sr_attrs ) ) { + got |= GOT_AE; + } + } + + if ( got == GOT_NONE ) { + return SLAP_CB_CONTINUE; + } + + /* shouldn't be called without an entry; please check */ + assert( rs->sr_entry != NULL ); + + for ( ap = &rs->sr_operational_attrs; *ap != NULL; ap = &(*ap)->a_next ) + /* go to last */ ; + + /* see caveats; this is not guaranteed for all backends */ + a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass ); + if ( a == NULL ) { + goto do_oc; + } + + /* if client has no access to objectClass attribute; don't compute */ + if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_objectClass, + NULL, ACL_READ, &acl_state ) ) + { + return SLAP_CB_CONTINUE; + } + + for ( v = a->a_nvals; !BER_BVISNULL( v ); v++ ) { + ObjectClass *oc = oc_bvfind( v ); + + assert( oc != NULL ); + + /* if client has no access to specific value, don't compute */ + if ( !access_allowed( op, rs->sr_entry, + slap_schema.si_ad_objectClass, + &oc->soc_cname, ACL_READ, &acl_state ) ) + { + continue; + } + + aa_add_oc( oc, &ocp, &atp ); + + if ( oc->soc_sups ) { + int i; + + for ( i = 0; oc->soc_sups[ i ] != NULL; i++ ) { + aa_add_oc( oc->soc_sups[ i ], &ocp, &atp ); + } + } + } + + ch_free( ocp ); + + if ( atp != NULL ) { + BerVarray bv_allowed = NULL, + bv_effective = NULL; + int i, ja = 0, je = 0; + + for ( i = 0; atp[ i ] != NULL; i++ ) + /* just count */ ; + + if ( got & GOT_A ) { + bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); + } + if ( got & GOT_AE ) { + bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); + } + + for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) { + if ( got & GOT_A ) { + ber_dupbv( &bv_allowed[ ja ], &atp[ i ]->sat_cname ); + ja++; + } + + if ( got & GOT_AE ) { + AttributeDescription *ad = NULL; + const char *text = NULL; + + if ( slap_bv2ad( &atp[ i ]->sat_cname, &ad, &text ) ) { + /* log? */ + continue; + } + + if ( access_allowed( op, rs->sr_entry, + ad, NULL, ACL_WRITE, NULL ) ) + { + ber_dupbv( &bv_effective[ je ], &atp[ i ]->sat_cname ); + je++; + } + } + } + + ch_free( atp ); + + if ( ( got & GOT_A ) && ja > 0 ) { + BER_BVZERO( &bv_allowed[ ja ] ); + *ap = attr_alloc( ad_allowedAttributes ); + (*ap)->a_vals = bv_allowed; + (*ap)->a_nvals = bv_allowed; + (*ap)->a_numvals = ja; + ap = &(*ap)->a_next; + } + + if ( ( got & GOT_AE ) && je > 0 ) { + BER_BVZERO( &bv_effective[ je ] ); + *ap = attr_alloc( ad_allowedAttributesEffective ); + (*ap)->a_vals = bv_effective; + (*ap)->a_nvals = bv_effective; + (*ap)->a_numvals = je; + ap = &(*ap)->a_next; + } + + *ap = NULL; + } + +do_oc:; + if ( ( got & GOT_C ) || ( got & GOT_CE ) ) { + BerVarray bv_allowed = NULL, + bv_effective = NULL; + int i, ja = 0, je = 0; + + ObjectClass *oc; + + for ( i = 0, oc_start( &oc ); oc != NULL; oc_next( &oc ) ) { + /* we can only add AUXILIARY objectClasses */ + if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) { + continue; + } + + i++; + } + + if ( got & GOT_C ) { + bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); + } + if ( got & GOT_CE ) { + bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) ); + } + + for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) { + /* we can only add AUXILIARY objectClasses */ + if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) { + continue; + } + + if ( got & GOT_C ) { + ber_dupbv( &bv_allowed[ ja ], &oc->soc_cname ); + ja++; + } + + if ( got & GOT_CE ) { + if ( !access_allowed( op, rs->sr_entry, + slap_schema.si_ad_objectClass, + &oc->soc_cname, ACL_WRITE, NULL ) ) + { + goto done_ce; + } + + if ( oc->soc_required ) { + for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) { + AttributeDescription *ad = NULL; + const char *text = NULL; + + if ( slap_bv2ad( &oc->soc_required[ i ]->sat_cname, &ad, &text ) ) { + /* log? */ + continue; + } + + if ( !access_allowed( op, rs->sr_entry, + ad, NULL, ACL_WRITE, NULL ) ) + { + goto done_ce; + } + } + } + + ber_dupbv( &bv_effective[ je ], &oc->soc_cname ); + je++; + } +done_ce:; + } + + if ( ( got & GOT_C ) && ja > 0 ) { + BER_BVZERO( &bv_allowed[ ja ] ); + *ap = attr_alloc( ad_allowedChildClasses ); + (*ap)->a_vals = bv_allowed; + (*ap)->a_nvals = bv_allowed; + (*ap)->a_numvals = ja; + ap = &(*ap)->a_next; + } + + if ( ( got & GOT_CE ) && je > 0 ) { + BER_BVZERO( &bv_effective[ je ] ); + *ap = attr_alloc( ad_allowedChildClassesEffective ); + (*ap)->a_vals = bv_effective; + (*ap)->a_nvals = bv_effective; + (*ap)->a_numvals = je; + ap = &(*ap)->a_next; + } + + *ap = NULL; + } + + return SLAP_CB_CONTINUE; +} + +static slap_overinst aa; + +#if LDAP_VENDOR_VERSION_MINOR != X && LDAP_VENDOR_VERSION_MINOR <= 3 +/* backport register_at() from HEAD, to allow building with OL <= 2.3 */ +static int +register_at( char *def, AttributeDescription **rad, int dupok ) +{ + LDAPAttributeType *at; + int code, freeit = 0; + const char *err; + AttributeDescription *ad = NULL; + + at = ldap_str2attributetype( def, &code, &err, LDAP_SCHEMA_ALLOW_ALL ); + if ( !at ) { + Debug( LDAP_DEBUG_ANY, + "register_at: AttributeType \"%s\": %s, %s\n", + def, ldap_scherr2str(code), err ); + return code; + } + + code = at_add( at, 0, NULL, &err ); + if ( code ) { + if ( code == SLAP_SCHERR_ATTR_DUP && dupok ) { + freeit = 1; + + } else { + ldap_attributetype_free( at ); + Debug( LDAP_DEBUG_ANY, + "register_at: AttributeType \"%s\": %s, %s\n", + def, scherr2str(code), err ); + return code; + } + } + code = slap_str2ad( at->at_names[0], &ad, &err ); + if ( freeit || code ) { + ldap_attributetype_free( at ); + } else { + ldap_memfree( at ); + } + if ( code ) { + Debug( LDAP_DEBUG_ANY, "register_at: AttributeType \"%s\": %s\n", + def, err, 0 ); + } + if ( rad ) *rad = ad; + return code; +} +#endif + +#if SLAPD_OVER_ALLOWED == SLAPD_MOD_DYNAMIC +static +#endif /* SLAPD_OVER_ALLOWED == SLAPD_MOD_DYNAMIC */ +int +aa_initialize( void ) +{ + int i; + + aa.on_bi.bi_type = "allowed"; + + aa.on_bi.bi_operational = aa_operational; + + /* aa schema integration */ + for ( i = 0; aa_attrs[i].at; i++ ) { + int code; + + code = register_at( aa_attrs[i].at, aa_attrs[i].ad, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "aa_initialize: register_at failed\n", 0, 0, 0 ); + return -1; + } + } + + return overlay_register( &aa ); +} + +#if SLAPD_OVER_ALLOWED == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return aa_initialize(); +} +#endif /* SLAPD_OVER_ALLOWED == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_ALLOWED */ diff --git a/contrib/slapd-modules/autogroup/Makefile b/contrib/slapd-modules/autogroup/Makefile new file mode 100644 index 0000000..efd9678 --- /dev/null +++ b/contrib/slapd-modules/autogroup/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = autogroup.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +autogroup.la: autogroup.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/autogroup/README b/contrib/slapd-modules/autogroup/README new file mode 100644 index 0000000..be32282 --- /dev/null +++ b/contrib/slapd-modules/autogroup/README @@ -0,0 +1,120 @@ +autogroup overlay Readme + +DESCRIPTION + The autogroup overlay allows automated updates of group memberships which + meet the requirements of any filter contained in the group definition. + The filters are built from LDAP URI-valued attributes. Any time an object + is added/deleted/updated, it is tested for compliance with the filters, + and its membership is accordingly updated. For searches and compares + it behaves like a static group. + If the attribute part of the URI is filled, the group entry is populated + by the values of this attribute in the entries resulting from the search. + +BUILDING + A Makefile is included. + +CONFIGURATION + # dyngroup.schema: + The dyngroup schema must be modified, adding the 'member' attribute + to the MAY clause of the groupOfURLs object class, i.e.: + + objectClass ( NetscapeLDAPobjectClass:33 + NAME 'groupOfURLs' + SUP top STRUCTURAL + MUST cn + MAY ( memberURL $ businessCategory $ description $ o $ ou $ + owner $ seeAlso $ member) ) + + + # slapd.conf: + + moduleload /path/to/autogroup.so + Loads the overlay (OpenLDAP must be built with --enable-modules). + + overlay autogroup + This directive adds the autogroup overlay to the current database. + + autogroup-attrset <group-oc> <URL-ad> <member-ad> + This configuration option is defined for the autogroup overlay. + It may have multiple occurrences, and it must appear after the + overlay directive. + + The value <group-oc> is the name of the objectClass that represents + the group. + + The value <URL-ad> is the name of the attributeDescription that + contains the URI that is converted to the filters. If no URI is + present, there will be no members in that group. It must be a subtype + of labeledURI. + + The value <member-ad> is the name of the attributeDescription that + specifies the member attribute. User modification of this attribute + is disabled for consistency. + + autogroup-memberof-ad <memberof-ad> + This configuration option is defined for the autogroup overlay. + + It defines the attribute that is used by the memberOf overlay + to store the names of groups that an entry is member of; it must be + DN-valued. It should be set to the same value as + memberof-memberof-ad. It defaults to 'memberOf'. + + +EXAMPLE + ### slapd.conf + include /path/to/dyngroup.schema + # ... + moduleload /path/to/autogroup.so + # ... + + database <database> + # ... + + overlay autogroup + autogroup-attrset groupOfURLs memberURL member + ### end slapd.conf + + ### slapd.conf + include /path/to/dyngroup.schema + # ... + moduleload /path/to/autogroup.so + moduleload /path/to/memberof.so + # ... + + database <database> + #... + + overlay memberof + memberof-memberof-ad foo + + overlay autogroup + autogroup-attrset groupOfURLs memberURL member + autogroup-memberof-ad foo + ### end slapd.conf + +CAVEATS + As with static groups, update operations on groups with a large number + of members may be slow. + If the attribute part of the URI is specified, modify and delete operations + are more difficult to handle. In these cases the overlay will try to detect + if groups have been modified and then simply refresh them. This can cause + performance hits if the search specified by the URI deals with a significant + number of entries. + +ACKNOWLEDGEMENTS + This module was originally written in 2007 by Michał Szulczyński. Further + enhancements were contributed by Howard Chu, Raphael Ouazana, + Norbert Pueschel, and Christian Manal. + +--- +Copyright 1998-2021 The OpenLDAP Foundation. +Portions Copyright (C) 2007 Michał Szulczyński. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in file LICENSE in the +top-level directory of the distribution or, alternatively, at +http://www.OpenLDAP.org/license.html. diff --git a/contrib/slapd-modules/autogroup/autogroup.c b/contrib/slapd-modules/autogroup/autogroup.c new file mode 100644 index 0000000..8caf082 --- /dev/null +++ b/contrib/slapd-modules/autogroup/autogroup.c @@ -0,0 +1,2234 @@ +/* autogroup.c - automatic group overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2007-2021 The OpenLDAP Foundation. + * Portions Copyright 2007 Michał Szulczyński. + * Portions Copyright 2009 Howard Chu. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Michał Szulczyński for inclusion in + * OpenLDAP Software. Additional significant contributors include: + * Howard Chu + * Raphael Ouazana + * Norbert Pueschel + * Christian Manal + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/string.h> + +#include "slap.h" +#include "config.h" +#include "lutil.h" + +#ifndef SLAPD_MEMBEROF_ATTR +#define SLAPD_MEMBEROF_ATTR "memberOf" +#endif + +static slap_overinst autogroup; + +/* Filter represents the memberURL of a group. */ +typedef struct autogroup_filter_t { + struct berval agf_dn; /* The base DN in memberURL */ + struct berval agf_ndn; + struct berval agf_filterstr; + Filter *agf_filter; + int agf_scope; + AttributeName *agf_anlist; + struct autogroup_filter_t *agf_next; +} autogroup_filter_t; + +/* Description of group attributes. */ +typedef struct autogroup_def_t { + ObjectClass *agd_oc; + AttributeDescription *agd_member_url_ad; + AttributeDescription *agd_member_ad; + struct autogroup_def_t *agd_next; +} autogroup_def_t; + +/* Represents the group entry. */ +typedef struct autogroup_entry_t { + BerValue age_dn; + BerValue age_ndn; + autogroup_filter_t *age_filter; /* List of filters made from memberURLs */ + autogroup_def_t *age_def; /* Attribute definition */ + ldap_pvt_thread_mutex_t age_mutex; + int age_mustrefresh; /* Defined in request to refresh in response */ + int age_modrdn_olddnmodified; /* Defined in request to refresh in response */ + struct autogroup_entry_t *age_next; +} autogroup_entry_t; + +/* Holds pointers to attribute definitions and groups. */ +typedef struct autogroup_info_t { + autogroup_def_t *agi_def; /* Group attributes definitions. */ + autogroup_entry_t *agi_entry; /* Group entries. */ + AttributeDescription *agi_memberof_ad; /* memberOf attribute description */ + ldap_pvt_thread_mutex_t agi_mutex; +} autogroup_info_t; + +/* Search callback for adding groups initially. */ +typedef struct autogroup_sc_t { + autogroup_info_t *ags_info; /* Group definitions and entries. */ + autogroup_def_t *ags_def; /* Attributes definition of the group being added. */ +} autogroup_sc_t; + +/* Used for adding members, found when searching, to a group. */ +typedef struct autogroup_ga_t { + autogroup_entry_t *agg_group; /* The group to which the members will be added. */ + autogroup_filter_t *agg_filter; /* Current filter */ + Entry *agg_entry; /* Used in autogroup_member_search_cb to modify + this entry with the search results. */ + + Modifications *agg_mod; /* Used in autogroup_member_search_modify_cb to hold the + search results which will be added to the group. */ + + Modifications *agg_mod_last; /* Used in autogroup_member_search_modify_cb so we don't + have to search for the last mod added. */ +} autogroup_ga_t; + + +/* +** dn, ndn - the DN of the member to add +** age - the group to which the member DN will be added +*/ +static int +autogroup_add_member_to_group( Operation *op, BerValue *dn, BerValue *ndn, autogroup_entry_t *age ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + Modifications *modlist = (Modifications *)ch_calloc( 1, sizeof( Modifications ) ); + SlapReply sreply = {REP_RESULT}; + BerValue *vals, *nvals; + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + Operation o = *op; + unsigned long opid = op->o_opid; + OpExtra oex; + + assert( dn != NULL ); + assert( ndn != NULL ); + Debug(LDAP_DEBUG_TRACE, "==> autogroup_add_member_to_group adding <%s> to <%s>\n", + dn->bv_val, age->age_dn.bv_val, 0); + + vals = (BerValue *)ch_calloc( 2, sizeof( BerValue ) ); + nvals = (BerValue *)ch_calloc( 2, sizeof( BerValue ) ); + ber_dupbv( vals, dn ); + BER_BVZERO( &vals[ 1 ] ); + ber_dupbv( nvals, ndn ); + BER_BVZERO( &nvals[ 1 ] ); + + modlist->sml_op = LDAP_MOD_ADD; + modlist->sml_desc = age->age_def->agd_member_ad; + modlist->sml_type = age->age_def->agd_member_ad->ad_cname; + modlist->sml_values = vals; + modlist->sml_nvalues = nvals; + modlist->sml_numvals = 1; + modlist->sml_flags = SLAP_MOD_INTERNAL; + modlist->sml_next = NULL; + + o.o_opid = 0; /* shared with op, saved above */ + o.o_tag = LDAP_REQ_MODIFY; + o.o_callback = &cb; + o.orm_modlist = modlist; + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = age->age_dn; + o.o_req_ndn = age->age_ndn; + o.o_permissive_modify = 1; + o.o_dont_replicate = 1; + o.orm_no_opattrs = 1; + o.o_managedsait = SLAP_CONTROL_CRITICAL; + o.o_relax = SLAP_CONTROL_CRITICAL; + + oex.oe_key = (void *)&autogroup; + LDAP_SLIST_INSERT_HEAD( &o.o_extra, &oex, oe_next ); + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + (void)op->o_bd->be_modify( &o, &sreply ); + o.o_bd->bd_info = (BackendInfo *)on; + + LDAP_SLIST_REMOVE( &o.o_extra, &oex, OpExtra, oe_next ); + + slap_mods_free( modlist, 1 ); + op->o_opid = opid; + + return sreply.sr_err; +} + +/* +** e - the entry where to get the attribute values +** age - the group to which the values will be added +*/ +static int +autogroup_add_member_values_to_group( Operation *op, struct berval *dn, autogroup_entry_t *age, Attribute *attr ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + Modifications modlist; + SlapReply sreply = {REP_RESULT}; + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + Operation o = *op; + unsigned long opid = op->o_opid; + OpExtra oex; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_add_member_values_to_group adding <%s> to <%s>\n", + dn->bv_val, age->age_dn.bv_val, 0); + + modlist.sml_op = LDAP_MOD_ADD; + modlist.sml_desc = age->age_def->agd_member_ad; + modlist.sml_type = age->age_def->agd_member_ad->ad_cname; + modlist.sml_values = attr->a_vals; + modlist.sml_nvalues = attr->a_nvals; + modlist.sml_numvals = attr->a_numvals; + modlist.sml_flags = SLAP_MOD_INTERNAL; + modlist.sml_next = NULL; + + o.o_opid = 0; + o.o_tag = LDAP_REQ_MODIFY; + o.o_callback = &cb; + o.orm_modlist = &modlist; + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = age->age_dn; + o.o_req_ndn = age->age_ndn; + o.o_permissive_modify = 1; + o.o_dont_replicate = 1; + o.orm_no_opattrs = 1; + o.o_managedsait = SLAP_CONTROL_CRITICAL; + o.o_relax = SLAP_CONTROL_CRITICAL; + + oex.oe_key = (void *)&autogroup; + LDAP_SLIST_INSERT_HEAD( &o.o_extra, &oex, oe_next ); + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + (void)op->o_bd->be_modify( &o, &sreply ); + o.o_bd->bd_info = (BackendInfo *)on; + op->o_opid = opid; + LDAP_SLIST_REMOVE( &o.o_extra, &oex, OpExtra, oe_next ); + + return sreply.sr_err; +} + +/* +** dn,ndn - the DN to be deleted +** age - the group from which the DN will be deleted +** If we pass a NULL dn and ndn, all members are deleted from the group. +*/ +static int +autogroup_delete_member_from_group( Operation *op, BerValue *dn, BerValue *ndn, autogroup_entry_t *age ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + Modifications *modlist = (Modifications *)ch_calloc( 1, sizeof( Modifications ) ); + SlapReply sreply = {REP_RESULT}; + BerValue *vals, *nvals; + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + Operation o = *op; + unsigned long opid = op->o_opid; + OpExtra oex; + + if ( dn == NULL || ndn == NULL ) { + Debug(LDAP_DEBUG_TRACE, "==> autogroup_delete_member_from_group removing all members from <%s>\n", + age->age_dn.bv_val, 0 ,0); + + modlist->sml_values = NULL; + modlist->sml_nvalues = NULL; + modlist->sml_numvals = 0; + } else { + Debug(LDAP_DEBUG_TRACE, "==> autogroup_delete_member_from_group removing <%s> from <%s>\n", + dn->bv_val, age->age_dn.bv_val, 0); + + vals = (BerValue *)ch_calloc( 2, sizeof( BerValue ) ); + nvals = (BerValue *)ch_calloc( 2, sizeof( BerValue ) ); + ber_dupbv( vals, dn ); + BER_BVZERO( &vals[ 1 ] ); + ber_dupbv( nvals, ndn ); + BER_BVZERO( &nvals[ 1 ] ); + + modlist->sml_values = vals; + modlist->sml_nvalues = nvals; + modlist->sml_numvals = 1; + } + + + modlist->sml_op = LDAP_MOD_DELETE; + modlist->sml_desc = age->age_def->agd_member_ad; + modlist->sml_type = age->age_def->agd_member_ad->ad_cname; + modlist->sml_flags = SLAP_MOD_INTERNAL; + modlist->sml_next = NULL; + + o.o_opid = 0; + o.o_callback = &cb; + o.o_tag = LDAP_REQ_MODIFY; + o.orm_modlist = modlist; + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = age->age_dn; + o.o_req_ndn = age->age_ndn; + o.o_relax = SLAP_CONTROL_CRITICAL; + o.o_managedsait = SLAP_CONTROL_CRITICAL; + o.o_permissive_modify = 1; + o.o_dont_replicate = 1; + o.orm_no_opattrs = 1; + + oex.oe_key = (void *)&autogroup; + LDAP_SLIST_INSERT_HEAD( &o.o_extra, &oex, oe_next ); + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + (void)op->o_bd->be_modify( &o, &sreply ); + o.o_bd->bd_info = (BackendInfo *)on; + + LDAP_SLIST_REMOVE( &o.o_extra, &oex, OpExtra, oe_next ); + + slap_mods_free( modlist, 1 ); + + op->o_opid = opid; + return sreply.sr_err; +} + +/* +** e - the entry where to get the attribute values +** age - the group from which the values will be deleted +*/ +static int +autogroup_delete_member_values_from_group( Operation *op, struct berval *dn, autogroup_entry_t *age, Attribute *attr ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + Modifications modlist; + SlapReply sreply = {REP_RESULT}; + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + Operation o = *op; + unsigned long opid = op->o_opid; + OpExtra oex; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_delete_member_values_from_group removing <%s> from <%s>\n", + dn->bv_val, age->age_dn.bv_val, 0); + + modlist.sml_op = LDAP_MOD_DELETE; + modlist.sml_desc = age->age_def->agd_member_ad; + modlist.sml_type = age->age_def->agd_member_ad->ad_cname; + modlist.sml_values = attr->a_vals; + modlist.sml_nvalues = attr->a_nvals; + modlist.sml_numvals = attr->a_numvals; + modlist.sml_flags = SLAP_MOD_INTERNAL; + modlist.sml_next = NULL; + + o.o_opid = 0; + o.o_tag = LDAP_REQ_MODIFY; + o.o_callback = &cb; + o.orm_modlist = &modlist; + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = age->age_dn; + o.o_req_ndn = age->age_ndn; + o.o_permissive_modify = 1; + o.o_dont_replicate = 1; + o.orm_no_opattrs = 1; + o.o_managedsait = SLAP_CONTROL_CRITICAL; + o.o_relax = SLAP_CONTROL_CRITICAL; + + oex.oe_key = (void *)&autogroup; + LDAP_SLIST_INSERT_HEAD( &o.o_extra, &oex, oe_next ); + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + (void)op->o_bd->be_modify( &o, &sreply ); + o.o_bd->bd_info = (BackendInfo *)on; + op->o_opid = opid; + + LDAP_SLIST_REMOVE( &o.o_extra, &oex, OpExtra, oe_next ); + + return sreply.sr_err; +} + +/* +** Callback used to add entries to a group, +** which are going to be written in the database +** (used in bi_op_add) +** The group is passed in autogroup_ga_t->agg_group +*/ +static int +autogroup_member_search_cb( Operation *op, SlapReply *rs ) +{ + assert( op->o_tag == LDAP_REQ_SEARCH ); + + if ( rs->sr_type == REP_SEARCH ) { + autogroup_ga_t *agg = (autogroup_ga_t *)op->o_callback->sc_private; + autogroup_entry_t *age = agg->agg_group; + autogroup_filter_t *agf = agg->agg_filter; + Modification mod; + const char *text = NULL; + char textbuf[1024]; + struct berval *vals, *nvals; + struct berval lvals[ 2 ], lnvals[ 2 ]; + int numvals; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_member_search_cb <%s>\n", + rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0); + + if ( agf->agf_anlist ) { + Attribute *attr = attrs_find( rs->sr_entry->e_attrs, agf->agf_anlist[0].an_desc ); + if (attr) { + vals = attr->a_vals; + nvals = attr->a_nvals; + numvals = attr->a_numvals; + } else { + // Nothing to add + return 0; + } + } else { + lvals[ 0 ] = rs->sr_entry->e_name; + BER_BVZERO( &lvals[ 1 ] ); + lnvals[ 0 ] = rs->sr_entry->e_nname; + BER_BVZERO( &lnvals[ 1 ] ); + vals = lvals; + nvals = lnvals; + numvals = 1; + } + + mod.sm_op = LDAP_MOD_ADD; + mod.sm_desc = age->age_def->agd_member_ad; + mod.sm_type = age->age_def->agd_member_ad->ad_cname; + mod.sm_values = vals; + mod.sm_nvalues = nvals; + mod.sm_numvals = numvals; + + modify_add_values( agg->agg_entry, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); + } + + return 0; +} + +/* +** Callback used to add entries to a group, which is already in the database. +** (used in on_response) +** The group is passed in autogroup_ga_t->agg_group +** NOTE: Very slow. +*/ +static int +autogroup_member_search_modify_cb( Operation *op, SlapReply *rs ) +{ + assert( op->o_tag == LDAP_REQ_SEARCH ); + + if ( rs->sr_type == REP_SEARCH ) { + autogroup_ga_t *agg = (autogroup_ga_t *)op->o_callback->sc_private; + autogroup_entry_t *age = agg->agg_group; + autogroup_filter_t *agf = agg->agg_filter; + Modifications *modlist; + struct berval *vals, *nvals; + struct berval lvals[ 2 ], lnvals[ 2 ]; + int numvals; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_member_search_modify_cb <%s>\n", + rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0); + + if ( agf->agf_anlist ) { + Attribute *attr = attrs_find( rs->sr_entry->e_attrs, agf->agf_anlist[0].an_desc ); + if (attr) { + vals = attr->a_vals; + nvals = attr->a_nvals; + numvals = attr->a_numvals; + } else { + // Nothing to add + return 0; + } + } else { + lvals[ 0 ] = rs->sr_entry->e_name; + BER_BVZERO( &lvals[ 1 ] ); + lnvals[ 0 ] = rs->sr_entry->e_nname; + BER_BVZERO( &lnvals[ 1 ] ); + vals = lvals; + nvals = lnvals; + numvals = 1; + } + + if ( numvals ) { + modlist = (Modifications *)ch_calloc( 1, sizeof( Modifications ) ); + + modlist->sml_op = LDAP_MOD_ADD; + modlist->sml_desc = age->age_def->agd_member_ad; + modlist->sml_type = age->age_def->agd_member_ad->ad_cname; + + ber_bvarray_dup_x( &modlist->sml_values, vals, NULL ); + ber_bvarray_dup_x( &modlist->sml_nvalues, nvals, NULL ); + modlist->sml_numvals = numvals; + + modlist->sml_flags = SLAP_MOD_INTERNAL; + modlist->sml_next = NULL; + + if ( agg->agg_mod == NULL ) { + agg->agg_mod = modlist; + agg->agg_mod_last = modlist; + } else { + agg->agg_mod_last->sml_next = modlist; + agg->agg_mod_last = modlist; + } + } + + } + + return 0; +} + + +/* +** Adds all entries matching the passed filter to the specified group. +** If modify == 1, then we modify the group's entry in the database using be_modify. +** If modify == 0, then, we must supply a rw entry for the group, +** because we only modify the entry, without calling be_modify. +** e - the group entry, to which the members will be added +** age - the group +** agf - the filter +*/ +static int +autogroup_add_members_from_filter( Operation *op, Entry *e, autogroup_entry_t *age, autogroup_filter_t *agf, int modify) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + Operation o = *op; + SlapReply rs = { REP_SEARCH }; + slap_callback cb = { 0 }; + slap_callback null_cb = { NULL, slap_null_cb, NULL, NULL }; + autogroup_ga_t agg; + OpExtra oex; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_add_members_from_filter <%s>\n", + age->age_dn.bv_val, 0, 0); + + o.ors_attrsonly = 0; + o.o_tag = LDAP_REQ_SEARCH; + + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = agf->agf_dn; + o.o_req_ndn = agf->agf_ndn; + + o.ors_filterstr = agf->agf_filterstr; + o.ors_filter = agf->agf_filter; + + o.ors_scope = agf->agf_scope; + o.ors_deref = LDAP_DEREF_NEVER; + o.ors_limit = NULL; + o.ors_tlimit = SLAP_NO_LIMIT; + o.ors_slimit = SLAP_NO_LIMIT; + o.ors_attrs = agf->agf_anlist ? agf->agf_anlist : slap_anlist_no_attrs; + o.o_do_not_cache = 1; + + agg.agg_group = age; + agg.agg_filter = agf; + agg.agg_mod = NULL; + agg.agg_mod_last = NULL; + agg.agg_entry = e; + cb.sc_private = &agg; + + if ( modify == 1 ) { + cb.sc_response = autogroup_member_search_modify_cb; + } else { + cb.sc_response = autogroup_member_search_cb; + } + + cb.sc_cleanup = NULL; + cb.sc_next = NULL; + + o.o_callback = &cb; + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + op->o_bd->be_search( &o, &rs ); + o.o_bd->bd_info = (BackendInfo *)on; + + if ( modify == 1 && agg.agg_mod ) { + unsigned long opid = op->o_opid; + + rs_reinit( &rs, REP_RESULT ); + + o = *op; + o.o_opid = 0; + o.o_callback = &null_cb; + o.o_tag = LDAP_REQ_MODIFY; + o.orm_modlist = agg.agg_mod; + o.o_dn = op->o_bd->be_rootdn; + o.o_ndn = op->o_bd->be_rootndn; + o.o_req_dn = age->age_dn; + o.o_req_ndn = age->age_ndn; + o.o_relax = SLAP_CONTROL_CRITICAL; + o.o_managedsait = SLAP_CONTROL_NONCRITICAL; + o.o_permissive_modify = 1; + o.o_dont_replicate = 1; + o.orm_no_opattrs = 1; + + oex.oe_key = (void *)&autogroup; + LDAP_SLIST_INSERT_HEAD( &o.o_extra, &oex, oe_next ); + + o.o_bd->bd_info = (BackendInfo *)on->on_info; + (void)op->o_bd->be_modify( &o, &rs ); + o.o_bd->bd_info = (BackendInfo *)on; + + LDAP_SLIST_REMOVE( &o.o_extra, &oex, OpExtra, oe_next ); + + slap_mods_free(agg.agg_mod, 1); + op->o_opid = opid; + } + + return 0; +} + +/* +** Adds a group to the internal list from the passed entry. +** scan specifies whether to add all maching members to the group. +** modify specifies whether to modify the given group entry (when modify == 0), +** or to modify the group entry in the database (when modify == 1 and e = NULL and ndn != NULL). +** agi - pointer to the groups and the attribute definitions +** agd - the attribute definition of the added group +** e - the entry representing the group, can be NULL if the ndn is specified, and modify == 1 +** ndn - the DN of the group, can be NULL if we give a non-NULL e +*/ +static int +autogroup_add_group( Operation *op, autogroup_info_t *agi, autogroup_def_t *agd, Entry *e, BerValue *ndn, int scan, int modify) +{ + autogroup_entry_t **agep = &agi->agi_entry; + autogroup_filter_t *agf, *agf_prev = NULL; + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + LDAPURLDesc *lud = NULL; + Attribute *a; + BerValue *bv, dn; + int rc = 0, match = 1, null_entry = 0; + + if ( e == NULL ) { + if ( overlay_entry_get_ov( op, ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot get entry for <%s>\n", ndn->bv_val, 0, 0); + return 1; + } + + null_entry = 1; + } + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_add_group <%s>\n", + e->e_name.bv_val, 0, 0); + + if ( agi->agi_entry != NULL ) { + for ( ; *agep ; agep = &(*agep)->age_next ) { + dnMatch( &match, 0, NULL, NULL, &e->e_nname, &(*agep)->age_ndn ); + if ( match == 0 ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: group already exists: <%s>\n", e->e_name.bv_val,0,0); + return 1; + } + /* goto last */; + } + } + + + *agep = (autogroup_entry_t *)ch_calloc( 1, sizeof( autogroup_entry_t ) ); + ldap_pvt_thread_mutex_init( &(*agep)->age_mutex ); + (*agep)->age_def = agd; + (*agep)->age_filter = NULL; + (*agep)->age_mustrefresh = 0; + (*agep)->age_modrdn_olddnmodified = 0; + + ber_dupbv( &(*agep)->age_dn, &e->e_name ); + ber_dupbv( &(*agep)->age_ndn, &e->e_nname ); + + a = attrs_find( e->e_attrs, agd->agd_member_url_ad ); + + if ( null_entry == 1 ) { + a = attrs_dup( a ); + overlay_entry_release_ov( op, e, 0, on ); + } + + if( a == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: group has no memberURL\n", 0,0,0); + } else { + for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) { + + agf = (autogroup_filter_t*)ch_calloc( 1, sizeof( autogroup_filter_t ) ); + + if ( ldap_url_parse( bv->bv_val, &lud ) != LDAP_URL_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot parse url <%s>\n", bv->bv_val,0,0); + /* FIXME: error? */ + ch_free( agf ); + continue; + } + + agf->agf_scope = lud->lud_scope; + + if ( lud->lud_dn == NULL ) { + BER_BVSTR( &dn, "" ); + } else { + ber_str2bv( lud->lud_dn, 0, 0, &dn ); + } + + rc = dnPrettyNormal( NULL, &dn, &agf->agf_dn, &agf->agf_ndn, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: cannot normalize DN <%s>\n", dn.bv_val,0,0); + /* FIXME: error? */ + goto cleanup; + } + + if ( lud->lud_filter != NULL ) { + ber_str2bv( lud->lud_filter, 0, 1, &agf->agf_filterstr); + agf->agf_filter = str2filter( lud->lud_filter ); + } else { + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: URL filter is missing <%s>\n", bv->bv_val,0,0); + /* FIXME: error? */ + goto cleanup; + } + + if ( lud->lud_attrs != NULL ) { + int i; + + for ( i=0 ; lud->lud_attrs[i]!=NULL ; i++) { + /* Just counting */; + } + + if ( i > 1 ) { + Debug( LDAP_DEBUG_ANY, "autogroup_add_group: too many attributes specified in url <%s>\n", + bv->bv_val, 0, 0); + /* FIXME: error? */ + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + ldap_free_urldesc( lud ); + ch_free( agf ); + continue; + } + + agf->agf_anlist = str2anlist( NULL, lud->lud_attrs[0], "," ); + + if ( agf->agf_anlist == NULL ) { + Debug( LDAP_DEBUG_ANY, "autogroup_add_group: unable to find AttributeDescription \"%s\".\n", + lud->lud_attrs[0], 0, 0 ); + /* FIXME: error? */ + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + ldap_free_urldesc( lud ); + ch_free( agf ); + continue; + } + } + + agf->agf_next = NULL; + + if( (*agep)->age_filter == NULL ) { + (*agep)->age_filter = agf; + } + + if( agf_prev != NULL ) { + agf_prev->agf_next = agf; + } + + agf_prev = agf; + + if ( scan == 1 ){ + autogroup_add_members_from_filter( op, e, (*agep), agf, modify ); + } + + Debug( LDAP_DEBUG_TRACE, "autogroup_add_group: added memberURL DN <%s> with filter <%s>\n", + agf->agf_ndn.bv_val, agf->agf_filterstr.bv_val, 0); + + ldap_free_urldesc( lud ); + + continue; + + +cleanup:; + + ch_free( agf->agf_ndn.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ldap_free_urldesc( lud ); + ch_free( agf ); + } + } + + if ( null_entry == 1 ) { + attrs_free( a ); + } + return rc; +} + +/* +** Used when opening the database to add all existing +** groups from the database to our internal list. +*/ +static int +autogroup_group_add_cb( Operation *op, SlapReply *rs ) +{ + assert( op->o_tag == LDAP_REQ_SEARCH ); + + if ( rs->sr_type == REP_SEARCH ) { + autogroup_sc_t *ags = (autogroup_sc_t *)op->o_callback->sc_private; + + Debug(LDAP_DEBUG_TRACE, "==> autogroup_group_add_cb <%s>\n", + rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0); + + autogroup_add_group( op, ags->ags_info, ags->ags_def, rs->sr_entry, NULL, 0, 0); + } + + return 0; +} + +typedef struct ag_addinfo { + slap_overinst *on; + Entry *e; + autogroup_def_t *agd; +} ag_addinfo; + +static int +autogroup_add_entry_cb( Operation *op, SlapReply *rs ) +{ + slap_callback *sc = op->o_callback; + ag_addinfo *aa = sc->sc_private; + slap_overinst *on = aa->on; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + BackendInfo *bi = op->o_bd->bd_info; + + if ( rs->sr_err != LDAP_SUCCESS ) + goto done; + + op->o_bd->bd_info = (BackendInfo *)on; + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + if ( aa->agd ) { + autogroup_add_group( op, agi, aa->agd, aa->e, NULL, 1 , 0); + } else { + autogroup_entry_t *age; + autogroup_filter_t *agf; + struct berval odn, ondn; + int rc; + + /* must use rootdn when calling test_filter */ + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + for ( age = agi->agi_entry; age ; age = age->age_next ) { + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + /* Check if any of the filters are the suffix to the entry DN. + If yes, we can test that filter against the entry. */ + + for ( agf = age->age_filter; agf ; agf = agf->agf_next ) { + if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) { + rc = test_filter( op, aa->e, agf->agf_filter ); + if ( rc == LDAP_COMPARE_TRUE ) { + if ( agf->agf_anlist ) { + Attribute *a = attr_find( aa->e->e_attrs, agf->agf_anlist[0].an_desc ); + if ( a ) + autogroup_add_member_values_to_group( op, &op->o_req_dn, age, a ); + } else { + autogroup_add_member_to_group( op, &aa->e->e_name, &aa->e->e_nname, age ); + } + break; + } + } + } + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + op->o_dn = odn; + op->o_ndn = ondn; + } + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + + op->o_bd->bd_info = bi; + +done: + op->o_callback = sc->sc_next; + op->o_tmpfree( sc, op->o_tmpmemctx ); + + return SLAP_CB_CONTINUE; +} + +/* +** When adding a group, we first strip any existing members, +** and add all which match the filters ourselfs. +*/ +static int +autogroup_add_entry( Operation *op, SlapReply *rs) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_def_t *agd = agi->agi_def; + slap_callback *sc = NULL; + ag_addinfo *aa = NULL; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_add_entry <%s>\n", + op->ora_e->e_name.bv_val, 0, 0); + + sc = op->o_tmpcalloc( sizeof(slap_callback) + sizeof(ag_addinfo), 1, op->o_tmpmemctx ); + sc->sc_private = (sc+1); + sc->sc_response = autogroup_add_entry_cb; + aa = sc->sc_private; + aa->on = on; + aa->e = op->ora_e; + sc->sc_next = op->o_callback; + op->o_callback = sc; + + /* Check if it's a group. */ + for ( ; agd ; agd = agd->agd_next ) { + if ( is_entry_objectclass_or_sub( op->ora_e, agd->agd_oc ) ) { + Modification mod; + const char *text = NULL; + char textbuf[1024]; + + mod.sm_op = LDAP_MOD_DELETE; + mod.sm_desc = agd->agd_member_ad; + mod.sm_type = agd->agd_member_ad->ad_cname; + mod.sm_values = NULL; + mod.sm_nvalues = NULL; + + /* We don't want any member attributes added by the user. */ + modify_delete_values( op->ora_e, &mod, /* permissive */ 1, &text, textbuf, sizeof( textbuf ) ); + + aa->agd = agd; + + break; + } + } + + return SLAP_CB_CONTINUE; +} + +/* +** agi - internal group and attribute definitions list +** e - the group to remove from the internal list +*/ +static int +autogroup_delete_group( autogroup_info_t *agi, autogroup_entry_t *e ) +{ + autogroup_entry_t *age = agi->agi_entry, + *age_prev = NULL, + *age_next; + int rc = 1; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_delete_group <%s>\n", + age->age_dn.bv_val, 0, 0); + + for ( age_next = age ; age_next ; age_prev = age, age = age_next ) { + age_next = age->age_next; + + if ( age == e ) { + autogroup_filter_t *agf = age->age_filter, + *agf_next; + + if ( age_prev != NULL ) { + age_prev->age_next = age_next; + } else { + agi->agi_entry = NULL; + } + + ch_free( age->age_dn.bv_val ); + ch_free( age->age_ndn.bv_val ); + + for( agf_next = agf ; agf_next ; agf = agf_next ){ + agf_next = agf->agf_next; + + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + anlist_free( agf->agf_anlist, 1, NULL ); + ch_free( agf ); + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + ldap_pvt_thread_mutex_destroy( &age->age_mutex ); + ch_free( age ); + + rc = 0; + return rc; + + } + } + + Debug( LDAP_DEBUG_TRACE, "autogroup_delete_group: group <%s> not found, should not happen\n", age->age_dn.bv_val, 0, 0); + + return rc; + +} + +static int +autogroup_delete_entry( Operation *op, SlapReply *rs) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_entry_t *age, *age_prev, *age_next; + autogroup_filter_t *agf; + Entry *e; + int matched_group = 0, rc = 0; + struct berval odn, ondn; + OpExtra *oex; + + LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) { + if ( oex->oe_key == (void *)&autogroup ) + return SLAP_CB_CONTINUE; + } + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_delete_entry <%s>\n", op->o_req_dn.bv_val, 0, 0); + + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_delete_entry: cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + /* Check if the entry to be deleted is one of our groups. */ + for ( age_next = agi->agi_entry ; age_next ; age_prev = age ) { + age = age_next; + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + age_next = age->age_next; + + if ( is_entry_objectclass_or_sub( e, age->age_def->agd_oc ) ) { + int match = 1; + + matched_group = 1; + + dnMatch( &match, 0, NULL, NULL, &e->e_nname, &age->age_ndn ); + + if ( match == 0 ) { + autogroup_delete_group( agi, age ); + break; + } + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + + if ( matched_group == 1 ) { + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + /* Check if the entry matches any of the groups. + If yes, we can delete the entry from that group. */ + + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + for ( agf = age->age_filter; agf ; agf = agf->agf_next ) { + if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) { + rc = test_filter( op, e, agf->agf_filter ); + if ( rc == LDAP_COMPARE_TRUE ) { + /* If the attribute is retrieved from the entry, we don't know what to delete + ** So the group must be entirely refreshed + ** But the refresh can't be done now because the entry is not deleted + ** So the group is marked as mustrefresh + */ + if ( agf->agf_anlist ) { + age->age_mustrefresh = 1; + } else { + autogroup_delete_member_from_group( op, &e->e_name, &e->e_nname, age ); + } + break; + } + } + } + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + op->o_dn = odn; + op->o_ndn = ondn; + + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + + return SLAP_CB_CONTINUE; +} + +static int +autogroup_response( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_def_t *agd = agi->agi_def; + autogroup_entry_t *age; + autogroup_filter_t *agf; + BerValue new_dn, new_ndn, pdn; + Entry *e, *group; + Attribute *a, *ea, *attrs; + int is_olddn, is_newdn, is_value_refresh, dn_equal; + OpExtra *oex; + + LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) { + if ( oex->oe_key == (void *)&autogroup ) + break; + } + + /* Handle all cases where a refresh of the group is needed */ + if ( op->o_tag == LDAP_REQ_DELETE || op->o_tag == LDAP_REQ_MODIFY ) { + if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !oex ) { + + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + /* Request detected that the group must be refreshed */ + + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + if ( age->age_mustrefresh ) { + autogroup_delete_member_from_group( op, NULL, NULL, age) ; + + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + autogroup_add_members_from_filter( op, NULL, age, agf, 1 ); + } + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + } + } else if ( op->o_tag == LDAP_REQ_MODRDN ) { + if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !oex ) { + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_response MODRDN from <%s>\n", op->o_req_dn.bv_val, 0, 0); + + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + if ( op->oq_modrdn.rs_newSup ) { + pdn = *op->oq_modrdn.rs_newSup; + } else { + dnParent( &op->o_req_dn, &pdn ); + } + build_new_dn( &new_dn, &pdn, &op->orr_newrdn, op->o_tmpmemctx ); + + if ( op->oq_modrdn.rs_nnewSup ) { + pdn = *op->oq_modrdn.rs_nnewSup; + } else { + dnParent( &op->o_req_ndn, &pdn ); + } + build_new_dn( &new_ndn, &pdn, &op->orr_nnewrdn, op->o_tmpmemctx ); + + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN to <%s>\n", new_dn.bv_val, 0, 0); + + dnMatch( &dn_equal, 0, NULL, NULL, &op->o_req_ndn, &new_ndn ); + + if ( overlay_entry_get_ov( op, &new_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN cannot get entry for <%s>\n", new_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass ); + + + if ( a == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN entry <%s> has no objectClass\n", new_dn.bv_val, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + + /* If a groups DN is modified, just update age_dn/ndn of that group with the new DN. */ + for ( ; agd; agd = agd->agd_next ) { + + if ( value_find_ex( slap_schema.si_ad_objectClass, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, &agd->agd_oc->soc_cname, + op->o_tmpmemctx ) == 0 ) + { + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + int match = 1; + + dnMatch( &match, 0, NULL, NULL, &age->age_ndn, &op->o_req_ndn ); + if ( match == 0 ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN updating group's DN to <%s>\n", new_dn.bv_val, 0, 0); + ber_dupbv( &age->age_dn, &new_dn ); + ber_dupbv( &age->age_ndn, &new_ndn ); + + op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx ); + op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx ); + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + } + + } + } + + /* For each group: + 1. check if the orginal entry's DN is in the group. + 2. chceck if the any of the group filter's base DN is a suffix of the new DN + + If 1 and 2 are both false, we do nothing. + If 1 and 2 is true, we remove the old DN from the group, and add the new DN. + If 1 is false, and 2 is true, we check the entry against the group's filters, + and add it's DN to the group. + If 1 is true, and 2 is false, we delete the entry's DN from the group. + */ + attrs = attrs_dup( e->e_attrs ); + overlay_entry_release_ov( op, e, 0, on ); + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + is_olddn = 0; + is_newdn = 0; + is_value_refresh = 0; + + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + if ( age->age_filter && age->age_filter->agf_anlist ) { + ea = attrs_find( attrs, age->age_filter->agf_anlist[0].an_desc ); + } + else { + ea = NULL; + } + + if ( age->age_modrdn_olddnmodified ) { + /* Resquest already marked this group to be updated */ + is_olddn = 1; + is_value_refresh = 1; + age->age_modrdn_olddnmodified = 0; + } else { + + if ( overlay_entry_get_ov( op, &age->age_ndn, NULL, NULL, 0, &group, on ) != + LDAP_SUCCESS || group == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODRDN cannot get group entry <%s>\n", age->age_dn.bv_val, 0, 0); + + op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx ); + op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx ); + + attrs_free( attrs ); + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + a = attrs_find( group->e_attrs, age->age_def->agd_member_ad ); + + if ( a != NULL ) { + if ( value_find_ex( age->age_def->agd_member_ad, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, ea ? ea->a_nvals : &op->o_req_ndn, op->o_tmpmemctx ) == 0 ) + { + is_olddn = 1; + } + + } + + overlay_entry_release_ov( op, group, 0, on ); + + } + + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + if ( dnIsSuffix( &new_ndn, &agf->agf_ndn ) ) { + /* TODO: should retest filter as it could imply conditions on the dn */ + is_newdn = 1; + break; + } + } + + + if ( is_value_refresh ) { + if ( is_olddn != is_newdn ) { + /* group refresh */ + autogroup_delete_member_from_group( op, NULL, NULL, age) ; + + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + autogroup_add_members_from_filter( op, NULL, age, agf, 1 ); + } + } + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + continue; + } + if ( is_olddn == 1 && is_newdn == 0 ) { + if ( ea ) + autogroup_delete_member_values_from_group( op, &new_dn, age, ea ); + else + autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age ); + } else + if ( is_olddn == 0 && is_newdn == 1 ) { + Entry etmp; + struct berval odn, ondn; + etmp.e_name = op->o_req_dn; + etmp.e_nname = op->o_req_ndn; + etmp.e_attrs = attrs; + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + for ( agf = age->age_filter; agf; agf = agf->agf_next ) { + if ( test_filter( op, &etmp, agf->agf_filter ) == LDAP_COMPARE_TRUE ) { + if ( ea ) { + autogroup_add_member_values_to_group( op, &new_dn, age, ea ); + } else + autogroup_add_member_to_group( op, &new_dn, &new_ndn, age ); + break; + } + } + op->o_dn = odn; + op->o_ndn = ondn; + } else + if ( is_olddn == 1 && is_newdn == 1 && dn_equal != 0 ) { + if ( ea ) { + /* group refresh */ + autogroup_delete_member_from_group( op, NULL, NULL, age) ; + + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + autogroup_add_members_from_filter( op, NULL, age, agf, 1 ); + } + } + else { + autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age ); + autogroup_add_member_to_group( op, &new_dn, &new_ndn, age ); + } + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + + op->o_tmpfree( new_dn.bv_val, op->o_tmpmemctx ); + op->o_tmpfree( new_ndn.bv_val, op->o_tmpmemctx ); + + attrs_free( attrs ); + + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + } + } + + if ( op->o_tag == LDAP_REQ_MODIFY ) { + if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !oex ) { + Entry etmp; + struct berval odn, ondn; + Debug( LDAP_DEBUG_TRACE, "==> autogroup_response MODIFY <%s>\n", op->o_req_dn.bv_val, 0, 0); + + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass ); + + + if ( a == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY entry <%s> has no objectClass\n", op->o_req_dn.bv_val, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + /* If we modify a group's memberURL, we have to delete all of it's members, + and add them anew, because we cannot tell from which memberURL a member was added. */ + for ( ; agd; agd = agd->agd_next ) { + + if ( value_find_ex( slap_schema.si_ad_objectClass, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, &agd->agd_oc->soc_cname, + op->o_tmpmemctx ) == 0 ) + { + Modifications *m; + int match = 1; + + m = op->orm_modlist; + + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + dnMatch( &match, 0, NULL, NULL, &op->o_req_ndn, &age->age_ndn ); + + if ( match == 0 ) { + for ( ; m ; m = m->sml_next ) { + if ( m->sml_desc == age->age_def->agd_member_url_ad ) { + autogroup_def_t *group_agd = age->age_def; + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY changing memberURL for group <%s>\n", + op->o_req_dn.bv_val, 0, 0); + + overlay_entry_release_ov( op, e, 0, on ); + + autogroup_delete_member_from_group( op, NULL, NULL, age ); + autogroup_delete_group( agi, age ); + + autogroup_add_group( op, agi, group_agd, NULL, &op->o_req_ndn, 1, 1); + + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + break; + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + } + + /* When modifying any of the attributes of an entry, we must + check if the entry is in any of our groups, and if + the modified entry maches any of the filters of that group. + + If the entry exists in a group, but the modified attributes do + not match any of the group's filters, we delete the entry from that group. + If the entry doesn't exist in a group, but matches a filter, + we add it to that group. + */ + attrs = attrs_dup( e->e_attrs ); + overlay_entry_release_ov( op, e, 0, on ); + etmp.e_name = op->o_req_dn; + etmp.e_nname = op->o_req_ndn; + etmp.e_attrs = attrs; + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + is_olddn = 0; + is_newdn = 0; + + ldap_pvt_thread_mutex_lock( &age->age_mutex ); + + if ( age->age_filter && age->age_filter->agf_anlist ) { + ea = attrs_find( attrs, age->age_filter->agf_anlist[0].an_desc ); + } + else { + ea = NULL; + } + + if ( overlay_entry_get_ov( op, &age->age_ndn, NULL, NULL, 0, &group, on ) != + LDAP_SUCCESS || group == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_response MODIFY cannot get entry for <%s>\n", + age->age_dn.bv_val, 0, 0); + + attrs_free( attrs ); + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + op->o_dn = odn; + op->o_ndn = ondn; + return SLAP_CB_CONTINUE; + } + + a = attrs_find( group->e_attrs, age->age_def->agd_member_ad ); + + if ( a != NULL ) { + if ( value_find_ex( age->age_def->agd_member_ad, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, ea ? ea->a_nvals : &op->o_req_ndn, op->o_tmpmemctx ) == 0 ) + { + is_olddn = 1; + } + + } + + overlay_entry_release_ov( op, group, 0, on ); + + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) { + if ( test_filter( op, &etmp, agf->agf_filter ) == LDAP_COMPARE_TRUE ) { + is_newdn = 1; + break; + } + } + } + + if ( is_olddn == 1 && is_newdn == 0 ) { + if(ea) + autogroup_delete_member_values_from_group( op, &op->o_req_dn, age, ea ); + else + autogroup_delete_member_from_group( op, &op->o_req_dn, &op->o_req_ndn, age ); + } else + if ( is_olddn == 0 && is_newdn == 1 ) { + if(ea) + autogroup_add_member_values_to_group( op, &op->o_req_dn, age, ea ); + else + autogroup_add_member_to_group( op, &op->o_req_dn, &op->o_req_ndn, age ); + } + + ldap_pvt_thread_mutex_unlock( &age->age_mutex ); + } + + op->o_dn = odn; + op->o_ndn = ondn; + attrs_free( attrs ); + + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + } + } + + return SLAP_CB_CONTINUE; +} + +/* +** Detect if filter contains a memberOf check for dn +*/ +static int +autogroup_memberOf_filter( Filter *f, BerValue *dn, AttributeDescription *memberof_ad ) +{ + int result = 0; + if ( f == NULL ) return 0; + + switch ( f->f_choice & SLAPD_FILTER_MASK ) { + case LDAP_FILTER_AND: + case LDAP_FILTER_OR: + case LDAP_FILTER_NOT: + for ( f = f->f_un.f_un_complex; f && !result; f = f->f_next ) { + result = result || autogroup_memberOf_filter( f, dn, memberof_ad ); + } + break; + case LDAP_FILTER_EQUALITY: + result = ( f->f_ava->aa_desc == memberof_ad && + ber_bvcmp( &f->f_ava->aa_value, dn ) == 0 ); + break; + default: + break; + } + + return result; +} + +/* +** When modifing a group, we must deny any modifications to the member attribute, +** because the group would be inconsistent. +*/ +static int +autogroup_modify_entry( Operation *op, SlapReply *rs) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_def_t *agd = agi->agi_def; + autogroup_entry_t *age; + Entry *e; + Attribute *a; + struct berval odn, ondn; + OpExtra *oex; + + LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) { + if ( oex->oe_key == (void *)&autogroup ) + return SLAP_CB_CONTINUE; + } + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_modify_entry <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + /* Must refresh groups if a matching member value is modified OR filter contains memberOf=DN */ + for ( age = agi->agi_entry; age ; age = age->age_next ) { + autogroup_filter_t *agf; + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + if ( agf->agf_anlist ) { + Modifications *m; + for ( m = op->orm_modlist ; m ; m = m->sml_next ) { + if ( m->sml_desc == agf->agf_anlist[0].an_desc ) { + if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) { + int rc = test_filter( op, e, agf->agf_filter ); + if ( rc == LDAP_COMPARE_TRUE ) { + age->age_mustrefresh = 1; + } + } + } + } + } + + if ( autogroup_memberOf_filter( agf->agf_filter, &op->o_req_ndn, agi->agi_memberof_ad ) ) { + age->age_mustrefresh = 1; + } + } + } + op->o_dn = odn; + op->o_ndn = ondn; + + a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass ); + + if ( a == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry entry <%s> has no objectClass\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + + for ( ; agd; agd = agd->agd_next ) { + + if ( value_find_ex( slap_schema.si_ad_objectClass, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, &agd->agd_oc->soc_cname, + op->o_tmpmemctx ) == 0 ) + { + Modifications *m; + int match = 1; + + m = op->orm_modlist; + + for ( age = agi->agi_entry ; age ; age = age->age_next ) { + dnMatch( &match, 0, NULL, NULL, &op->o_req_ndn, &age->age_ndn ); + + if ( match == 0 ) { + for ( ; m ; m = m->sml_next ) { + if ( m->sml_desc == age->age_def->agd_member_ad ) { + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + Debug( LDAP_DEBUG_TRACE, "autogroup_modify_entry attempted to modify group's <%s> member attribute\n", op->o_req_dn.bv_val, 0, 0); + send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, "attempt to modify dynamic group member attribute"); + return LDAP_CONSTRAINT_VIOLATION; + } + } + break; + } + } + + /* an entry may only have one dynamic group class */ + break; + } + } + + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; +} + +/* +** Detect if the olddn is part of a group and so if the group should be refreshed +*/ +static int +autogroup_modrdn_entry( Operation *op, SlapReply *rs) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_entry_t *age; + Entry *e; + struct berval odn, ondn; + OpExtra *oex; + + LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) { + if ( oex->oe_key == (void *)&autogroup ) + return SLAP_CB_CONTINUE; + } + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_modrdn_entry <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); + + if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_TRACE, "autogroup_modrdn_entry cannot get entry for <%s>\n", op->o_req_dn.bv_val, 0, 0); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; + } + + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + /* Must check if a dn is modified */ + for ( age = agi->agi_entry; age ; age = age->age_next ) { + autogroup_filter_t *agf; + for ( agf = age->age_filter ; agf ; agf = agf->agf_next ) { + if ( agf->agf_anlist ) { + if ( dnIsSuffix( &op->o_req_ndn, &agf->agf_ndn ) ) { + int rc = test_filter( op, e, agf->agf_filter ); + if ( rc == LDAP_COMPARE_TRUE ) { + age->age_modrdn_olddnmodified = 1; + } + } + } + } + } + op->o_dn = odn; + op->o_ndn = ondn; + + overlay_entry_release_ov( op, e, 0, on ); + ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + return SLAP_CB_CONTINUE; +} + +/* +** Builds a filter for searching for the +** group entries, according to the objectClass. +*/ +static int +autogroup_build_def_filter( autogroup_def_t *agd, Operation *op ) +{ + char *ptr; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_build_def_filter\n", 0, 0, 0); + + op->ors_filterstr.bv_len = STRLENOF( "(=)" ) + + slap_schema.si_ad_objectClass->ad_cname.bv_len + + agd->agd_oc->soc_cname.bv_len; + ptr = op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + *ptr++ = '('; + ptr = lutil_strcopy( ptr, slap_schema.si_ad_objectClass->ad_cname.bv_val ); + *ptr++ = '='; + ptr = lutil_strcopy( ptr, agd->agd_oc->soc_cname.bv_val ); + *ptr++ = ')'; + *ptr = '\0'; + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + + assert( op->ors_filterstr.bv_len == ptr - op->ors_filterstr.bv_val ); + + return 0; +} + +enum { + AG_ATTRSET = 1, + AG_MEMBER_OF_AD, + AG_LAST +}; + +static ConfigDriver ag_cfgen; + +static ConfigTable agcfg[] = { + { "autogroup-attrset", "group-oc> <URL-ad> <member-ad", + 4, 4, 0, ARG_MAGIC|AG_ATTRSET, ag_cfgen, + "( OLcfgCtAt:2.1 NAME 'olcAGattrSet' " + "DESC 'Automatic groups: <group objectClass>, <URL attributeDescription>, <member attributeDescription>' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString " + "X-ORDERED 'VALUES' )", + NULL, NULL }, + + { "autogroup-memberof-ad", "memberOf attribute", + 2, 2, 0, ARG_MAGIC|AG_MEMBER_OF_AD, ag_cfgen, + "( OLcfgCtAt:2.2 NAME 'olcAGmemberOfAd' " + "DESC 'memberOf attribute' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", + NULL, NULL }, + + { NULL, NULL, 0, 0, 0, ARG_IGNORED } +}; + +static ConfigOCs agocs[] = { + { "( OLcfgCtOc:2.1 " + "NAME 'olcAutomaticGroups' " + "DESC 'Automatic groups configuration' " + "SUP olcOverlayConfig " + "MAY ( " + "olcAGattrSet " + "$ olcAGmemberOfAd " + ")" + ")", + Cft_Overlay, agcfg, NULL, NULL }, + { NULL, 0, NULL } +}; + + +static int +ag_cfgen( ConfigArgs *c ) +{ + slap_overinst *on = (slap_overinst *)c->bi; + autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; + autogroup_def_t *agd; + autogroup_entry_t *age; + + int rc = 0, i; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_cfgen\n", 0, 0, 0); + + if( agi == NULL ) { + agi = (autogroup_info_t*)ch_calloc( 1, sizeof(autogroup_info_t) ); + ldap_pvt_thread_mutex_init( &agi->agi_mutex ); + agi->agi_def = NULL; + agi->agi_entry = NULL; + on->on_bi.bi_private = (void *)agi; + } + + agd = agi->agi_def; + age = agi->agi_entry; + + if ( c->op == SLAP_CONFIG_EMIT ) { + + switch( c->type ){ + case AG_ATTRSET: + for ( i = 0 ; agd ; i++, agd = agd->agd_next ) { + struct berval bv; + char *ptr = c->cr_msg; + + assert(agd->agd_oc != NULL); + assert(agd->agd_member_url_ad != NULL); + assert(agd->agd_member_ad != NULL); + + ptr += snprintf( c->cr_msg, sizeof( c->cr_msg ), + SLAP_X_ORDERED_FMT "%s %s %s", i, + agd->agd_oc->soc_cname.bv_val, + agd->agd_member_url_ad->ad_cname.bv_val, + agd->agd_member_ad->ad_cname.bv_val ); + + bv.bv_val = c->cr_msg; + bv.bv_len = ptr - bv.bv_val; + value_add_one ( &c->rvalue_vals, &bv ); + + } + break; + + case AG_MEMBER_OF_AD: + if ( agi->agi_memberof_ad != NULL ){ + value_add_one( &c->rvalue_vals, &agi->agi_memberof_ad->ad_cname ); + } + break; + + default: + assert( 0 ); + return 1; + } + + return rc; + + }else if ( c->op == LDAP_MOD_DELETE ) { + if ( c->valx < 0) { + autogroup_def_t *agd_next; + autogroup_entry_t *age_next; + autogroup_filter_t *agf = age->age_filter, + *agf_next; + + for ( agd_next = agd; agd_next; agd = agd_next ) { + agd_next = agd->agd_next; + + ch_free( agd ); + } + + for ( age_next = age ; age_next ; age = age_next ) { + age_next = age->age_next; + + ch_free( age->age_dn.bv_val ); + ch_free( age->age_ndn.bv_val ); + + for( agf_next = agf ; agf_next ; agf = agf_next ){ + agf_next = agf->agf_next; + + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + anlist_free( agf->agf_anlist, 1, NULL ); + ch_free( agf ); + } + + ldap_pvt_thread_mutex_init( &age->age_mutex ); + ch_free( age ); + } + + ch_free( agi ); + on->on_bi.bi_private = NULL; + + } else { + autogroup_def_t **agdp; + autogroup_entry_t *age_next, *age_prev; + autogroup_filter_t *agf, + *agf_next; + + for ( i = 0, agdp = &agi->agi_def; + i < c->valx; i++ ) + { + if ( *agdp == NULL) { + return 1; + } + agdp = &(*agdp)->agd_next; + } + + agd = *agdp; + *agdp = agd->agd_next; + + for ( age_next = age , age_prev = NULL ; age_next ; age_prev = age, age = age_next ) { + age_next = age->age_next; + + if( age->age_def == agd ) { + agf = age->age_filter; + + ch_free( age->age_dn.bv_val ); + ch_free( age->age_ndn.bv_val ); + + for ( agf_next = agf; agf_next ; agf = agf_next ) { + agf_next = agf->agf_next; + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + anlist_free( agf->agf_anlist, 1, NULL ); + ch_free( agf ); + } + + ldap_pvt_thread_mutex_destroy( &age->age_mutex ); + ch_free( age ); + + age = age_prev; + + if( age_prev != NULL ) { + age_prev->age_next = age_next; + } + } + } + + ch_free( agd ); + agd = agi->agi_def; + + } + + return rc; + } + + switch(c->type){ + case AG_ATTRSET: { + autogroup_def_t **agdp, + *agd_next = NULL; + ObjectClass *oc = NULL; + AttributeDescription *member_url_ad = NULL, + *member_ad = NULL; + const char *text; + + + oc = oc_find( c->argv[ 1 ] ); + if( oc == NULL ){ + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "unable to find ObjectClass \"%s\"", + c->argv[ 1 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + + rc = slap_str2ad( c->argv[ 2 ], &member_url_ad, &text ); + if( rc != LDAP_SUCCESS ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "unable to find AttributeDescription \"%s\"", + c->argv[ 2 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + if( !is_at_subtype( member_url_ad->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "AttributeDescription \"%s\" ", + "must be of a subtype \"labeledURI\"", + c->argv[ 2 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + rc = slap_str2ad( c->argv[3], &member_ad, &text ); + if( rc != LDAP_SUCCESS ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "unable to find AttributeDescription \"%s\"", + c->argv[ 3 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + for ( agdp = &agi->agi_def ; *agdp ; agdp = &(*agdp)->agd_next ) { + /* The same URL attribute / member attribute pair + * cannot be repeated */ + + if ( (*agdp)->agd_member_url_ad == member_url_ad && (*agdp)->agd_member_ad == member_ad ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "URL attributeDescription \"%s\" already mapped", + member_ad->ad_cname.bv_val ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); +/* return 1; //warning*/ + } + } + + if ( c->valx > 0 ) { + int i; + + for ( i = 0, agdp = &agi->agi_def ; + i < c->valx; i++ ) + { + if ( *agdp == NULL ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-attrset <oc> <URL-ad> <member-ad>\": " + "invalid index {%d}", + c->valx ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + + return 1; + } + agdp = &(*agdp)->agd_next; + } + agd_next = *agdp; + + } else { + for ( agdp = &agi->agi_def; *agdp; + agdp = &(*agdp)->agd_next ) + /* goto last */; + } + + *agdp = (autogroup_def_t *)ch_calloc( 1, sizeof(autogroup_info_t)); + + (*agdp)->agd_oc = oc; + (*agdp)->agd_member_url_ad = member_url_ad; + (*agdp)->agd_member_ad = member_ad; + (*agdp)->agd_next = agd_next; + + } break; + + case AG_MEMBER_OF_AD: { + AttributeDescription *memberof_ad = NULL; + const char *text; + + rc = slap_str2ad( c->argv[ 1 ], &memberof_ad, &text ); + if( rc != LDAP_SUCCESS ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "\"autogroup-memberof-ad <memberof-ad>\": " + "unable to find AttributeDescription \"%s\"", + c->argv[ 1 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + if ( !is_at_syntax( memberof_ad->ad_type, SLAPD_DN_SYNTAX ) /* e.g. "member" */ + && !is_at_syntax( memberof_ad->ad_type, SLAPD_NAMEUID_SYNTAX ) ) /* e.g. "uniqueMember" */ + { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "memberof attribute=\"%s\" must either " + "have DN (%s) or nameUID (%s) syntax", + c->argv[ 1 ], SLAPD_DN_SYNTAX, SLAPD_NAMEUID_SYNTAX ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + agi->agi_memberof_ad = memberof_ad; + + } break; + + default: + rc = 1; + break; + } + + return rc; +} + +extern int slapMode; + +/* +** Do a search for all the groups in the +** database, and add them to out internal list. +*/ +static int +autogroup_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + autogroup_info_t *agi = on->on_bi.bi_private; + autogroup_def_t *agd; + autogroup_sc_t ags; + Operation *op; + slap_callback cb = { 0 }; + + void *thrctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_db_open\n", 0, 0, 0); + + if ( agi == NULL || !( slapMode & SLAP_SERVER_MODE )) { + return 0; + } + + connection_fake_init( &conn, &opbuf, thrctx ); + op = &opbuf.ob_op; + + op->ors_attrsonly = 0; + op->o_tag = LDAP_REQ_SEARCH; + op->o_dn = be->be_rootdn; + op->o_ndn = be->be_rootndn; + + op->o_req_dn = be->be_suffix[0]; + op->o_req_ndn = be->be_nsuffix[0]; + + op->ors_scope = LDAP_SCOPE_SUBTREE; + op->ors_deref = LDAP_DEREF_NEVER; + op->ors_limit = NULL; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + op->o_do_not_cache = 1; + + op->o_bd = be; + op->o_bd->bd_info = (BackendInfo *)on->on_info; + + ags.ags_info = agi; + cb.sc_private = &ags; + cb.sc_response = autogroup_group_add_cb; + cb.sc_cleanup = NULL; + cb.sc_next = NULL; + + op->o_callback = &cb; + + for (agd = agi->agi_def ; agd ; agd = agd->agd_next) { + SlapReply rs = { REP_RESULT }; + + autogroup_build_def_filter(agd, op); + + ags.ags_def = agd; + + op->o_bd->be_search( op, &rs ); + + filter_free_x( op, op->ors_filter, 1 ); + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + } + + if( ! agi->agi_memberof_ad ){ + int rc; + const char *text = NULL; + + rc = slap_str2ad( SLAPD_MEMBEROF_ATTR, &agi->agi_memberof_ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "autogroup_db_open: " + "unable to find attribute=\"%s\": %s (%d)\n", + SLAPD_MEMBEROF_ATTR, text, rc ); + return rc; + } + } + + return 0; +} + +static int +autogroup_db_close( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_db_close\n", 0, 0, 0); + + if ( on->on_bi.bi_private ) { + autogroup_info_t *agi = on->on_bi.bi_private; + autogroup_entry_t *age = agi->agi_entry, + *age_next; + autogroup_filter_t *agf, *agf_next; + + for ( age_next = age; age_next; age = age_next ) { + age_next = age->age_next; + + ch_free( age->age_dn.bv_val ); + ch_free( age->age_ndn.bv_val ); + + agf = age->age_filter; + + for ( agf_next = agf; agf_next; agf = agf_next ) { + agf_next = agf->agf_next; + + filter_free( agf->agf_filter ); + ch_free( agf->agf_filterstr.bv_val ); + ch_free( agf->agf_dn.bv_val ); + ch_free( agf->agf_ndn.bv_val ); + anlist_free( agf->agf_anlist, 1, NULL ); + ch_free( agf ); + } + + ldap_pvt_thread_mutex_destroy( &age->age_mutex ); + ch_free( age ); + } + } + + return 0; +} + +static int +autogroup_db_destroy( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + + Debug( LDAP_DEBUG_TRACE, "==> autogroup_db_destroy\n", 0, 0, 0); + + if ( on->on_bi.bi_private ) { + autogroup_info_t *agi = on->on_bi.bi_private; + autogroup_def_t *agd = agi->agi_def, + *agd_next; + + for ( agd_next = agd; agd_next; agd = agd_next ) { + agd_next = agd->agd_next; + + ch_free( agd ); + } + + ldap_pvt_thread_mutex_destroy( &agi->agi_mutex ); + ch_free( agi ); + } + + return 0; +} + +static +int +autogroup_initialize(void) +{ + int rc = 0; + autogroup.on_bi.bi_type = "autogroup"; + + autogroup.on_bi.bi_db_open = autogroup_db_open; + autogroup.on_bi.bi_db_close = autogroup_db_close; + autogroup.on_bi.bi_db_destroy = autogroup_db_destroy; + + autogroup.on_bi.bi_op_add = autogroup_add_entry; + autogroup.on_bi.bi_op_delete = autogroup_delete_entry; + autogroup.on_bi.bi_op_modify = autogroup_modify_entry; + autogroup.on_bi.bi_op_modrdn = autogroup_modrdn_entry; + + autogroup.on_response = autogroup_response; + + autogroup.on_bi.bi_cf_ocs = agocs; + + rc = config_register_schema( agcfg, agocs ); + if ( rc ) { + return rc; + } + + return overlay_register( &autogroup ); +} + +int +init_module( int argc, char *argv[] ) +{ + return autogroup_initialize(); +} diff --git a/contrib/slapd-modules/autogroup/slapo-autogroup.5 b/contrib/slapd-modules/autogroup/slapo-autogroup.5 new file mode 100644 index 0000000..c2ed916 --- /dev/null +++ b/contrib/slapd-modules/autogroup/slapo-autogroup.5 @@ -0,0 +1,102 @@ +.TH SLAPO-AUTOGROUP 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2021 The OpenLDAP Foundation All Rights Reserved. +.\" Portions Copyright \[u00A9] 2007 Michał Szulczyński. +.\" Copying restrictions apply. See the COPYRIGHT file. +.\" $OpenLDAP$ +.SH NAME +\FCslapo-autogroup\FT \- automatic updates of group memberships which meet the +requirements of any filter contained in the group definition. +.SH SYNOPSIS +In \FCslapd.conf\FT: + ... + \FCinclude ETCDIR/schema/dyngroup.schema\FT + ... + \FCmoduleload autogroup.so\FT + ... + \FCdatabase\FT ... + ... + \FCoverlay autogroup\FT + \FCautogroup-attrset groupOfURLs memberURL member\FT +.SH DESCRIPTION +The +.B autogroup +overlay to +.BR slapd (8) +allows automated updates of group memberships which meet the requirements +of any filter contained in the group definition. The filters are built from +LDAP URI-valued attributes. Any time an object is added/deleted/updated, it is +tested for compliance with the filters, and its membership is accordingly +updated. For searches and compares, it behaves like a static group. +If the attribute part of the URI is filled, the group entry is populated by +the values of this attribute in the entries resulting from the search. +.SH CONFIGURATION +Either +.BR \FCslapd.conf\FT (5) +or the \FCcn=config\FT methodology of +.BR \FCslapd-config\FT (5) +may be used for configuring autogroup. Both syntaxes are provided +here for convenience: +.TP +.B \FCautogroup-attrset\FT <group-oc> <URL-ad> <member-ad> +.TP +.B \FColcAGattrSet:\FT <group-oc> <URL-ad> <member-ad> +This defines the objectclass-attribute-URI mappings defining the +automatically managed groups, and may appear multiple times. + +The value <group-oc> is the name of the objectClass that represents +the group. + +The value <URL-ad> is the name of the attributeDescription that +contains the URI that is converted to the filters. If no URI is +present, there will be no members in that group. It must be a subtype +of labeledURI. + +The value <member-ad> is the name of the attributeDescription that +specifies the member attribute. User modification of this attribute is +disabled for consistency. +.TP +.B \FCautogroup-memberof-ad\FT <memberof-ad> +.TP +.B \FColcAGmemberOfAd\FT <memberof-ad> +This defines the attribute that is used by the memberOf overlay to +store the names of groups that an entry is member of; it must be +DN-valued. It should be set to the same value as +memberof-memberof-ad. It defaults to 'memberOf'. +.SH EXAMPLES +As above in SYNOPSIS, or with memberof: + + ... + \FCinclude ETCDIR/schema/dyngroup.schema\FT + \FCinclude ETCDIR/schema/memberof.schema\FT + ... + \FCmoduleload autogroup.so\FT + \FCmoduleload memberof.so\FT + ... + \FCdatabase\FT ... + ... + \FCoverlay memberof\FT + \FCmemberof-memberof-ad\FT foo + ... + \FCoverlay autogroup\FT + \FCautogroup-attrset groupOfURLs memberURL member\FT + \FCautogroup-memberof-ad\FT foo +.SH CAVEATS +As with static groups, update operations on groups with a large number +of members may be slow. If the attribute part of the URI is specified, +modify and delete operations are more difficult to handle. In these +cases the overlay will try to detect if groups have been modified and +then simply refresh them. This can cause performance hits if the +search specified by the URI deals with a significant number of +entries. +.SH ACKNOWLEDGEMENTS +This module was originally written in 2007 by Michał +Szulczyński. Further enhancements were contributed by Howard +Chu, Raphael Ouazana, Norbert Pueschel, and Christian Manal. Manpage +updates provided by Emily Backes. +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd (8). +.SH Copyrights +Copyright 1998-2021 The OpenLDAP Foundation. +Portions Copyright \[u00A9] 2007 Michał Szulczyński. +All rights reserved. diff --git a/contrib/slapd-modules/cloak/Makefile b/contrib/slapd-modules/cloak/Makefile new file mode 100644 index 0000000..424e3b7 --- /dev/null +++ b/contrib/slapd-modules/cloak/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_CLOAK=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = cloak.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +cloak.la: cloak.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/cloak/cloak.c b/contrib/slapd-modules/cloak/cloak.c new file mode 100644 index 0000000..7045354 --- /dev/null +++ b/contrib/slapd-modules/cloak/cloak.c @@ -0,0 +1,354 @@ +/* cloak.c - Overlay to hide some attribute except if explicitely requested */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Emmanuel Dreyfus + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was originally developed by the Emmanuel Dreyfus for + * inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_CLOAK + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "lutil.h" +#include "slap.h" +#include "config.h" + +enum { CLOAK_ATTR = 1 }; + +typedef struct cloak_info_t { + ObjectClass *ci_oc; + AttributeDescription *ci_ad; + struct cloak_info_t *ci_next; +} cloak_info_t; + +#define CLOAK_USAGE "\"cloak-attr <attr> [<class>]\": " + +static int +cloak_cfgen( ConfigArgs *c ) +{ + slap_overinst *on = (slap_overinst *)c->bi; + cloak_info_t *ci = (cloak_info_t *)on->on_bi.bi_private; + + int rc = 0, i; + + if ( c->op == SLAP_CONFIG_EMIT ) { + switch( c->type ) { + case CLOAK_ATTR: + for ( i = 0; ci; i++, ci = ci->ci_next ) { + struct berval bv; + int len; + + assert( ci->ci_ad != NULL ); + + if ( ci->ci_oc != NULL ) + len = snprintf( c->cr_msg, + sizeof( c->cr_msg ), + SLAP_X_ORDERED_FMT "%s %s", i, + ci->ci_ad->ad_cname.bv_val, + ci->ci_oc->soc_cname.bv_val ); + else + len = snprintf( c->cr_msg, + sizeof( c->cr_msg ), + SLAP_X_ORDERED_FMT "%s", i, + ci->ci_ad->ad_cname.bv_val ); + + bv.bv_val = c->cr_msg; + bv.bv_len = len; + value_add_one( &c->rvalue_vals, &bv ); + } + break; + + default: + rc = 1; + break; + } + + return rc; + + } else if ( c->op == LDAP_MOD_DELETE ) { + cloak_info_t *ci_next; + + switch( c->type ) { + case CLOAK_ATTR: + for ( ci_next = ci, i = 0; + ci_next, c->valx < 0 || i < c->valx; + ci = ci_next, i++ ){ + + ci_next = ci->ci_next; + + ch_free ( ci->ci_ad ); + if ( ci->ci_oc != NULL ) + ch_free ( ci->ci_oc ); + + ch_free( ci ); + } + ci = (cloak_info_t *)on->on_bi.bi_private; + break; + + default: + rc = 1; + break; + } + + return rc; + } + + switch( c->type ) { + case CLOAK_ATTR: { + ObjectClass *oc = NULL; + AttributeDescription *ad = NULL; + const char *text; + cloak_info_t **cip = NULL; + cloak_info_t *ci_next = NULL; + + if ( c->argc == 3 ) { + oc = oc_find( c->argv[ 2 ] ); + if ( oc == NULL ) { + snprintf( c->cr_msg, + sizeof( c->cr_msg ), + CLOAK_USAGE + "unable to find ObjectClass \"%s\"", + c->argv[ 2 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + } + + rc = slap_str2ad( c->argv[ 1 ], &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), CLOAK_USAGE + "unable to find AttributeDescription \"%s\"", + c->argv[ 1 ] ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + + for ( i = 0, cip = (cloak_info_t **)&on->on_bi.bi_private; + c->valx < 0 || i < c->valx, *cip; + i++, cip = &(*cip)->ci_next ) { + if ( c->valx >= 0 && *cip == NULL ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + CLOAK_USAGE + "invalid index {%d}\n", + c->valx ); + Debug( LDAP_DEBUG_ANY, "%s: %s.\n", + c->log, c->cr_msg, 0 ); + return 1; + } + ci_next = *cip; + } + + *cip = (cloak_info_t *)SLAP_CALLOC( 1, sizeof( cloak_info_t ) ); + (*cip)->ci_oc = oc; + (*cip)->ci_ad = ad; + (*cip)->ci_next = ci_next; + + rc = 0; + break; + } + + default: + rc = 1; + break; + } + + return rc; +} + +static int +cloak_search_response_cb( Operation *op, SlapReply *rs ) +{ + slap_callback *sc; + cloak_info_t *ci; + Entry *e = NULL; + Entry *me = NULL; + + assert( op && op->o_callback && rs ); + + if ( rs->sr_type != REP_SEARCH || !rs->sr_entry ) { + return ( SLAP_CB_CONTINUE ); + } + + sc = op->o_callback; + e = rs->sr_entry; + + /* + * First perform a quick scan for an attribute to cloak + */ + for ( ci = (cloak_info_t *)sc->sc_private; ci; ci = ci->ci_next ) { + Attribute *a; + + if ( ci->ci_oc != NULL && + !is_entry_objectclass_or_sub( e, ci->ci_oc ) ) + continue; + + for ( a = e->e_attrs; a; a = a->a_next ) + if ( a->a_desc == ci->ci_ad ) + break; + + if ( a != NULL ) + break; + } + + /* + * Nothing found to cloak + */ + if ( ci == NULL ) + return ( SLAP_CB_CONTINUE ); + + /* + * We are now committed to cloak an attribute. + */ + rs_entry2modifiable( op, rs, (slap_overinst *) op->o_bd->bd_info ); + me = rs->sr_entry; + + for ( ci = (cloak_info_t *)sc->sc_private; ci; ci = ci->ci_next ) { + Attribute *a; + Attribute *pa; + + for ( pa = NULL, a = me->e_attrs; + a; + pa = a, a = a->a_next ) { + + if ( a->a_desc != ci->ci_ad ) + continue; + + Debug( LDAP_DEBUG_TRACE, "cloak_search_response_cb: cloak %s\n", + a->a_desc->ad_cname.bv_val, + 0, 0 ); + + if ( pa != NULL ) + pa->a_next = a->a_next; + else + me->e_attrs = a->a_next; + + attr_clean( a ); + } + + } + + return ( SLAP_CB_CONTINUE ); +} + +static int +cloak_search_cleanup_cb( Operation *op, SlapReply *rs ) +{ + if ( rs->sr_type == REP_RESULT || rs->sr_err != LDAP_SUCCESS ) { + slap_freeself_cb( op, rs ); + } + + return SLAP_CB_CONTINUE; +} + +static int +cloak_search( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + cloak_info_t *ci = (cloak_info_t *)on->on_bi.bi_private; + slap_callback *sc; + + if ( op->ors_attrsonly || + op->ors_attrs || + get_manageDSAit( op ) ) + return SLAP_CB_CONTINUE; + + sc = op->o_tmpcalloc( 1, sizeof( *sc ), op->o_tmpmemctx ); + sc->sc_response = cloak_search_response_cb; + sc->sc_cleanup = cloak_search_cleanup_cb; + sc->sc_next = op->o_callback; + sc->sc_private = ci; + op->o_callback = sc; + + return SLAP_CB_CONTINUE; +} + +static slap_overinst cloak_ovl; + +static ConfigTable cloakcfg[] = { + { "cloak-attr", "attribute [class]", + 2, 3, 0, ARG_MAGIC|CLOAK_ATTR, cloak_cfgen, + "( OLcfgCtAt:4.1 NAME 'olcCloakAttribute' " + "DESC 'Cloaked attribute: attribute [class]' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString " + "X-ORDERED 'VALUES' )", + NULL, NULL }, + { NULL, NULL, 0, 0, 0, ARG_IGNORED } +}; + +static int +cloak_db_destroy( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + cloak_info_t *ci = (cloak_info_t *)on->on_bi.bi_private; + + for ( ; ci; ) { + cloak_info_t *tmp = ci; + ci = ci->ci_next; + SLAP_FREE( tmp ); + } + + on->on_bi.bi_private = NULL; + + return 0; +} + +static ConfigOCs cloakocs[] = { + { "( OLcfgCtOc:4.1 " + "NAME 'olcCloakConfig' " + "DESC 'Attribute cloak configuration' " + "SUP olcOverlayConfig " + "MAY ( olcCloakAttribute ) )", + Cft_Overlay, cloakcfg }, + { NULL, 0, NULL } +}; + +#if SLAPD_OVER_CLOAK == SLAPD_MOD_DYNAMIC +static +#endif +int +cloak_initialize( void ) { + int rc; + cloak_ovl.on_bi.bi_type = "cloak"; + cloak_ovl.on_bi.bi_db_destroy = cloak_db_destroy; + cloak_ovl.on_bi.bi_op_search = cloak_search; + cloak_ovl.on_bi.bi_cf_ocs = cloakocs; + + rc = config_register_schema ( cloakcfg, cloakocs ); + if ( rc ) + return rc; + + return overlay_register( &cloak_ovl ); +} + +#if SLAPD_OVER_CLOAK == SLAPD_MOD_DYNAMIC +int init_module(int argc, char *argv[]) { + return cloak_initialize(); +} +#endif + +#endif /* defined(SLAPD_OVER_CLOAK) */ + diff --git a/contrib/slapd-modules/cloak/slapo-cloak.5 b/contrib/slapd-modules/cloak/slapo-cloak.5 new file mode 100644 index 0000000..3d4c992 --- /dev/null +++ b/contrib/slapd-modules/cloak/slapo-cloak.5 @@ -0,0 +1,82 @@ +.TH SLAPO-CLOAK 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved. +.\" Copying restrictions apply. See the COPYRIGHT file. +.\" $OpenLDAP$ +.SH NAME +slapo-cloak \- Attribute cloak overlay to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B cloak +overlay to +.BR slapd (8) +allows the server to hide specific attributes, unless explicitely requested +by the client. This improve performance when a client requests all attributes +and get a huge binary attribute that is of no interest for it. +This behavior is disabled when the \fImanageDSAit\fP +control (RFC 3296) is used. + +.SH CONFIGURATION +The config directives that are specific to the +.B cloak +overlay must be prefixed by +.BR cloak\- , +to avoid potential conflicts with directives specific to the underlying +database or to other stacked overlays. + +.TP +.B overlay cloak +This directive adds the cloak overlay to the current database, +or to the frontend, if used before any database instantiation; see +.BR slapd.conf (5) +for details. + +.LP +This +.B slapd.conf +configuration option is defined for the cloak overlay. It may have multiple +occurrences, and it must appear after the +.B overlay +directive: +.TP +.B cloak-attr <attribute> [<class>] +The value +.B <attribute> +is the name of the attribute that will be cloaked. + +The optional +.B <class> +restricts cloaking only to entries of the named +.B <class>. + +.SH EXAMPLE +This example hide the +.B jpegPhoto +attribute. Add the following to slapd.conf: + +.LP +.nf + database <database> + # ... + + overlay cloak + cloak-attr jpegPhoto +.fi +.LP +and that slapd loads cloak.la, if compiled as a run-time module; + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd (8). +The +.BR slapo-cloak (5) +overlay supports dynamic configuration via +.BR back-config . +.SH ACKNOWLEDGEMENTS +.P +This module was originally written in 2008 by Emmanuel Dreyfus. diff --git a/contrib/slapd-modules/comp_match/Makefile b/contrib/slapd-modules/comp_match/Makefile new file mode 100644 index 0000000..f34f579 --- /dev/null +++ b/contrib/slapd-modules/comp_match/Makefile @@ -0,0 +1,69 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 2003-2021 The OpenLDAP Foundation. +# Portions Copyright 2004 by IBM Corporation. +# All rights reserved. + +# Copyright 2004 Sang Seok Lim, IBM Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +SNACC_DIR = ../$(LDAP_SRC)/snacc +SNACC_INC = -I$(SNACC_DIR) -I$(SNACC_DIR)/c-lib/inc +SNACC_LIB = $(SNACC_DIR)/c-lib/libcasn1.a + +SSL_DIR = /usr/local +SSL_INC = -I$(SSL_DIR)/include/openssl +SSL_LIB = -lcrypto -L$(SSL_DIR)/lib + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DLDAP_COMPONENT +INCS = $(LDAP_INC) $(SNACC_INC) $(SSL_INC) +LIBS = $(LDAP_LIB) $(SNACC_LIB) $(SSL_LIB) + +PROGRAMS = compmatch.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +compmatch.la: componentlib.lo init.lo certificate.lo asn_to_syn_mr.lo authorityKeyIdentifier.lo crl.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/comp_match/README b/contrib/slapd-modules/comp_match/README new file mode 100644 index 0000000..133757c --- /dev/null +++ b/contrib/slapd-modules/comp_match/README @@ -0,0 +1,127 @@ +Copyright 2004 Sang Seok Lim, IBM . All rights reserved. + +Redistribution and use in source and binary forms, with +or without modification, are permitted only as authorized +by the OpenLDAP Public License. + +A copy of this license is available in the file LICENSE in +the top-level directory of the distribution or, alternatively, +at <http://www.OpenLDAP.org/license.html>. + +This directory contains a Component Matching module and +a X.509 Certificate example. In order to understand Component +Matching, see RFC 3687 and +http://www.openldap.org/conf/odd-sandiego-2004/Sangseok.pdf + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +A) Brief introduction about files in this directory +%%%%%%%%%%55%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +1) init.c +module_init() and functions which are dynamically linked +into the main slapd codes. + +2) componentlib.c and componentlib.h +GSER and BER decoder library of each primitive ASN.1 type. +They use component representation to store ASN.1 values. + +3) certificate.c/.h authorityKeyIdentifier.c/.h +eSNACC generated BER and GSER decoder routines of the X.509 +certificate specification and one of its extensions, +authorityKeyIdentifier. + +4) asn_to_syn_mr.c asn.h +An mapping table from ASN.1 types to corresponding Syntaxes, +matching rules, and component description in slapd. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +B) How to use Component Matching on X.509 certificates +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +1) be sure to configure slapd with enable-modules on. +2) install the GSER-support eSNACC compiler. You can find +only in www.openldap.org. At least, you need the library +(libcasn1.a) and header files for compiling this module. +3) modify Makefile accordingly. then run make. +you will get compmatch.la and other necessary files in ./libs +4) modify slapd.conf to include the following module command + moduleload <path to>compmatch.la +5) run slapd and perform search operations against +the attribute, userCertificate. You need to read through +RFC 3687 in order to understand how to compose component +filters. +Ex) component search filter examples +"(userCertificate:componentFilterMatch:=item:{ component +\"toBeSigned.serialNumber\", rule integerMatch, value 2 })" +You can find more examples in "test031-component-filter" +in the OpenLDAP source directory. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +C) How to add a new ASN.1 syntax +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +1) download and install the eSNACC compiler supporting +Component Matching. You can find the compiler only in +www.openldap.org. Before compiling, be sure to define +the "LDAP_COMPONENT" macro to obtain component +supported version of C library and back-ends of eSNACC. +Otherwise compiled library will fail to be linked to +the module. +2) using eSNACC, compile your ASN.1 specifications and +copy the generated .c and .h files to this directory +Ex) +$ esnacc -E BER_COMP -E GSER -t -d -f example.asn +For Component Matching, set BOTH BER_COMP and GSER on. +After compiling, you will get example.c and example.h +3) modify example.c accordingly, seeing certificate.c +and certificate.asn as a reference. +- add init_module_xxx() located in generated .c file +into init_module() in init.c. +- modify the arguments of InstallOidDecoderMapping(...) +accordingly +- in the generated .c file, you need to write +"DecComponentxxxTop(...)" function for yourself. +You can copy BDecComponentCertificateTop in the +generated .c file and modify it accordingly. +4) register a new attribute syntax with a new OID +in a schema file +5) then goto 3) of B) section. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +D) How to configure Component Indexing +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +You can generate indices on each component of +a given attribute whose values are in either GSER or +BER. Currently primitive ASN.1 types, DN, and RDN +can be indexed for equality matching in BDB. +In order to generate indices, put following line +in the slapd configuration file, slapd.conf. + +index [attribute name].[component reference] eq + +Ex) +index userCertificate eq +index userCertificate.toBeSigned.issuer.rdnSequence eq +index userCertificate.toBeSigned.serialNumber eq +index userCertificate.toBeSigned.version eq + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +D) How to configure Attribute Alias +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +If your client is unable to use component filters, +attribute aliasing can be used instead. Attribute +Alias maps a virtual attribute type to an attribute +component and a component matching rule. +You can create your own aliases by following steps. + +1) register aliasing attributes in the schema file. +Sample aliasing attributes are in test.schema. +2) compose component filters for aliasing attributes +and put them in "preprocessed_comp_filter" array +in "init.c". +3) add "add_aa_entry" function calls in +"init_attribute_aliasing_table()" in "init.c" +4) perform searching against the aliasing attribute +Ex) +"(x509CertificateIssuer:distinguishedNameMatch= +cn=ray,L=yorktown,o=ibm,c=us)" diff --git a/contrib/slapd-modules/comp_match/asn.h b/contrib/slapd-modules/comp_match/asn.h new file mode 100644 index 0000000..de63c0a --- /dev/null +++ b/contrib/slapd-modules/comp_match/asn.h @@ -0,0 +1,57 @@ +/* Copyright 2004 IBM Corporation + * All rights reserved. + * Redisribution and use in source and binary forms, with or without + * modification, are permitted only as authorizd by the OpenLADP + * Public License. + */ +/* ACKNOWLEDGEMENTS + * This work originally developed by Sang Seok Lim + * 2004/06/18 03:20:00 slim@OpenLDAP.org + */ +#ifndef _H_ASN_MODULE +#define _H_ASN_MODULE + +typedef enum { BER, GSER } EncRulesType; + +typedef enum AsnTypeId { + BASICTYPE_BOOLEAN = 0, + BASICTYPE_INTEGER, + BASICTYPE_BITSTRING, + BASICTYPE_OCTETSTRING, + BASICTYPE_NULL, + BASICTYPE_OID, + BASICTYPE_REAL, + BASICTYPE_ENUMERATED, + BASICTYPE_NUMERIC_STR, + BASICTYPE_PRINTABLE_STR, + BASICTYPE_UNIVERSAL_STR, + BASICTYPE_IA5_STR, + BASICTYPE_BMP_STR, + BASICTYPE_UTF8_STR, + BASICTYPE_UTCTIME, + BASICTYPE_GENERALIZEDTIME, + BASICTYPE_GRAPHIC_STR, + BASICTYPE_VISIBLE_STR, + BASICTYPE_GENERAL_STR, + BASICTYPE_OBJECTDESCRIPTOR, + BASICTYPE_VIDEOTEX_STR, + BASICTYPE_T61_STR, + BASICTYPE_OCTETCONTAINING, + BASICTYPE_BITCONTAINING, + BASICTYPE_RELATIVE_OID, /* 25 */ + BASICTYPE_ANY, + /* Embedded Composite Types*/ + COMPOSITE_ASN1_TYPE, + /* A New ASN.1 types including type reference */ + RDNSequence, + RelativeDistinguishedName, + TelephoneNumber, + FacsimileTelephoneNumber__telephoneNumber, + DirectoryString, + /* Newly Defined ASN.1 Type, Manually registered */ + ASN_COMP_CERTIFICATE, + /* ASN.1 Type End */ + ASNTYPE_END +} AsnTypeId; + +#endif diff --git a/contrib/slapd-modules/comp_match/asn_to_syn_mr.c b/contrib/slapd-modules/comp_match/asn_to_syn_mr.c new file mode 100644 index 0000000..e7e1ee7 --- /dev/null +++ b/contrib/slapd-modules/comp_match/asn_to_syn_mr.c @@ -0,0 +1,282 @@ +#include <component.h> +#include "asn.h" +#include "componentlib.h" +#include "certificate.h" + +AsnTypetoMatchingRuleTable directory_component_matching_table[] = { + "1.2.36.79672281.1.13.7", +{ + { BASICTYPE_BOOLEAN,NULL,"1.3.6.1.4.1.1466.115.121.1.7", NULL }, + { BASICTYPE_INTEGER,NULL ,"1.3.6.1.4.1.1466.115.121.1.27", NULL }, + { BASICTYPE_BITSTRING,NULL ,"1.3.6.1.4.1.1466.115.121.1.6", NULL }, + { BASICTYPE_OCTETSTRING,NULL , "1.3.6.1.4.1.1466.115.121.1.40", NULL }, + { BASICTYPE_NULL,NULL , NULL, NULL }, + { BASICTYPE_OID,NULL ,"1.3.6.1.4.1.1466.115.121.1.38", NULL }, + { BASICTYPE_REAL,NULL , NULL, NULL }, + { BASICTYPE_ENUMERATED,NULL , NULL, NULL }, + { BASICTYPE_NUMERIC_STR, "numericStringMatch", "1.3.6.1.4.1.1466.115.121.1.36", NULL }, + { BASICTYPE_PRINTABLE_STR, "caseIgnoreMatch", "1.3.6.1.4.1.1466.115.121.1.44", NULL }, + { BASICTYPE_UNIVERSAL_STR, "caseIgnoreMatch" , NULL, NULL }, + { BASICTYPE_IA5_STR, "caseIgnoreMatch", "1.3.6.1.4.1.1466.115.121.1.26", NULL }, + { BASICTYPE_BMP_STR, "caseIgnoreMatch" , NULL, NULL }, + { BASICTYPE_UTF8_STR, "caseIgnoreMatch" , NULL, NULL }, + { BASICTYPE_UTCTIME, "uTCTimeMatch" , "1.3.6.1.4.1.1466.115.121.1.53", NULL }, + { BASICTYPE_GENERALIZEDTIME, "generalizedTimeMatch" ,"1.3.6.1.4.1.1466.115.121.1.24", NULL }, + { BASICTYPE_GRAPHIC_STR, "caseIgnoreMatch", NULL, NULL }, + { BASICTYPE_VISIBLE_STR, "caseIgnoreMatch", NULL, NULL }, + { BASICTYPE_GENERAL_STR, "caseIgnoreMatch", NULL, NULL }, + { BASICTYPE_OBJECTDESCRIPTOR, NULL , NULL, NULL }, + { BASICTYPE_VIDEOTEX_STR, "caseIgnoreMatch", NULL, NULL }, + { BASICTYPE_T61_STR, "caseIgnoreMatch", NULL, NULL }, + { BASICTYPE_OCTETCONTAINING, NULL , NULL, NULL }, + { BASICTYPE_BITCONTAINING, NULL , NULL, NULL }, + { BASICTYPE_RELATIVE_OID, NULL, "1.2.36.79672281.1.5.0", NULL }, + { RDNSequence, "distinguishedNameMatch" , NULL, NULL }, + { RelativeDistinguishedName, NULL , NULL, NULL }, + { TelephoneNumber, "telephoneNumberMatch" , "1.3.6.1.4.1.1466.115.121.1.50", NULL }, + { FacsimileTelephoneNumber__telephoneNumber, "telephoneNumberMatch","1.3.6.1.4.1.1466.115.121.1.22", NULL }, + { DirectoryString, "caseIgnoreMatch" ,"1.3.6.1.4.1.1466.115.121.1.15", NULL }, + { ASN_COMP_CERTIFICATE, NULL , "1.2.36.79672281.1.5.2" , NULL }, + { ASNTYPE_END , NULL , NULL, NULL } +}, + NULL +}; + +AsnTypetoSyntax asn_to_syntax_mapping_tbl[] = { +{ BASICTYPE_BOOLEAN,"Boolean","1.3.6.1.4.1.1466.115.121.1.7", NULL }, +{ BASICTYPE_INTEGER,"Integer","1.3.6.1.4.1.1466.115.121.1.27", NULL }, +{ BASICTYPE_BITSTRING,"Bit String","1.3.6.1.4.1.1466.115.121.1.6", NULL }, +{ BASICTYPE_OCTETSTRING,"Octet String", "1.3.6.1.4.1.1466.115.121.1.40", NULL }, +{ BASICTYPE_NULL,NULL, NULL, NULL }, +{ BASICTYPE_OID,"OID","1.3.6.1.4.1.1466.115.121.1.38", NULL }, +{ BASICTYPE_REAL,NULL, NULL, NULL }, +{ BASICTYPE_ENUMERATED,"Integer", "1.3.6.1.4.1.1466.115.121.1.27", NULL }, +{ BASICTYPE_NUMERIC_STR, "Numeric String", "1.3.6.1.4.1.1466.115.121.1.36", NULL }, +{ BASICTYPE_PRINTABLE_STR, "Printable String", "1.3.6.1.4.1.1466.115.121.1.44", NULL }, +{ BASICTYPE_UNIVERSAL_STR, NULL , NULL, NULL }, +{ BASICTYPE_IA5_STR, "IA5 String", "1.3.6.1.4.1.1466.115.121.1.26", NULL }, +{ BASICTYPE_BMP_STR, NULL , NULL, NULL }, +{ BASICTYPE_UTF8_STR, "Directory String" , "1.3.6.1.4.1.1466.115.121.1.15", NULL }, +{ BASICTYPE_UTCTIME, "UTC Time" , "1.3.6.1.4.1.1466.115.121.1.53", NULL }, +{ BASICTYPE_GENERALIZEDTIME, "Generalized Time" ,"1.3.6.1.4.1.1466.115.121.1.24", NULL }, +{ BASICTYPE_GRAPHIC_STR, NULL, NULL, NULL }, +{ BASICTYPE_VISIBLE_STR, "Directory String", "1.3.6.1.4.1.1466.115.121.1.15", NULL }, +{ BASICTYPE_GENERAL_STR, NULL, NULL, NULL }, +{ BASICTYPE_OBJECTDESCRIPTOR, "Object Class Description", "1.3.6.1.4.1.1466.115.121.1.37", NULL }, +{ BASICTYPE_VIDEOTEX_STR, NULL, NULL, NULL }, +{ BASICTYPE_T61_STR, NULL, NULL, NULL }, +{ BASICTYPE_OCTETCONTAINING, NULL , NULL, NULL }, +{ BASICTYPE_BITCONTAINING, NULL , NULL, NULL }, +{ BASICTYPE_RELATIVE_OID, "OID", "1.3.6.1.4.1.1466.115.121.1.38", NULL }, +{ BASICTYPE_ANY, NULL, NULL, NULL }, +{ COMPOSITE_ASN1_TYPE, NULL , NULL, NULL }, +{ RDNSequence, "Distinguished Name" , "1.3.6.1.4.1.1466.115.121.1.12", NULL }, +{ RelativeDistinguishedName, "RDN", "1.2.36.79672281.1.5.0", NULL }, +{ TelephoneNumber, "Telephone Number" , "1.3.6.1.4.1.1466.115.121.1.50", NULL }, +{ FacsimileTelephoneNumber__telephoneNumber, "Facsimile Telephone Number","1.3.6.1.4.1.1466.115.121.1.22", NULL }, +{ DirectoryString, "Directory String" ,"1.3.6.1.4.1.1466.115.121.1.15", NULL }, +{ ASN_COMP_CERTIFICATE, "componentCertificate", "1.2.36.79672281.1.5.2" , NULL }, +{ ASNTYPE_END , NULL , NULL, NULL } +}; + +/* + * This table describes relationship between an ASN.1 type and its + * potential matching rules such as equality, approx, ordering, and substring + * Based on the description of this table, the following ComponentType + * table is initialized + */ +AsnTypetoCompMatchingRule asntype_to_compMR_mapping_tbl[] = { +{ BASICTYPE_BOOLEAN, "booleanMatch", NULL, NULL, NULL }, +{ BASICTYPE_INTEGER, "integerMatch", NULL, "integerOrderingMatch", NULL }, +{ BASICTYPE_BITSTRING, "bitStringMatch", NULL, NULL, NULL }, +{ BASICTYPE_OCTETSTRING, "octetStringMatch", NULL, "octetStringOrderingMatch", NULL }, +{ BASICTYPE_NULL, NULL, NULL, NULL, NULL }, +{ BASICTYPE_OID, "objectIdentifierMatch", NULL, NULL, NULL }, +{ BASICTYPE_REAL, NULL, NULL, NULL, NULL }, +{ BASICTYPE_ENUMERATED, "integerMatch", NULL, "integerOrderingMatch", NULL }, +{ BASICTYPE_NUMERIC_STR, "numericStringMatch", NULL, "numericStringOrderingMatch", "numericStringSubstringsMatch"}, +{ BASICTYPE_PRINTABLE_STR, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_UNIVERSAL_STR, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_IA5_STR, "caseIgnoreMatch", "IA5StringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_BMP_STR, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_UTF8_STR, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_UTCTIME, NULL, NULL, NULL, NULL }, +{ BASICTYPE_GENERALIZEDTIME, NULL, NULL, NULL, NULL }, +{ BASICTYPE_GRAPHIC_STR, NULL, NULL, NULL, NULL }, +{ BASICTYPE_VISIBLE_STR, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ BASICTYPE_GENERAL_STR, NULL, NULL, NULL, NULL }, +{ BASICTYPE_OBJECTDESCRIPTOR, "objectIdentifierFirstComponentMatch", NULL, NULL, NULL }, +{ BASICTYPE_VIDEOTEX_STR, NULL, NULL, NULL, NULL }, +{ BASICTYPE_T61_STR, NULL, NULL, NULL, NULL }, +{ BASICTYPE_OCTETCONTAINING, NULL, NULL, NULL, NULL }, +{ BASICTYPE_BITCONTAINING, NULL, NULL, NULL, NULL }, +{ BASICTYPE_RELATIVE_OID, "objectIdentifierFirstComponentMatch", NULL, NULL, NULL }, +{ BASICTYPE_ANY, NULL, NULL, NULL, NULL }, +{ COMPOSITE_ASN1_TYPE, NULL, NULL, NULL, NULL }, +{ RDNSequence, "distinguishedNameMatch", NULL, NULL, NULL }, +{ RelativeDistinguishedName, "rdnMatch" , NULL, NULL, NULL }, +{ TelephoneNumber, NULL, NULL, NULL, NULL }, +{ FacsimileTelephoneNumber__telephoneNumber, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch" }, +{ DirectoryString, "caseIgnoreMatch", "directoryStringApproxMatch", "caseIgnoreOrderingMatch", "caseIgnoreSubstringsMatch"}, +{ ASN_COMP_CERTIFICATE, "componentFilterMatch", NULL, NULL, NULL }, +{ ASNTYPE_END, NULL, NULL, NULL, NULL } +}; + +/* + * This table mapps an ASN type to a corresponding ComponentType which has + * equivalent contents of an existing AttributeType + */ +AsnTypetoCompType asntype_to_compType_mapping_tbl[] = { +{ BASICTYPE_BOOLEAN,{}}, +{ BASICTYPE_INTEGER, {}}, +{ BASICTYPE_BITSTRING, {}}, +{ BASICTYPE_OCTETSTRING, {}}, +{ BASICTYPE_NULL, {}}, +{ BASICTYPE_OID, {}}, +{ BASICTYPE_REAL, {}}, +{ BASICTYPE_ENUMERATED, {}}, +{ BASICTYPE_NUMERIC_STR, {}}, +{ BASICTYPE_PRINTABLE_STR, {}}, +{ BASICTYPE_UNIVERSAL_STR, {}}, +{ BASICTYPE_IA5_STR, {}}, +{ BASICTYPE_BMP_STR, {}}, +{ BASICTYPE_UTF8_STR, {}}, +{ BASICTYPE_UTCTIME, {}}, +{ BASICTYPE_GENERALIZEDTIME, {}}, +{ BASICTYPE_GRAPHIC_STR, {}}, +{ BASICTYPE_VISIBLE_STR, {}}, +{ BASICTYPE_GENERAL_STR,{}}, +{ BASICTYPE_OBJECTDESCRIPTOR, {}}, +{ BASICTYPE_VIDEOTEX_STR, {}}, +{ BASICTYPE_T61_STR, {}}, +{ BASICTYPE_OCTETCONTAINING, {}}, +{ BASICTYPE_BITCONTAINING, {}}, +{ BASICTYPE_RELATIVE_OID, {}}, +{ BASICTYPE_ANY, {}}, +{ COMPOSITE_ASN1_TYPE, {}}, +{ RDNSequence, {}}, +{ RelativeDistinguishedName, {}}, +{ TelephoneNumber, {}}, +{ FacsimileTelephoneNumber__telephoneNumber, {}}, +{ DirectoryString, {}}, +{ ASN_COMP_CERTIFICATE, {}}, +{ ASNTYPE_END , {}} +}; + +AsnTypetoCompDesc asntype_to_compdesc_mapping_tbl[] = { +{ BASICTYPE_BOOLEAN, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_BOOLEAN, + (encoder_func*)NULL,(encoder_func*)GEncComponentBool,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentBool,(ber_decoder_func*)BDecComponentBool, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentBool}}, +{ BASICTYPE_INTEGER, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_INTEGER, + (encoder_func*)NULL,(encoder_func*)GEncComponentInt,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentInt,(ber_decoder_func*)BDecComponentInt, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentInt}}, +{ BASICTYPE_BITSTRING, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_BITSTRING, + (encoder_func*)NULL,(encoder_func*)GEncComponentBits,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentBits,(ber_decoder_func*)BDecComponentBits, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentBits}}, +{ BASICTYPE_OCTETSTRING, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_OCTETSTRING, + (encoder_func*)NULL,(encoder_func*)GEncComponentOcts,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentOcts,(ber_decoder_func*)BDecComponentOcts, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentOcts}}, +{ BASICTYPE_NULL, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_NULL, + (encoder_func*)NULL,(encoder_func*)GEncComponentNull,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentNull,(ber_decoder_func*)BDecComponentNull, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentNull}}, +{ BASICTYPE_OID, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_OID, + (encoder_func*)NULL,(encoder_func*)GEncComponentOid,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentOid,(ber_decoder_func*)BDecComponentOid, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentOid}}, +{ BASICTYPE_REAL, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_REAL, + (encoder_func*)NULL,(encoder_func*)GEncComponentReal,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentReal,(ber_decoder_func*)BDecComponentReal, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentReal}}, +{ BASICTYPE_ENUMERATED, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_ENUMERATED, + (encoder_func*)NULL,(encoder_func*)GEncComponentEnum,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentEnum,(ber_decoder_func*)BDecComponentEnum, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentEnum}}, +{ BASICTYPE_NUMERIC_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_NUMERIC_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentNumericString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentNumericString,(ber_decoder_func*)BDecComponentNumericString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentNumericString}}, +{ BASICTYPE_PRINTABLE_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_PRINTABLE_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentPrintableString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentPrintableString,(ber_decoder_func*)BDecComponentPrintableString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentPrintableString}}, +{ BASICTYPE_UNIVERSAL_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_UNIVERSAL_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentUniversalString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUniversalString,(ber_decoder_func*)BDecComponentUniversalString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUniversalString}}, +{ BASICTYPE_IA5_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_IA5_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentIA5String,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentIA5String,(ber_decoder_func*)BDecComponentIA5String, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentIA5String}}, +{ BASICTYPE_BMP_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_BMP_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentBMPString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentBMPString,(ber_decoder_func*)BDecComponentBMPString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentBMPString}}, +{ BASICTYPE_UTF8_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_UTF8_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTF8String,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTF8String,(ber_decoder_func*)BDecComponentUTF8String, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTF8String}}, +{ BASICTYPE_UTCTIME, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_UTCTIME, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTCTime,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTCTime,(ber_decoder_func*)BDecComponentUTCTime, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTCTime}}, +{ BASICTYPE_GENERALIZEDTIME, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_GENERALIZEDTIME, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTCTime,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTCTime,(ber_decoder_func*)BDecComponentUTCTime, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTCTime}}, +{ BASICTYPE_GRAPHIC_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_GRAPHIC_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentPrintableString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentPrintableString,(ber_decoder_func*)BDecComponentPrintableString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentPrintableString}}, +{ BASICTYPE_VISIBLE_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_VISIBLE_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentVisibleString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentVisibleString,(ber_decoder_func*)BDecComponentVisibleString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentVisibleString}}, +{ BASICTYPE_GENERAL_STR,{ -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_GENERAL_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTF8String,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTF8String,(ber_decoder_func*)BDecComponentUTF8String, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTF8String}}, +{ BASICTYPE_OBJECTDESCRIPTOR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_OBJECTDESCRIPTOR, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTF8String,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTF8String,(ber_decoder_func*)BDecComponentUTF8String, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTF8String}}, +{ BASICTYPE_VIDEOTEX_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_VIDEOTEX_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentTeletexString,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentTeletexString,(ber_decoder_func*)BDecComponentTeletexString, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentTeletexString}}, +{ BASICTYPE_T61_STR, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_T61_STR, + (encoder_func*)NULL,(encoder_func*)GEncComponentUTF8String,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentUTF8String,(ber_decoder_func*)BDecComponentUTF8String, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentUTF8String}}, +{ BASICTYPE_OCTETCONTAINING, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_OCTETCONTAINING, + (encoder_func*)NULL,(encoder_func*)NULL,(encoder_func*)NULL, + (gser_decoder_func*)NULL,(ber_decoder_func*)NULL, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,NULL}}, +{ BASICTYPE_BITCONTAINING, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_BITCONTAINING, + (encoder_func*)NULL,(encoder_func*)NULL,(encoder_func*)NULL, + (gser_decoder_func*)NULL,(ber_decoder_func*)NULL, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,NULL}}, +{ BASICTYPE_RELATIVE_OID, { -1, NULL, {},{},0,ASN_BASIC,BASICTYPE_RELATIVE_OID, + (encoder_func*)NULL,(encoder_func*)GEncComponentRelativeOid,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentRelativeOid,(ber_decoder_func*)BDecComponentRelativeOid, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentRelativeOid}}, +{ BASICTYPE_ANY, {}}, +{ COMPOSITE_ASN1_TYPE, {}}, +{ RDNSequence, { -1, NULL, {},{},0,ASN_COMPOSITE,RDNSequence, + (encoder_func*)ConvertRDNSequence2RFC2253,(encoder_func*)NULL,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentRDNSequence,(ber_decoder_func*)BDecComponentRDNSequence, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentRDNSequence}}, +{ RelativeDistinguishedName, { -1, NULL, {},{},0,ASN_COMPOSITE,RDNSequence, + (encoder_func*)ConvertRDNSequence2RFC2253,(encoder_func*)NULL,(encoder_func*)NULL, + (gser_decoder_func*)GDecComponentRDNSequence,(ber_decoder_func*)BDecComponentRDNSequence, + (comp_free_func*)NULL,(extract_component_from_id_func*)NULL,MatchingComponentRDNSequence}}, +{ TelephoneNumber, {}}, +{ FacsimileTelephoneNumber__telephoneNumber, {}}, +{ DirectoryString, {}}, +{ ASN_COMP_CERTIFICATE, {}}, +{ ASNTYPE_END , {}} +}; diff --git a/contrib/slapd-modules/comp_match/authorityKeyIdentifier.asn b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.asn new file mode 100644 index 0000000..85ac92d --- /dev/null +++ b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.asn @@ -0,0 +1,65 @@ +AuthorityKeyIdentifierDefinition DEFINITIONS ::=
+BEGIN
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] IMPLICIT KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] IMPLICIT GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL }
+ -- authorityCertIssuer and authorityCertSerialNumber MUST both
+ -- be present or both be absent
+
+KeyIdentifier ::= OCTET STRING
+
+CertificateSerialNumber ::= INTEGER
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] OtherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+
+OtherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+-- following ORAddress may not conform original def. in ASN.1
+ORAddress ::= SEQUENCE {
+-- built-in-standard-attributes BuiltInStandardAttributes,
+ type-id OBJECT IDENTIFIER,
+-- built-in-domain-defined-attributes
+ value ANY DEFINED BY type-id,
+-- BuiltInDomainDefinedAttributes OPTIONAL,
+-- see also teletex-domain-defined-attributes
+--extension-attributes ExtensionAttributes OPTIONAL }
+ extension OCTET STRING OPTIONAL }
+
+
+Name ::= CHOICE {
+ rdnSequence RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ value ANY DEFINED BY type}
+
+DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+END
diff --git a/contrib/slapd-modules/comp_match/authorityKeyIdentifier.c b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.c new file mode 100644 index 0000000..84e83b8 --- /dev/null +++ b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.c @@ -0,0 +1,2058 @@ +/* + * authorityKeyIdentifier.c + * "AuthorityKeyIdentifierDefinition" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Wed Dec 8 22:22:49 2004 + * The generated files are supposed to be compiled as a module for OpenLDAP Software + */ + +#include "authorityKeyIdentifier.h" + +BDecComponentAuthorityKeyIdentifierTop( void* mem_op, GenBuf* b, void *v, AsnLen* bytesDecoded,int mode) { + AsnTag tag; + AsnLen elmtLen; + + tag = BDecTag ( b, bytesDecoded ); + elmtLen = BDecLen ( b, bytesDecoded ); + if ( elmtLen <= 0 ) return (-1); + if ( tag != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE) ) { + return (-1); + } + + return BDecComponentAuthorityKeyIdentifier( mem_op, b, tag, elmtLen, ( ComponentAuthorityKeyIdentifier**)v, (AsnLen*)bytesDecoded, mode ); +} + + +void init_module_AuthorityKeyIdentifierDefinition() { + InstallOidDecoderMapping( "2.5.29.35", NULL, + GDecComponentAuthorityKeyIdentifier, + BDecComponentAuthorityKeyIdentifierTop, + ExtractingComponentAuthorityKeyIdentifier, + MatchingComponentAuthorityKeyIdentifier ); +} + +int +MatchingComponentOtherName ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentOid ( oid, (ComponentSyntaxInfo*)&((ComponentOtherName*)csi_attr)->type_id, (ComponentSyntaxInfo*)&((ComponentOtherName*)csi_assert)->type_id ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = SetAnyTypeByComponentOid ((ComponentSyntaxInfo*)&((ComponentOtherName*)csi_attr)->value, (&((ComponentOtherName*)csi_attr)->type_id)); + rc = MatchingComponentAnyDefinedBy ( oid, (ComponentAny*)&((ComponentOtherName*)csi_attr)->value, (ComponentAny*)&((ComponentOtherName*)csi_assert)->value); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentOtherName */ + +void* +ExtractingComponentOtherName ( void* mem_op, ComponentReference* cr, ComponentOtherName *comp ) +{ + + if ( ( comp->type_id.identifier.bv_val && strncmp(comp->type_id.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->type_id.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->type_id; + else + return NULL; + } + if ( ( comp->value.identifier.bv_val && strncmp(comp->value.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->value.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->value; + else + return NULL; + } + return NULL; +} /* ExtractingComponentOtherName */ + +int +BDecComponentOtherName PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentOtherName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentOtherName *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOid (mem_op, b, tagId1, elmtLen1, (&k->type_id), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type_id)->identifier.bv_val = (&k->type_id)->id_buf; + (&k->type_id)->identifier.bv_len = strlen("type_id"); + strcpy( (&k->type_id)->identifier.bv_val, "type_id"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (CNTX, CONS, 0)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = SetAnyTypeByComponentOid ((&k->value), (&k->type_id)); + rc = BDecComponentAnyDefinedBy (mem_op,b, (&k->value), &totalElmtsLen1, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = (&k->value)->id_buf; + (&k->value)->identifier.bv_len = strlen("value"); + strcpy( (&k->value)->identifier.bv_val, "value"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentOtherName*) CompAlloc( mem_op, sizeof(ComponentOtherName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentOtherName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentOtherName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentOtherName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentOtherName; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecOtherName*/ + +int +GDecComponentOtherName PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentOtherName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentOtherName *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "type_id", strlen("type_id") ) == 0 ) { + rc = GDecComponentOid (mem_op, b, (&k->type_id), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type_id)->identifier.bv_val = peek_head; + (&k->type_id)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "value", strlen("value") ) == 0 ) { + rc = SetAnyTypeByComponentOid ((&k->value), (&k->type_id)); + rc = GDecComponentAnyDefinedBy (mem_op, b, (&k->value), bytesDecoded, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = peek_head; + (&k->value)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentOtherName*) CompAlloc( mem_op, sizeof(ComponentOtherName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentOtherName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentOtherName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentOtherName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentOtherName; + return LDAP_SUCCESS; +} /* GDecOtherName*/ + + +int +MatchingComponentORAddress ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentOid ( oid, (ComponentSyntaxInfo*)&((ComponentORAddress*)csi_attr)->type_id, (ComponentSyntaxInfo*)&((ComponentORAddress*)csi_assert)->type_id ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = SetAnyTypeByComponentOid ((ComponentSyntaxInfo*)&((ComponentORAddress*)csi_attr)->value, (&((ComponentORAddress*)csi_attr)->type_id)); + rc = MatchingComponentAnyDefinedBy ( oid, (ComponentAny*)&((ComponentORAddress*)csi_attr)->value, (ComponentAny*)&((ComponentORAddress*)csi_assert)->value); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentOcts ( oid, (ComponentSyntaxInfo*)&((ComponentORAddress*)csi_attr)->extension, (ComponentSyntaxInfo*)&((ComponentORAddress*)csi_assert)->extension ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentORAddress */ + +void* +ExtractingComponentORAddress ( void* mem_op, ComponentReference* cr, ComponentORAddress *comp ) +{ + + if ( ( comp->type_id.identifier.bv_val && strncmp(comp->type_id.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->type_id.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->type_id; + else + return NULL; + } + if ( ( comp->value.identifier.bv_val && strncmp(comp->value.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->value.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->value; + else + return NULL; + } + if ( ( comp->extension.identifier.bv_val && strncmp(comp->extension.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->extension.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->extension; + else + return NULL; + } + return NULL; +} /* ExtractingComponentORAddress */ + +int +BDecComponentORAddress PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentORAddress **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentORAddress *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOid (mem_op, b, tagId1, elmtLen1, (&k->type_id), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type_id)->identifier.bv_val = (&k->type_id)->id_buf; + (&k->type_id)->identifier.bv_len = strlen("type_id"); + strcpy( (&k->type_id)->identifier.bv_val, "type_id"); + } + else + return -1; + + + + { + rc = SetAnyTypeByComponentOid ((&k->value), (&k->type_id)); + rc = BDecComponentAnyDefinedBy (mem_op,b, (&k->value), &totalElmtsLen1, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = (&k->value)->id_buf; + (&k->value)->identifier.bv_len = strlen("value"); + strcpy( (&k->value)->identifier.bv_val, "value"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OCTETSTRING_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, OCTETSTRING_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOcts (mem_op, b, tagId1, elmtLen1, (&k->extension), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extension)->identifier.bv_val = (&k->extension)->id_buf; + (&k->extension)->identifier.bv_len = strlen("extension"); + strcpy( (&k->extension)->identifier.bv_val, "extension"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentORAddress*) CompAlloc( mem_op, sizeof(ComponentORAddress) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentORAddress ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentORAddress ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentORAddress; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentORAddress; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecORAddress*/ + +int +GDecComponentORAddress PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentORAddress **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentORAddress *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "type_id", strlen("type_id") ) == 0 ) { + rc = GDecComponentOid (mem_op, b, (&k->type_id), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type_id)->identifier.bv_val = peek_head; + (&k->type_id)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "value", strlen("value") ) == 0 ) { + rc = SetAnyTypeByComponentOid ((&k->value), (&k->type_id)); + rc = GDecComponentAnyDefinedBy (mem_op, b, (&k->value), bytesDecoded, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = peek_head; + (&k->value)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "extension", strlen("extension") ) == 0 ) { + rc = GDecComponentOcts (mem_op, b, (&k->extension), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extension)->identifier.bv_val = peek_head; + (&k->extension)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentORAddress*) CompAlloc( mem_op, sizeof(ComponentORAddress) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentORAddress ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentORAddress ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentORAddress; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentORAddress; + return LDAP_SUCCESS; +} /* GDecORAddress*/ + + +int +MatchingComponentDirectoryString ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + ComponentDirectoryString *v1, *v2; + + + v1 = (ComponentDirectoryString*)csi_attr; + v2 = (ComponentDirectoryString*)csi_assert; + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + if( (v1->choiceId != v2->choiceId ) ) + return LDAP_COMPARE_FALSE; + switch( v1->choiceId ) + { + case DIRECTORYSTRING_TELETEXSTRING : + rc = MatchingComponentTeletexString ( oid, (ComponentSyntaxInfo*)(v1->a.teletexString), (ComponentSyntaxInfo*)(v2->a.teletexString) ); + break; + case DIRECTORYSTRING_PRINTABLESTRING : + rc = MatchingComponentPrintableString ( oid, (ComponentSyntaxInfo*)(v1->a.printableString), (ComponentSyntaxInfo*)(v2->a.printableString) ); + break; + case DIRECTORYSTRING_UNIVERSALSTRING : + rc = MatchingComponentUniversalString ( oid, (ComponentSyntaxInfo*)(v1->a.universalString), (ComponentSyntaxInfo*)(v2->a.universalString) ); + break; + case DIRECTORYSTRING_UTF8STRING : + rc = MatchingComponentUTF8String ( oid, (ComponentSyntaxInfo*)(v1->a.utf8String), (ComponentSyntaxInfo*)(v2->a.utf8String) ); + break; + case DIRECTORYSTRING_BMPSTRING : + rc = MatchingComponentBMPString ( oid, (ComponentSyntaxInfo*)(v1->a.bmpString), (ComponentSyntaxInfo*)(v2->a.bmpString) ); + break; + default : + return LDAP_PROTOCOL_ERROR; + } + return rc; +} /* BMatchingComponentDirectoryStringContent */ + +void* +ExtractingComponentDirectoryString ( void* mem_op, ComponentReference* cr, ComponentDirectoryString *comp ) +{ + + + if( (comp->choiceId) == DIRECTORYSTRING_TELETEXSTRING && + (( comp->a.teletexString->identifier.bv_val && strncmp(comp->a.teletexString->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.teletexString->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.teletexString); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTeletexString ( mem_op, cr, (comp->a.teletexString) ); + }; + } + if( (comp->choiceId) == DIRECTORYSTRING_PRINTABLESTRING && + (( comp->a.printableString->identifier.bv_val && strncmp(comp->a.printableString->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.printableString->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.printableString); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentPrintableString ( mem_op, cr, (comp->a.printableString) ); + }; + } + if( (comp->choiceId) == DIRECTORYSTRING_UNIVERSALSTRING && + (( comp->a.universalString->identifier.bv_val && strncmp(comp->a.universalString->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.universalString->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.universalString); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentUniversalString ( mem_op, cr, (comp->a.universalString) ); + }; + } + if( (comp->choiceId) == DIRECTORYSTRING_UTF8STRING && + (( comp->a.utf8String->identifier.bv_val && strncmp(comp->a.utf8String->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.utf8String->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.utf8String); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentUTF8String ( mem_op, cr, (comp->a.utf8String) ); + }; + } + if( (comp->choiceId) == DIRECTORYSTRING_BMPSTRING && + (( comp->a.bmpString->identifier.bv_val && strncmp(comp->a.bmpString->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.bmpString->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.bmpString); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentBMPString ( mem_op, cr, (comp->a.bmpString) ); + }; + } + return NULL; +} /* ExtractingComponentDirectoryString */ + +int +BDecComponentDirectoryString PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentDirectoryString **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentDirectoryString *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + switch (tagId0) + { + case MAKE_TAG_ID (UNIV, PRIM, TELETEXSTRING_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, TELETEXSTRING_TAG_CODE): + (k->choiceId) = DIRECTORYSTRING_TELETEXSTRING; + rc = BDecComponentTeletexString (mem_op, b, tagId0, elmtLen0, (&k->a.teletexString), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.teletexString)->identifier.bv_val = (k->a.teletexString)->id_buf; + (k->a.teletexString)->identifier.bv_len = strlen("teletexString"); + strcpy( (k->a.teletexString)->identifier.bv_val, "teletexString"); + break; + + case MAKE_TAG_ID (UNIV, PRIM, PRINTABLESTRING_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, PRINTABLESTRING_TAG_CODE): + (k->choiceId) = DIRECTORYSTRING_PRINTABLESTRING; + rc = BDecComponentPrintableString (mem_op, b, tagId0, elmtLen0, (&k->a.printableString), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.printableString)->identifier.bv_val = (k->a.printableString)->id_buf; + (k->a.printableString)->identifier.bv_len = strlen("printableString"); + strcpy( (k->a.printableString)->identifier.bv_val, "printableString"); + break; + + case MAKE_TAG_ID (UNIV, PRIM, UNIVERSALSTRING_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, UNIVERSALSTRING_TAG_CODE): + (k->choiceId) = DIRECTORYSTRING_UNIVERSALSTRING; + rc = BDecComponentUniversalString (mem_op, b, tagId0, elmtLen0, (&k->a.universalString), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.universalString)->identifier.bv_val = (k->a.universalString)->id_buf; + (k->a.universalString)->identifier.bv_len = strlen("universalString"); + strcpy( (k->a.universalString)->identifier.bv_val, "universalString"); + break; + + case MAKE_TAG_ID (UNIV, PRIM, UTF8STRING_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, UTF8STRING_TAG_CODE): + (k->choiceId) = DIRECTORYSTRING_UTF8STRING; + rc = BDecComponentUTF8String (mem_op, b, tagId0, elmtLen0, (&k->a.utf8String), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.utf8String)->identifier.bv_val = (k->a.utf8String)->id_buf; + (k->a.utf8String)->identifier.bv_len = strlen("utf8String"); + strcpy( (k->a.utf8String)->identifier.bv_val, "utf8String"); + break; + + case MAKE_TAG_ID (UNIV, PRIM, BMPSTRING_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, BMPSTRING_TAG_CODE): + (k->choiceId) = DIRECTORYSTRING_BMPSTRING; + rc = BDecComponentBMPString (mem_op, b, tagId0, elmtLen0, (&k->a.bmpString), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.bmpString)->identifier.bv_val = (k->a.bmpString)->id_buf; + (k->a.bmpString)->identifier.bv_len = strlen("bmpString"); + strcpy( (k->a.bmpString)->identifier.bv_val, "bmpString"); + break; + + default: + Asn1Error ("ERROR - unexpected tag in CHOICE\n"); + return -1; + break; + } /* end switch */ + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentDirectoryString*) CompAlloc( mem_op, sizeof(ComponentDirectoryString) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentDirectoryString ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentDirectoryString ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentDirectoryString; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentDirectoryString; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecDirectoryStringContent */ + +int +GDecComponentDirectoryString PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentDirectoryString **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentDirectoryString *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen2 = LocateNextGSERToken(mem_op,b,&peek_head2,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head2 != ':'){ + Asn1Error("Missing : in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if( strncmp("teletexString",peek_head, strlen("teletexString")) == 0){ + (k->choiceId) = DIRECTORYSTRING_TELETEXSTRING; + rc = GDecComponentTeletexString (mem_op, b, (&k->a.teletexString), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.teletexString)->identifier.bv_val = peek_head; + (k->a.teletexString)->identifier.bv_len = strLen; + } + else if( strncmp("printableString",peek_head,strlen("printableString")) == 0){ + (k->choiceId) = DIRECTORYSTRING_PRINTABLESTRING; + rc = GDecComponentPrintableString (mem_op, b, (&k->a.printableString), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.printableString)->identifier.bv_val = peek_head; + (k->a.printableString)->identifier.bv_len = strLen; + } + else if( strncmp("universalString",peek_head,strlen("universalString")) == 0){ + (k->choiceId) = DIRECTORYSTRING_UNIVERSALSTRING; + rc = GDecComponentUniversalString (mem_op, b, (&k->a.universalString), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.universalString)->identifier.bv_val = peek_head; + (k->a.universalString)->identifier.bv_len = strLen; + } + else if( strncmp("utf8String",peek_head,strlen("utf8String")) == 0){ + (k->choiceId) = DIRECTORYSTRING_UTF8STRING; + rc = GDecComponentUTF8String (mem_op, b, (&k->a.utf8String), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.utf8String)->identifier.bv_val = peek_head; + (k->a.utf8String)->identifier.bv_len = strLen; + } + else if( strncmp("bmpString",peek_head,strlen("bmpString")) == 0){ + (k->choiceId) = DIRECTORYSTRING_BMPSTRING; + rc = GDecComponentBMPString (mem_op, b, (&k->a.bmpString), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.bmpString)->identifier.bv_val = peek_head; + (k->a.bmpString)->identifier.bv_len = strLen; + } + else { + Asn1Error("Undefined Identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentDirectoryString*) CompAlloc( mem_op, sizeof(ComponentDirectoryString) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentDirectoryString ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentDirectoryString ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentDirectoryString; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentDirectoryString; + return LDAP_SUCCESS; +} /* GDecDirectoryStringContent */ + + +int +MatchingComponentEDIPartyName ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + if(COMPONENTNOT_NULL( ((ComponentEDIPartyName*)csi_attr)->nameAssigner ) ) { + rc = MatchingComponentDirectoryString ( oid, (ComponentSyntaxInfo*)((ComponentEDIPartyName*)csi_attr)->nameAssigner, (ComponentSyntaxInfo*)((ComponentEDIPartyName*)csi_assert)->nameAssigner ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + rc = MatchingComponentDirectoryString ( oid, (ComponentSyntaxInfo*)((ComponentEDIPartyName*)csi_attr)->partyName, (ComponentSyntaxInfo*)((ComponentEDIPartyName*)csi_assert)->partyName ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentEDIPartyName */ + +void* +ExtractingComponentEDIPartyName ( void* mem_op, ComponentReference* cr, ComponentEDIPartyName *comp ) +{ + + if ( ( comp->nameAssigner->identifier.bv_val && strncmp(comp->nameAssigner->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->nameAssigner->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->nameAssigner; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentDirectoryString ( mem_op, cr, comp->nameAssigner ); + } + } + if ( ( comp->partyName->identifier.bv_val && strncmp(comp->partyName->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->partyName->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->partyName; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentDirectoryString ( mem_op, cr, comp->partyName ); + } + } + return NULL; +} /* ExtractingComponentEDIPartyName */ + +int +BDecComponentEDIPartyName PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentEDIPartyName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + AsnLen totalElmtsLen3 = 0; + AsnLen elmtLen3; + AsnTag tagId3; + int old_mode = mode; + int rc; + ComponentEDIPartyName *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (CNTX, CONS, 0)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = tagId2 = BDecTag (b, &totalElmtsLen1 ); + elmtLen2 = BDecLen (b, &totalElmtsLen1 ); + BDecComponentDirectoryString (mem_op, b, tagId2, elmtLen2, (&k->nameAssigner), &totalElmtsLen1, mode); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc(b, &totalElmtsLen1 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->nameAssigner)->identifier.bv_val = (k->nameAssigner)->id_buf; + (k->nameAssigner)->identifier.bv_len = strlen("nameAssigner"); + strcpy( (k->nameAssigner)->identifier.bv_val, "nameAssigner"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + + + if (((tagId1 == MAKE_TAG_ID (CNTX, CONS, 1)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = tagId2 = BDecTag (b, &totalElmtsLen1 ); + elmtLen2 = BDecLen (b, &totalElmtsLen1 ); + BDecComponentDirectoryString (mem_op, b, tagId2, elmtLen2, (&k->partyName), &totalElmtsLen1, mode); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc(b, &totalElmtsLen1 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->partyName)->identifier.bv_val = (k->partyName)->id_buf; + (k->partyName)->identifier.bv_len = strlen("partyName"); + strcpy( (k->partyName)->identifier.bv_val, "partyName"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentEDIPartyName*) CompAlloc( mem_op, sizeof(ComponentEDIPartyName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentEDIPartyName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentEDIPartyName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentEDIPartyName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentEDIPartyName; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecEDIPartyName*/ + +int +GDecComponentEDIPartyName PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentEDIPartyName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentEDIPartyName *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "nameAssigner", strlen("nameAssigner") ) == 0 ) { + rc = GDecComponentDirectoryString (mem_op, b, (&k->nameAssigner), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->nameAssigner)->identifier.bv_val = peek_head; + ( k->nameAssigner)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "partyName", strlen("partyName") ) == 0 ) { + rc = GDecComponentDirectoryString (mem_op, b, (&k->partyName), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->partyName)->identifier.bv_val = peek_head; + ( k->partyName)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentEDIPartyName*) CompAlloc( mem_op, sizeof(ComponentEDIPartyName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentEDIPartyName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentEDIPartyName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentEDIPartyName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentEDIPartyName; + return LDAP_SUCCESS; +} /* GDecEDIPartyName*/ + + + +int +MatchingComponentGeneralName ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + ComponentGeneralName *v1, *v2; + + + v1 = (ComponentGeneralName*)csi_attr; + v2 = (ComponentGeneralName*)csi_assert; + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + if( (v1->choiceId != v2->choiceId ) ) + return LDAP_COMPARE_FALSE; + switch( v1->choiceId ) + { + case GENERALNAME_OTHERNAME : + rc = MatchingComponentOtherName ( oid, (ComponentSyntaxInfo*)(v1->a.otherName), (ComponentSyntaxInfo*)(v2->a.otherName) ); + break; + case GENERALNAME_RFC822NAME : + rc = MatchingComponentIA5String ( oid, (ComponentSyntaxInfo*)(v1->a.rfc822Name), (ComponentSyntaxInfo*)(v2->a.rfc822Name) ); + break; + case GENERALNAME_DNSNAME : + rc = MatchingComponentIA5String ( oid, (ComponentSyntaxInfo*)(v1->a.dNSName), (ComponentSyntaxInfo*)(v2->a.dNSName) ); + break; + case GENERALNAME_X400ADDRESS : + rc = MatchingComponentORAddress ( oid, (ComponentSyntaxInfo*)(v1->a.x400Address), (ComponentSyntaxInfo*)(v2->a.x400Address) ); + break; + case GENERALNAME_DIRECTORYNAME : + rc = MatchingComponentName ( oid, (ComponentSyntaxInfo*)(v1->a.directoryName), (ComponentSyntaxInfo*)(v2->a.directoryName) ); + break; + case GENERALNAME_EDIPARTYNAME : + rc = MatchingComponentEDIPartyName ( oid, (ComponentSyntaxInfo*)(v1->a.ediPartyName), (ComponentSyntaxInfo*)(v2->a.ediPartyName) ); + break; + case GENERALNAME_UNIFORMRESOURCEIDENTIFIER : + rc = MatchingComponentIA5String ( oid, (ComponentSyntaxInfo*)(v1->a.uniformResourceIdentifier), (ComponentSyntaxInfo*)(v2->a.uniformResourceIdentifier) ); + break; + case GENERALNAME_IPADDRESS : + rc = MatchingComponentOcts ( oid, (ComponentSyntaxInfo*)(v1->a.iPAddress), (ComponentSyntaxInfo*)(v2->a.iPAddress) ); + break; + case GENERALNAME_REGISTEREDID : + rc = MatchingComponentOid ( oid, (ComponentSyntaxInfo*)(v1->a.registeredID), (ComponentSyntaxInfo*)(v2->a.registeredID) ); + break; + default : + return LDAP_PROTOCOL_ERROR; + } + return rc; +} /* BMatchingComponentGeneralNameContent */ + +void* +ExtractingComponentGeneralName ( void* mem_op, ComponentReference* cr, ComponentGeneralName *comp ) +{ + + + if( (comp->choiceId) == GENERALNAME_OTHERNAME && + (( comp->a.otherName->identifier.bv_val && strncmp(comp->a.otherName->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.otherName->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.otherName); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentOtherName ( mem_op, cr, (comp->a.otherName) ); + }; + } + if( (comp->choiceId) == GENERALNAME_RFC822NAME && + (( comp->a.rfc822Name->identifier.bv_val && strncmp(comp->a.rfc822Name->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.rfc822Name->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.rfc822Name); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentIA5String ( mem_op, cr, (comp->a.rfc822Name) ); + }; + } + if( (comp->choiceId) == GENERALNAME_DNSNAME && + (( comp->a.dNSName->identifier.bv_val && strncmp(comp->a.dNSName->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.dNSName->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.dNSName); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentIA5String ( mem_op, cr, (comp->a.dNSName) ); + }; + } + if( (comp->choiceId) == GENERALNAME_X400ADDRESS && + (( comp->a.x400Address->identifier.bv_val && strncmp(comp->a.x400Address->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.x400Address->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.x400Address); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentORAddress ( mem_op, cr, (comp->a.x400Address) ); + }; + } + if( (comp->choiceId) == GENERALNAME_DIRECTORYNAME && + (( comp->a.directoryName->identifier.bv_val && strncmp(comp->a.directoryName->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.directoryName->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.directoryName); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentName ( mem_op, cr, (comp->a.directoryName) ); + }; + } + if( (comp->choiceId) == GENERALNAME_EDIPARTYNAME && + (( comp->a.ediPartyName->identifier.bv_val && strncmp(comp->a.ediPartyName->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.ediPartyName->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.ediPartyName); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentEDIPartyName ( mem_op, cr, (comp->a.ediPartyName) ); + }; + } + if( (comp->choiceId) == GENERALNAME_UNIFORMRESOURCEIDENTIFIER && + (( comp->a.uniformResourceIdentifier->identifier.bv_val && strncmp(comp->a.uniformResourceIdentifier->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.uniformResourceIdentifier->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.uniformResourceIdentifier); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentIA5String ( mem_op, cr, (comp->a.uniformResourceIdentifier) ); + }; + } + if( (comp->choiceId) == GENERALNAME_IPADDRESS && + (( comp->a.iPAddress->identifier.bv_val && strncmp(comp->a.iPAddress->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.iPAddress->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.iPAddress); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentOcts ( mem_op, cr, (comp->a.iPAddress) ); + }; + } + if( (comp->choiceId) == GENERALNAME_REGISTEREDID && + (( comp->a.registeredID->identifier.bv_val && strncmp(comp->a.registeredID->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.registeredID->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.registeredID); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentOid ( mem_op, cr, (comp->a.registeredID) ); + }; + } + return NULL; +} /* ExtractingComponentGeneralName */ + +int +BDecComponentGeneralName PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentGeneralName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + AsnLen totalElmtsLen3 = 0; + AsnLen elmtLen3; + AsnTag tagId3; + int old_mode = mode; + int rc; + ComponentGeneralName *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + switch (tagId0) + { + case MAKE_TAG_ID (CNTX, CONS, 0): +if (BDecTag (b, &totalElmtsLen1 ) != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_OTHERNAME; + rc = BDecComponentOtherName (mem_op, b, tagId1, elmtLen1, (&k->a.otherName), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.otherName)->identifier.bv_val = (k->a.otherName)->id_buf; + (k->a.otherName)->identifier.bv_len = strlen("otherName"); + strcpy( (k->a.otherName)->identifier.bv_val, "otherName"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 1): + tagId1 = BDecTag (b, &totalElmtsLen1 ); +if ((tagId1 != MAKE_TAG_ID (UNIV, PRIM, IA5STRING_TAG_CODE)) && + (tagId1 != MAKE_TAG_ID (UNIV, CONS, IA5STRING_TAG_CODE))) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_RFC822NAME; + rc = BDecComponentIA5String (mem_op, b, tagId1, elmtLen1, (&k->a.rfc822Name), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.rfc822Name)->identifier.bv_val = (k->a.rfc822Name)->id_buf; + (k->a.rfc822Name)->identifier.bv_len = strlen("rfc822Name"); + strcpy( (k->a.rfc822Name)->identifier.bv_val, "rfc822Name"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 2): + tagId1 = BDecTag (b, &totalElmtsLen1 ); +if ((tagId1 != MAKE_TAG_ID (UNIV, PRIM, IA5STRING_TAG_CODE)) && + (tagId1 != MAKE_TAG_ID (UNIV, CONS, IA5STRING_TAG_CODE))) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_DNSNAME; + rc = BDecComponentIA5String (mem_op, b, tagId1, elmtLen1, (&k->a.dNSName), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.dNSName)->identifier.bv_val = (k->a.dNSName)->id_buf; + (k->a.dNSName)->identifier.bv_len = strlen("dNSName"); + strcpy( (k->a.dNSName)->identifier.bv_val, "dNSName"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 3): +if (BDecTag (b, &totalElmtsLen1 ) != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_X400ADDRESS; + rc = BDecComponentORAddress (mem_op, b, tagId1, elmtLen1, (&k->a.x400Address), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.x400Address)->identifier.bv_val = (k->a.x400Address)->id_buf; + (k->a.x400Address)->identifier.bv_len = strlen("x400Address"); + strcpy( (k->a.x400Address)->identifier.bv_val, "x400Address"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 4): + (k->choiceId) = GENERALNAME_DIRECTORYNAME; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentName (mem_op, b, tagId1, elmtLen1, (&k->a.directoryName), &totalElmtsLen1, mode); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc(b, &totalElmtsLen1 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.directoryName)->identifier.bv_val = (k->a.directoryName)->id_buf; + (k->a.directoryName)->identifier.bv_len = strlen("directoryName"); + strcpy( (k->a.directoryName)->identifier.bv_val, "directoryName"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 5): +if (BDecTag (b, &totalElmtsLen1 ) != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_EDIPARTYNAME; + rc = BDecComponentEDIPartyName (mem_op, b, tagId1, elmtLen1, (&k->a.ediPartyName), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.ediPartyName)->identifier.bv_val = (k->a.ediPartyName)->id_buf; + (k->a.ediPartyName)->identifier.bv_len = strlen("ediPartyName"); + strcpy( (k->a.ediPartyName)->identifier.bv_val, "ediPartyName"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 6): + tagId1 = BDecTag (b, &totalElmtsLen1 ); +if ((tagId1 != MAKE_TAG_ID (UNIV, PRIM, IA5STRING_TAG_CODE)) && + (tagId1 != MAKE_TAG_ID (UNIV, CONS, IA5STRING_TAG_CODE))) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_UNIFORMRESOURCEIDENTIFIER; + rc = BDecComponentIA5String (mem_op, b, tagId1, elmtLen1, (&k->a.uniformResourceIdentifier), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.uniformResourceIdentifier)->identifier.bv_val = (k->a.uniformResourceIdentifier)->id_buf; + (k->a.uniformResourceIdentifier)->identifier.bv_len = strlen("uniformResourceIdentifier"); + strcpy( (k->a.uniformResourceIdentifier)->identifier.bv_val, "uniformResourceIdentifier"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 7): + tagId1 = BDecTag (b, &totalElmtsLen1 ); +if ((tagId1 != MAKE_TAG_ID (UNIV, PRIM, OCTETSTRING_TAG_CODE)) && + (tagId1 != MAKE_TAG_ID (UNIV, CONS, OCTETSTRING_TAG_CODE))) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_IPADDRESS; + rc = BDecComponentOcts (mem_op, b, tagId1, elmtLen1, (&k->a.iPAddress), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.iPAddress)->identifier.bv_val = (k->a.iPAddress)->id_buf; + (k->a.iPAddress)->identifier.bv_len = strlen("iPAddress"); + strcpy( (k->a.iPAddress)->identifier.bv_val, "iPAddress"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + case MAKE_TAG_ID (CNTX, CONS, 8): +if (BDecTag (b, &totalElmtsLen1 ) != MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + (k->choiceId) = GENERALNAME_REGISTEREDID; + rc = BDecComponentOid (mem_op, b, tagId1, elmtLen1, (&k->a.registeredID), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.registeredID)->identifier.bv_val = (k->a.registeredID)->id_buf; + (k->a.registeredID)->identifier.bv_len = strlen("registeredID"); + strcpy( (k->a.registeredID)->identifier.bv_val, "registeredID"); + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + break; + + default: + Asn1Error ("ERROR - unexpected tag in CHOICE\n"); + return -1; + break; + } /* end switch */ + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentGeneralName*) CompAlloc( mem_op, sizeof(ComponentGeneralName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentGeneralName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentGeneralName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentGeneralName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentGeneralName; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecGeneralNameContent */ + +int +GDecComponentGeneralName PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentGeneralName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentGeneralName *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen2 = LocateNextGSERToken(mem_op,b,&peek_head2,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head2 != ':'){ + Asn1Error("Missing : in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if( strncmp("otherName",peek_head, strlen("otherName")) == 0){ + (k->choiceId) = GENERALNAME_OTHERNAME; + rc = GDecComponentOtherName (mem_op, b, (&k->a.otherName), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.otherName)->identifier.bv_val = peek_head; + (k->a.otherName)->identifier.bv_len = strLen; + } + else if( strncmp("rfc822Name",peek_head,strlen("rfc822Name")) == 0){ + (k->choiceId) = GENERALNAME_RFC822NAME; + rc = GDecComponentIA5String (mem_op, b, (&k->a.rfc822Name), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.rfc822Name)->identifier.bv_val = peek_head; + (k->a.rfc822Name)->identifier.bv_len = strLen; + } + else if( strncmp("dNSName",peek_head,strlen("dNSName")) == 0){ + (k->choiceId) = GENERALNAME_DNSNAME; + rc = GDecComponentIA5String (mem_op, b, (&k->a.dNSName), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.dNSName)->identifier.bv_val = peek_head; + (k->a.dNSName)->identifier.bv_len = strLen; + } + else if( strncmp("x400Address",peek_head,strlen("x400Address")) == 0){ + (k->choiceId) = GENERALNAME_X400ADDRESS; + rc = GDecComponentORAddress (mem_op, b, (&k->a.x400Address), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.x400Address)->identifier.bv_val = peek_head; + (k->a.x400Address)->identifier.bv_len = strLen; + } + else if( strncmp("directoryName",peek_head,strlen("directoryName")) == 0){ + (k->choiceId) = GENERALNAME_DIRECTORYNAME; + rc = GDecComponentName (mem_op, b, (&k->a.directoryName), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.directoryName)->identifier.bv_val = peek_head; + (k->a.directoryName)->identifier.bv_len = strLen; + } + else if( strncmp("ediPartyName",peek_head,strlen("ediPartyName")) == 0){ + (k->choiceId) = GENERALNAME_EDIPARTYNAME; + rc = GDecComponentEDIPartyName (mem_op, b, (&k->a.ediPartyName), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.ediPartyName)->identifier.bv_val = peek_head; + (k->a.ediPartyName)->identifier.bv_len = strLen; + } + else if( strncmp("uniformResourceIdentifier",peek_head,strlen("uniformResourceIdentifier")) == 0){ + (k->choiceId) = GENERALNAME_UNIFORMRESOURCEIDENTIFIER; + rc = GDecComponentIA5String (mem_op, b, (&k->a.uniformResourceIdentifier), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.uniformResourceIdentifier)->identifier.bv_val = peek_head; + (k->a.uniformResourceIdentifier)->identifier.bv_len = strLen; + } + else if( strncmp("iPAddress",peek_head,strlen("iPAddress")) == 0){ + (k->choiceId) = GENERALNAME_IPADDRESS; + rc = GDecComponentOcts (mem_op, b, (&k->a.iPAddress), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.iPAddress)->identifier.bv_val = peek_head; + (k->a.iPAddress)->identifier.bv_len = strLen; + } + else if( strncmp("registeredID",peek_head,strlen("registeredID")) == 0){ + (k->choiceId) = GENERALNAME_REGISTEREDID; + rc = GDecComponentOid (mem_op, b, (&k->a.registeredID), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.registeredID)->identifier.bv_val = peek_head; + (k->a.registeredID)->identifier.bv_len = strLen; + } + else { + Asn1Error("Undefined Identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentGeneralName*) CompAlloc( mem_op, sizeof(ComponentGeneralName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentGeneralName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentGeneralName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentGeneralName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentGeneralName; + return LDAP_SUCCESS; +} /* GDecGeneralNameContent */ + + +int +MatchingComponentGeneralNames ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + void* component1, *component2; + AsnList *v1, *v2, t_list; + + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + v1 = &((ComponentGeneralNames*)csi_attr)->comp_list; + v2 = &((ComponentGeneralNames*)csi_assert)->comp_list; + FOR_EACH_LIST_PAIR_ELMT(component1, component2, v1, v2) + { + if( MatchingComponentGeneralName(oid, (ComponentSyntaxInfo*)component1, (ComponentSyntaxInfo*)component2) == LDAP_COMPARE_FALSE) { + return LDAP_COMPARE_FALSE; + } + } /* end of for */ + + AsnListFirst( v1 ); + AsnListFirst( v2 ); + if( (!component1 && component2) || (component1 && !component2)) + return LDAP_COMPARE_FALSE; + else + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentGeneralNamesContent */ + +void* +ExtractingComponentGeneralNames ( void* mem_op, ComponentReference* cr, ComponentGeneralNames *comp ) +{ + int count = 0; + int total; + AsnList *v = &comp->comp_list; + ComponentInt *k; + ComponentGeneralName *component; + + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_FROM_BEGINNING : + count = cr->cr_curr->ci_val.ci_from_beginning; + FOR_EACH_LIST_ELMT( component , v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentGeneralName ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_FROM_END : + total = AsnListCount ( v ); + count = cr->cr_curr->ci_val.ci_from_end; + count = total + count +1; + FOR_EACH_LIST_ELMT ( component, v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentGeneralName ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_ALL : + return comp; + case LDAP_COMPREF_COUNT : + k = (ComponentInt*)CompAlloc( mem_op, sizeof(ComponentInt)); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + k->comp_desc->cd_tag = (-1); + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentInt; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentInt; + k->comp_desc->cd_extract_i = (extract_component_from_id_func*)NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_INTEGER; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentInt; + k->value = AsnListCount(v); + return k; + default : + return NULL; + } +} /* ExtractingComponentGeneralNames */ + +int +BDecComponentGeneralNames PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentGeneralNames **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentGeneralNames *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit(&k->comp_list,sizeof(ComponentGeneralName)); + for (totalElmtsLen1 = 0; (totalElmtsLen1 < elmtLen0) || (elmtLen0 == INDEFINITE_LEN);) + { + ComponentGeneralName **tmpVar; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((tagId1 == EOC_TAG_ID) && (elmtLen0 == INDEFINITE_LEN)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + break; /* got EOC so can exit this SET OF/SEQ OF's for loop*/ + } + elmtLen1 = BDecLen (b, &totalElmtsLen1); + tmpVar = (ComponentGeneralName**) CompAsnListAppend (mem_op,&k->comp_list); + rc = BDecComponentGeneralName (mem_op, b, tagId1, elmtLen1, tmpVar, &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentGeneralNames*) CompAlloc( mem_op, sizeof(ComponentGeneralNames) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentGeneralNames ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentGeneralNames ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentGeneralNames; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentGeneralNames; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecGeneralNamesContent */ + +int +GDecComponentGeneralNames PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentGeneralNames **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentGeneralNames *k,*t, c_temp; + + + int ElmtsLen1; + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit( &k->comp_list, sizeof( ComponentGeneralName ) ); + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_PEEK)) ){ + Asn1Error("Error during Reading { in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + for (ElmtsLen1 = 0; ElmtsLen1 >= INDEFINITE_LEN; ElmtsLen1++) + { + ComponentGeneralName **tmpVar; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_NO_COPY)) ){ + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head == '}') break; + if( !(*peek_head == '{' || *peek_head ==',') ) { + return LDAP_PROTOCOL_ERROR; + } + tmpVar = (ComponentGeneralName**) CompAsnListAppend (mem_op, &k->comp_list); + if ( tmpVar == NULL ) { + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + rc = GDecComponentGeneralName (mem_op, b, tmpVar, bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentGeneralNames*) CompAlloc( mem_op, sizeof(ComponentGeneralNames) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentGeneralNames ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentGeneralNames ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentGeneralNames; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentGeneralNames; + return LDAP_SUCCESS; +} /* GDecGeneralNamesContent */ + + +int +MatchingComponentAuthorityKeyIdentifier ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentKeyIdentifier ( oid, (ComponentSyntaxInfo*)&((ComponentAuthorityKeyIdentifier*)csi_attr)->keyIdentifier, (ComponentSyntaxInfo*)&((ComponentAuthorityKeyIdentifier*)csi_assert)->keyIdentifier ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + if(COMPONENTNOT_NULL( ((ComponentAuthorityKeyIdentifier*)csi_attr)->authorityCertIssuer ) ) { + rc = MatchingComponentGeneralNames ( oid, (ComponentSyntaxInfo*)((ComponentAuthorityKeyIdentifier*)csi_attr)->authorityCertIssuer, (ComponentSyntaxInfo*)((ComponentAuthorityKeyIdentifier*)csi_assert)->authorityCertIssuer ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + if(COMPONENTNOT_NULL( ((ComponentAuthorityKeyIdentifier*)csi_attr)->authorityCertSerialNumber ) ) { + rc = MatchingComponentCertificateSerialNumber ( oid, (ComponentSyntaxInfo*)((ComponentAuthorityKeyIdentifier*)csi_attr)->authorityCertSerialNumber, (ComponentSyntaxInfo*)((ComponentAuthorityKeyIdentifier*)csi_assert)->authorityCertSerialNumber ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentAuthorityKeyIdentifier */ + +void* +ExtractingComponentAuthorityKeyIdentifier ( void* mem_op, ComponentReference* cr, ComponentAuthorityKeyIdentifier *comp ) +{ + + if ( ( comp->keyIdentifier.identifier.bv_val && strncmp(comp->keyIdentifier.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->keyIdentifier.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->keyIdentifier; + else + return NULL; + } + if ( ( comp->authorityCertIssuer->identifier.bv_val && strncmp(comp->authorityCertIssuer->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->authorityCertIssuer->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->authorityCertIssuer; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentGeneralNames ( mem_op, cr, comp->authorityCertIssuer ); + } + } + if ( ( comp->authorityCertSerialNumber->identifier.bv_val && strncmp(comp->authorityCertSerialNumber->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->authorityCertSerialNumber->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->authorityCertSerialNumber; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentCertificateSerialNumber ( mem_op, cr, comp->authorityCertSerialNumber ); + } + } + return NULL; +} /* ExtractingComponentAuthorityKeyIdentifier */ + +int +BDecComponentAuthorityKeyIdentifier PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentAuthorityKeyIdentifier **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentAuthorityKeyIdentifier *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, PRIM, 0)) || +(tagId1 == MAKE_TAG_ID (CNTX, CONS, 0)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentKeyIdentifier (mem_op, b, tagId1, elmtLen1, (&k->keyIdentifier), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->keyIdentifier)->identifier.bv_val = (&k->keyIdentifier)->id_buf; + (&k->keyIdentifier)->identifier.bv_len = strlen("keyIdentifier"); + strcpy( (&k->keyIdentifier)->identifier.bv_val, "keyIdentifier"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, CONS, 1)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentGeneralNames (mem_op, b, tagId1, elmtLen1, +(&k->authorityCertIssuer), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->authorityCertIssuer)->identifier.bv_val = (k->authorityCertIssuer)->id_buf; + (k->authorityCertIssuer)->identifier.bv_len = strlen("authorityCertIssuer"); + strcpy( (k->authorityCertIssuer)->identifier.bv_val, "authorityCertIssuer"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, PRIM, 2)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentCertificateSerialNumber (mem_op, b, tagId1, elmtLen1, (&k->authorityCertSerialNumber), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); if ( rc != LDAP_SUCCESS ) return rc; + (k->authorityCertSerialNumber)->identifier.bv_val = (k->authorityCertSerialNumber)->id_buf; + (k->authorityCertSerialNumber)->identifier.bv_len = strlen("authorityCertSerialNumber"); + strcpy( (k->authorityCertSerialNumber)->identifier.bv_val, "authorityCertSerialNumber"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAuthorityKeyIdentifier*) CompAlloc( mem_op, sizeof(ComponentAuthorityKeyIdentifier) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAuthorityKeyIdentifier ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAuthorityKeyIdentifier ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAuthorityKeyIdentifier; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAuthorityKeyIdentifier; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecAuthorityKeyIdentifier*/ + +int +GDecComponentAuthorityKeyIdentifier PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentAuthorityKeyIdentifier **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentAuthorityKeyIdentifier *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "keyIdentifier", strlen("keyIdentifier") ) == 0 ) { + rc = GDecComponentKeyIdentifier (mem_op, b, (&k->keyIdentifier), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->keyIdentifier)->identifier.bv_val = peek_head; + (&k->keyIdentifier)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "authorityCertIssuer", strlen("authorityCertIssuer") ) == 0 ) { + rc = GDecComponentGeneralNames (mem_op, b, (&k->authorityCertIssuer), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->authorityCertIssuer)->identifier.bv_val = peek_head; + ( k->authorityCertIssuer)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "authorityCertSerialNumber", strlen("authorityCertSerialNumber") ) == 0 ) { + rc = GDecComponentCertificateSerialNumber (mem_op, b, (&k->authorityCertSerialNumber), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->authorityCertSerialNumber)->identifier.bv_val = peek_head; + ( k->authorityCertSerialNumber)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAuthorityKeyIdentifier*) CompAlloc( mem_op, sizeof(ComponentAuthorityKeyIdentifier) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAuthorityKeyIdentifier ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAuthorityKeyIdentifier ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAuthorityKeyIdentifier; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAuthorityKeyIdentifier; + return LDAP_SUCCESS; +} /* GDecAuthorityKeyIdentifier*/ + + diff --git a/contrib/slapd-modules/comp_match/authorityKeyIdentifier.h b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.h new file mode 100644 index 0000000..5fa4ab5 --- /dev/null +++ b/contrib/slapd-modules/comp_match/authorityKeyIdentifier.h @@ -0,0 +1,327 @@ + +#include "asn-incl.h" +/* + * authorityKeyIdentifier.h + * "AuthorityKeyIdentifierDefinition" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Sat Dec 11 10:15:39 2004 + * The generated files are strongly encouraged to be + * compiled as a module for OpenLDAP Software + */ + +#ifndef _authorityKeyIdentifier_h_ +#define _authorityKeyIdentifier_h_ + + + + +#ifdef __cplusplus +extern "C" { +#endif +#ifdef _WIN32 +#pragma warning( disable : 4101 ) +#endif +#include "componentlib.h" +typedef ComponentOcts ComponentKeyIdentifier; /* OCTET STRING */ + +#define MatchingComponentKeyIdentifier MatchingComponentOcts + +#define ExtractingComponentKeyIdentifier ExtractingComponentOcts + +#define BDecComponentKeyIdentifier BDecComponentOcts + +#define GDecComponentKeyIdentifier GDecComponentOcts + + +typedef ComponentInt ComponentCertificateSerialNumber; /* INTEGER */ + +#define MatchingComponentCertificateSerialNumber MatchingComponentInt + +#define ExtractingComponentCertificateSerialNumber ExtractingComponentInt + +#define BDecComponentCertificateSerialNumber BDecComponentInt + +#define GDecComponentCertificateSerialNumber GDecComponentInt + + +typedef struct OtherName /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid type_id; /* OBJECT IDENTIFIER */ + ComponentAnyDefinedBy value; /* [0] EXPLICIT ANY DEFINED BY type-id */ +} ComponentOtherName; + +int MatchingComponentOtherName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentOtherName PROTO (( void* mem_op, ComponentReference *cr, ComponentOtherName *comp )); + + +int BDecComponentOtherName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentOtherName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentOtherName PROTO (( void* mem_op, GenBuf * b, ComponentOtherName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct ORAddress /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid type_id; /* OBJECT IDENTIFIER */ + ComponentAnyDefinedBy value; /* ANY DEFINED BY type-id */ + ComponentOcts extension; /* OCTET STRING OPTIONAL */ +} ComponentORAddress; + +int MatchingComponentORAddress PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentORAddress PROTO (( void* mem_op, ComponentReference *cr, ComponentORAddress *comp )); + + +int BDecComponentORAddress PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentORAddress **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentORAddress PROTO (( void* mem_op, GenBuf * b, ComponentORAddress **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct AttributeTypeAndValue /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid type; /* OBJECT IDENTIFIER */ + ComponentAnyDefinedBy value; /* ANY DEFINED BY type */ +} ComponentAttributeTypeAndValue; + +int MatchingComponentAttributeTypeAndValue PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAttributeTypeAndValue PROTO (( void* mem_op, ComponentReference *cr, ComponentAttributeTypeAndValue *comp )); + + +int BDecComponentAttributeTypeAndValue PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAttributeTypeAndValue PROTO (( void* mem_op, GenBuf * b, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct DirectoryString /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum DirectoryStringChoiceId + { + DIRECTORYSTRING_TELETEXSTRING, + DIRECTORYSTRING_PRINTABLESTRING, + DIRECTORYSTRING_UNIVERSALSTRING, + DIRECTORYSTRING_UTF8STRING, + DIRECTORYSTRING_BMPSTRING + } choiceId; + union DirectoryStringChoiceUnion + { + ComponentTeletexString* teletexString; /* TeletexString SIZE 1..MAX */ + ComponentPrintableString* printableString; /* PrintableString SIZE 1..MAX */ + ComponentUniversalString* universalString; /* UniversalString SIZE 1..MAX */ + ComponentUTF8String* utf8String; /* UTF8String SIZE 1..MAX */ + ComponentBMPString* bmpString; /* BMPString SIZE 1..MAX */ + } a; +} ComponentDirectoryString; + +int MatchingComponentDirectoryString PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentDirectoryString PROTO (( void* mem_op, ComponentReference *cr, ComponentDirectoryString *comp )); + + +int BDecComponentDirectoryString PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentDirectoryString **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentDirectoryString PROTO (( void* mem_op, GenBuf * b, ComponentDirectoryString **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct EDIPartyName /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentDirectoryString* nameAssigner; /* [0] DirectoryString OPTIONAL */ + ComponentDirectoryString* partyName; /* [1] DirectoryString */ +} ComponentEDIPartyName; + +int MatchingComponentEDIPartyName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentEDIPartyName PROTO (( void* mem_op, ComponentReference *cr, ComponentEDIPartyName *comp )); + + +int BDecComponentEDIPartyName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentEDIPartyName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentEDIPartyName PROTO (( void* mem_op, GenBuf * b, ComponentEDIPartyName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRelativeDistinguishedName; /* SET OF AttributeTypeAndValue */ + +int MatchingComponentRelativeDistinguishedName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRelativeDistinguishedName PROTO (( void* mem_op, ComponentReference *cr, ComponentRelativeDistinguishedName *comp )); + + +int BDecComponentRelativeDistinguishedName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRelativeDistinguishedName PROTO (( void* mem_op, GenBuf * b, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRDNSequence; /* SEQUENCE OF RelativeDistinguishedName */ + +int MatchingComponentRDNSequence PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRDNSequence PROTO (( void* mem_op, ComponentReference *cr, ComponentRDNSequence *comp )); + + +int BDecComponentRDNSequence PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRDNSequence PROTO (( void* mem_op, GenBuf * b, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Name /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum NameChoiceId + { + NAME_RDNSEQUENCE + } choiceId; + union NameChoiceUnion + { + ComponentRDNSequence* rdnSequence; /* RDNSequence */ + } a; +} ComponentName; + +int MatchingComponentName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentName PROTO (( void* mem_op, ComponentReference *cr, ComponentName *comp )); + + +int BDecComponentName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentName PROTO (( void* mem_op, GenBuf * b, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct GeneralName /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum GeneralNameChoiceId + { + GENERALNAME_OTHERNAME, + GENERALNAME_RFC822NAME, + GENERALNAME_DNSNAME, + GENERALNAME_X400ADDRESS, + GENERALNAME_DIRECTORYNAME, + GENERALNAME_EDIPARTYNAME, + GENERALNAME_UNIFORMRESOURCEIDENTIFIER, + GENERALNAME_IPADDRESS, + GENERALNAME_REGISTEREDID + } choiceId; + union GeneralNameChoiceUnion + { + ComponentOtherName* otherName; /* [0] OtherName */ + ComponentIA5String* rfc822Name; /* [1] IA5String */ + ComponentIA5String* dNSName; /* [2] IA5String */ + ComponentORAddress* x400Address; /* [3] ORAddress */ + ComponentName* directoryName; /* [4] Name */ + ComponentEDIPartyName* ediPartyName; /* [5] EDIPartyName */ + ComponentIA5String* uniformResourceIdentifier; /* [6] IA5String */ + ComponentOcts* iPAddress; /* [7] OCTET STRING */ + ComponentOid* registeredID; /* [8] OBJECT IDENTIFIER */ + } a; +} ComponentGeneralName; + +int MatchingComponentGeneralName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentGeneralName PROTO (( void* mem_op, ComponentReference *cr, ComponentGeneralName *comp )); + + +int BDecComponentGeneralName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentGeneralName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentGeneralName PROTO (( void* mem_op, GenBuf * b, ComponentGeneralName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentGeneralNames; /* SEQUENCE SIZE 1..MAX OF GeneralName */ + +int MatchingComponentGeneralNames PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentGeneralNames PROTO (( void* mem_op, ComponentReference *cr, ComponentGeneralNames *comp )); + + +int BDecComponentGeneralNames PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentGeneralNames **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentGeneralNames PROTO (( void* mem_op, GenBuf * b, ComponentGeneralNames **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct AuthorityKeyIdentifier /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentKeyIdentifier keyIdentifier; /* [0] KeyIdentifier OPTIONAL */ + ComponentGeneralNames* authorityCertIssuer; /* [1] GeneralNames OPTIONAL */ + ComponentCertificateSerialNumber* authorityCertSerialNumber; /* [2] CertificateSerialNumber OPTIONAL */ +} ComponentAuthorityKeyIdentifier; + +int MatchingComponentAuthorityKeyIdentifier PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAuthorityKeyIdentifier PROTO (( void* mem_op, ComponentReference *cr, ComponentAuthorityKeyIdentifier *comp )); + + +int BDecComponentAuthorityKeyIdentifier PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAuthorityKeyIdentifier **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAuthorityKeyIdentifier PROTO (( void* mem_op, GenBuf * b, ComponentAuthorityKeyIdentifier **v, AsnLen *bytesDecoded, int mode)); + + + +/* ========== Object Declarations ========== */ + + +/* ========== Object Set Declarations ========== */ +#ifdef __cplusplus +extern "C" { +#endif + +#endif /* conditional include of authorityKeyIdentifier.h */ diff --git a/contrib/slapd-modules/comp_match/certificate.asn1 b/contrib/slapd-modules/comp_match/certificate.asn1 new file mode 100644 index 0000000..db81897 --- /dev/null +++ b/contrib/slapd-modules/comp_match/certificate.asn1 @@ -0,0 +1,175 @@ +AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 4} DEFINITIONS ::= +BEGIN +-- based on RFC 3280 and X.509 + +Certificate ::= SEQUENCE { + toBeSigned TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING +} + +TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- if present, version shall be v2 or v3 + subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- if present, version shall be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version shall be v3 -- } + +Version ::= INTEGER { v1(0), v2(1), v3(2) } + +CertificateSerialNumber ::= INTEGER + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL -- DSA, SHA-1-- +} + +Name ::= CHOICE { + rdnSequence RDNSequence } + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +RelativeDistinguishedName ::= SET OF AttributeTypeAndValue + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value ANY DEFINED BY type} + +AttributeType ::= OBJECT IDENTIFIER + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + +UniqueIdentifier ::= BIT STRING + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + +Time ::= CHOICE { + utcTime UTCTime, + generalizedTime GeneralizedTime } + +Extensions ::= SEQUENCE SIZE(1..MAX) OF Extension + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING +-- contains a DER encoding of a value of type &ExtnType +-- for the extension object identified by extnId -- +} + +nullOid OBJECT-TYPE + SYNTAX NULL + ACCESS read-write + STATUS mandatory + ::= { 1 2 840 113549 1 1 4 } + +nullOid2 OBJECT-TYPE + SYNTAX NULL + ACCESS read-write + STATUS mandatory + ::= { 1 2 840 113549 1 1 1 } + +nullOid3 OBJECT-TYPE + SYNTAX NULL + ACCESS read-write + STATUS mandatory + ::= { 1 2 840 113549 1 1 5 } + +printableStringOid OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 3 } + +printableStringOid2 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 6 } + +printableStringOid3 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 7 } + +printableStringOid4 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 8 } + +printableStringOid5 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 10 } + +printableStringOid6 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 2 5 4 11 } + +printableStringOid7 OBJECT-TYPE + SYNTAX PrintableString + ACCESS read-write + STATUS mandatory + ::= { 0 9 2342 19200300 100 1 3 } + + +iA5StringOid OBJECT-TYPE + SYNTAX IA5String + ACCESS read-write + STATUS mandatory + ::= { 1 2 840 113549 1 9 1 } + +octetStringOid OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 5 29 19 } + +octetStringOid2 OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 16 840 1 113730 1 13 } + +octetStringOid3 OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 5 29 14 } + +octetStringOid4 OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 5 29 21 } + +octetStringOid5 OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 5 29 20 } + +octetStringOid7 OBJECT-TYPE + SYNTAX OCTET STRING + ACCESS read-write + STATUS mandatory + ::= { 2 5 29 28 } + +END diff --git a/contrib/slapd-modules/comp_match/certificate.c b/contrib/slapd-modules/comp_match/certificate.c new file mode 100644 index 0000000..8b58bdb --- /dev/null +++ b/contrib/slapd-modules/comp_match/certificate.c @@ -0,0 +1,3249 @@ +/* + * certificate.c + * "AuthenticationFramework" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Sat Dec 11 11:22:49 2004 + * The generated files are supposed to be compiled as a module for OpenLDAP Software + */ + +#include "certificate.h" + +BDecComponentCertificateTop( void* mem_op, GenBuf* b, void **v, AsnLen* bytesDecoded,int mode) { + AsnTag tag; + AsnLen elmtLen; + + tag = BDecTag ( b, bytesDecoded ); + elmtLen = BDecLen ( b, bytesDecoded ); + if ( elmtLen <= 0 ) return (-1); + if ( tag != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE) ) { + return (-1); + } + + return BDecComponentCertificate( mem_op, b, tag, elmtLen, (ComponentCertificate**)v,(AsnLen*)bytesDecoded, mode ); +} + +void init_module_AuthenticationFramework() { + /* Register Certificate OID and its decoder */ + InstallOidDecoderMapping( "2.5.4.36", NULL, + GDecComponentCertificate, + BDecComponentCertificateTop, + ExtractingComponentCertificate, + MatchingComponentCertificate ); + InitAnyAuthenticationFramework(); +} + +void InitAnyAuthenticationFramework() +{ + AsnOid oid0 ={ 9, "\52\206\110\206\367\15\1\1\4" }; + AsnOid oid1 ={ 9, "\52\206\110\206\367\15\1\1\1" }; + AsnOid oid2 ={ 9, "\52\206\110\206\367\15\1\1\5" }; + AsnOid oid3 ={ 3, "\125\4\3" }; + AsnOid oid4 ={ 3, "\125\4\6" }; + AsnOid oid5 ={ 3, "\125\4\7" }; + AsnOid oid6 ={ 3, "\125\4\10" }; + AsnOid oid7 ={ 3, "\125\4\12" }; + AsnOid oid8 ={ 3, "\125\4\13" }; + AsnOid oid9 ={ 10, "\11\222\46\211\223\362\54\144\1\3" }; + AsnOid oid10 ={ 9, "\52\206\110\206\367\15\1\11\1" }; + AsnOid oid11 ={ 3, "\125\35\23" }; + AsnOid oid12 ={ 9, "\140\206\110\1\206\370\102\1\15" }; + AsnOid oid13 ={ 3, "\125\35\16" }; + AsnOid oid14 ={ 3, "\125\35\25" }; + AsnOid oid15 ={ 3, "\125\35\24" }; + AsnOid oid17 ={ 3, "\125\35\34" }; + + + InstallAnyByComponentOid (nullOid_ANY_ID, &oid0, sizeof (ComponentNull), (EncodeFcn)BEncAsnNull, (gser_decoder_func*)GDecComponentNull, (ber_tag_decoder_func*)BDecComponentNullTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentNull,(FreeFcn)FreeComponentNull, (PrintFcn)NULL); + + InstallAnyByComponentOid (nullOid2_ANY_ID, &oid1, sizeof (ComponentNull), (EncodeFcn)BEncAsnNull, (gser_decoder_func*)GDecComponentNull, (ber_tag_decoder_func*)BDecComponentNullTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentNull,(FreeFcn)FreeComponentNull, (PrintFcn)NULL); + + InstallAnyByComponentOid (nullOid3_ANY_ID, &oid2, sizeof (ComponentNull), (EncodeFcn)BEncAsnNull, (gser_decoder_func*)GDecComponentNull, (ber_tag_decoder_func*)BDecComponentNullTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentNull,(FreeFcn)FreeComponentNull, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid_ANY_ID, &oid3, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid2_ANY_ID, &oid4, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid3_ANY_ID, &oid5, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid4_ANY_ID, &oid6, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid5_ANY_ID, &oid7, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid6_ANY_ID, &oid8, sizeof (ComponentPrintableString), (EncodeFcn)BEncPrintableString, (gser_decoder_func*)GDecComponentPrintableString, (ber_tag_decoder_func*)BDecComponentPrintableStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentPrintableString,(FreeFcn)FreeComponentPrintableString, (PrintFcn)NULL); + + InstallAnyByComponentOid (printableStringOid7_ANY_ID, &oid9, sizeof (ComponentTeletexString), (EncodeFcn)BEncTeletexString, (gser_decoder_func*)GDecComponentTeletexString, (ber_tag_decoder_func*)BDecComponentTeletexStringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentTeletexString,(FreeFcn)FreeComponentTeletexString, (PrintFcn)NULL); + + InstallAnyByComponentOid (iA5StringOid_ANY_ID, &oid10, sizeof (ComponentIA5String), (EncodeFcn)BEncIA5String, (gser_decoder_func*)GDecComponentIA5String, (ber_tag_decoder_func*)BDecComponentIA5StringTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentIA5String,(FreeFcn)FreeComponentIA5String, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid_ANY_ID, &oid11, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid2_ANY_ID, &oid12, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid3_ANY_ID, &oid13, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid4_ANY_ID, &oid14, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid5_ANY_ID, &oid15, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + + InstallAnyByComponentOid (octetStringOid7_ANY_ID, &oid17, sizeof (ComponentOcts), (EncodeFcn)BEncAsnOcts, (gser_decoder_func*)GDecComponentOcts, (ber_tag_decoder_func*)BDecComponentOctsTag, (ExtractFcn)NULL,(MatchFcn)MatchingComponentOcts,(FreeFcn)FreeComponentOcts, (PrintFcn)NULL); + +} /* InitAnyAuthenticationFramework */ + +int +MatchingComponentAlgorithmIdentifier ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentOid ( oid, (ComponentSyntaxInfo*)&((ComponentAlgorithmIdentifier*)csi_attr)->algorithm, (ComponentSyntaxInfo*)&((ComponentAlgorithmIdentifier*)csi_assert)->algorithm ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = SetAnyTypeByComponentOid ((ComponentSyntaxInfo*)&((ComponentAlgorithmIdentifier*)csi_attr)->parameters, (&((ComponentAlgorithmIdentifier*)csi_attr)->algorithm)); + rc = MatchingComponentAnyDefinedBy ( oid, (ComponentAny*)&((ComponentAlgorithmIdentifier*)csi_attr)->parameters, (ComponentAny*)&((ComponentAlgorithmIdentifier*)csi_assert)->parameters); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentAlgorithmIdentifier */ + +void* +ExtractingComponentAlgorithmIdentifier ( void* mem_op, ComponentReference* cr, ComponentAlgorithmIdentifier *comp ) +{ + + if ( ( comp->algorithm.identifier.bv_val && strncmp(comp->algorithm.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->algorithm.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->algorithm; + else + return NULL; + } + if ( ( comp->parameters.identifier.bv_val && strncmp(comp->parameters.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->parameters.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->parameters; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->parameters; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentAlgorithmIdentifier */ + +int +BDecComponentAlgorithmIdentifier PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentAlgorithmIdentifier **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentAlgorithmIdentifier *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOid (mem_op, b, tagId1, elmtLen1, (&k->algorithm), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->algorithm)->identifier.bv_val = (&k->algorithm)->id_buf; + (&k->algorithm)->identifier.bv_len = strlen("algorithm"); + strcpy( (&k->algorithm)->identifier.bv_val, "algorithm"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BufPeekByte (b); + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDecEoc (b, &totalElmtsLen1 ); + seqDone = TRUE; + } + } + } + else + return -1; + + + + if (!seqDone) { + rc = SetAnyTypeByComponentOid ((&k->parameters), (&k->algorithm)); + rc = BDecComponentAnyDefinedBy (mem_op,b, (&k->parameters), &totalElmtsLen1, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->parameters)->identifier.bv_val = (&k->parameters)->id_buf; + (&k->parameters)->identifier.bv_len = strlen("parameters"); + strcpy( (&k->parameters)->identifier.bv_val, "parameters"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAlgorithmIdentifier*) CompAlloc( mem_op, sizeof(ComponentAlgorithmIdentifier) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAlgorithmIdentifier ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAlgorithmIdentifier ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAlgorithmIdentifier; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAlgorithmIdentifier; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecAlgorithmIdentifier*/ + +int +GDecComponentAlgorithmIdentifier PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentAlgorithmIdentifier **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentAlgorithmIdentifier *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "algorithm", strlen("algorithm") ) == 0 ) { + rc = GDecComponentOid (mem_op, b, (&k->algorithm), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->algorithm)->identifier.bv_val = peek_head; + (&k->algorithm)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "parameters", strlen("parameters") ) == 0 ) { + rc = rc = SetAnyTypeByComponentOid ((&k->parameters), (&k->algorithm)); + rc = GDecComponentAnyDefinedBy (mem_op, b, (&k->parameters), bytesDecoded, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->parameters)->identifier.bv_val = peek_head; + (&k->parameters)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAlgorithmIdentifier*) CompAlloc( mem_op, sizeof(ComponentAlgorithmIdentifier) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAlgorithmIdentifier ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAlgorithmIdentifier ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAlgorithmIdentifier; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAlgorithmIdentifier; + return LDAP_SUCCESS; +} /* GDecAlgorithmIdentifier*/ + + +int +MatchingComponentTime ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + ComponentTime *v1, *v2; + + + v1 = (ComponentTime*)csi_attr; + v2 = (ComponentTime*)csi_assert; + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + if( (v1->choiceId != v2->choiceId ) ) + return LDAP_COMPARE_FALSE; + switch( v1->choiceId ) + { + case TIME_UTCTIME : + rc = MatchingComponentUTCTime ( oid, (ComponentSyntaxInfo*)(v1->a.utcTime), (ComponentSyntaxInfo*)(v2->a.utcTime) ); + break; + case TIME_GENERALIZEDTIME : + rc = MatchingComponentGeneralizedTime ( oid, (ComponentSyntaxInfo*)(v1->a.generalizedTime), (ComponentSyntaxInfo*)(v2->a.generalizedTime) ); + break; + default : + return LDAP_PROTOCOL_ERROR; + } + return rc; +} /* BMatchingComponentTimeContent */ + +void* +ExtractingComponentTime ( void* mem_op, ComponentReference* cr, ComponentTime *comp ) +{ + + + if( (comp->choiceId) == TIME_UTCTIME && + (( comp->a.utcTime->identifier.bv_val && strncmp(comp->a.utcTime->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.utcTime->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.utcTime); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentUTCTime ( mem_op, cr, (comp->a.utcTime) ); + }; + } + if( (comp->choiceId) == TIME_GENERALIZEDTIME && + (( comp->a.generalizedTime->identifier.bv_val && strncmp(comp->a.generalizedTime->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.generalizedTime->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.generalizedTime); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentGeneralizedTime ( mem_op, cr, (comp->a.generalizedTime) ); + }; + } + return NULL; +} /* ExtractingComponentTime */ + +int +BDecComponentTime PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentTime **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentTime *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + switch (tagId0) + { + case MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE): + (k->choiceId) = TIME_UTCTIME; + rc = BDecComponentUTCTime (mem_op, b, tagId0, elmtLen0, (&k->a.utcTime), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.utcTime)->identifier.bv_val = (k->a.utcTime)->id_buf; + (k->a.utcTime)->identifier.bv_len = strlen("utcTime"); + strcpy( (k->a.utcTime)->identifier.bv_val, "utcTime"); + break; + + case MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE): + case MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE): + (k->choiceId) = TIME_GENERALIZEDTIME; + rc = BDecComponentGeneralizedTime (mem_op, b, tagId0, elmtLen0, (&k->a.generalizedTime), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.generalizedTime)->identifier.bv_val = (k->a.generalizedTime)->id_buf; + (k->a.generalizedTime)->identifier.bv_len = strlen("generalizedTime"); + strcpy( (k->a.generalizedTime)->identifier.bv_val, "generalizedTime"); + break; + + default: + Asn1Error ("ERROR - unexpected tag in CHOICE\n"); + return -1; + break; + } /* end switch */ + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTime*) CompAlloc( mem_op, sizeof(ComponentTime) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTime ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTime ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTime; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTime; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecTimeContent */ + +int +GDecComponentTime PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentTime **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentTime *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen2 = LocateNextGSERToken(mem_op,b,&peek_head2,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head2 != ':'){ + Asn1Error("Missing : in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if( strncmp("utcTime",peek_head, strlen("utcTime")) == 0){ + (k->choiceId) = TIME_UTCTIME; + rc = GDecComponentUTCTime (mem_op, b, (&k->a.utcTime), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.utcTime)->identifier.bv_val = peek_head; + (k->a.utcTime)->identifier.bv_len = strLen; + } + else if( strncmp("generalizedTime",peek_head,strlen("generalizedTime")) == 0){ + (k->choiceId) = TIME_GENERALIZEDTIME; + rc = GDecComponentGeneralizedTime (mem_op, b, (&k->a.generalizedTime), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.generalizedTime)->identifier.bv_val = peek_head; + (k->a.generalizedTime)->identifier.bv_len = strLen; + } + else { + Asn1Error("Undefined Identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTime*) CompAlloc( mem_op, sizeof(ComponentTime) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTime ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTime ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTime; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTime; + return LDAP_SUCCESS; +} /* GDecTimeContent */ + + +int +MatchingComponentExtension ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentOid ( oid, (ComponentSyntaxInfo*)&((ComponentExtension*)csi_attr)->extnID, (ComponentSyntaxInfo*)&((ComponentExtension*)csi_assert)->extnID ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentBool ( oid, (ComponentSyntaxInfo*)((ComponentExtension*)csi_attr)->critical, (ComponentSyntaxInfo*)((ComponentExtension*)csi_assert)->critical ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentOcts ( oid, (ComponentSyntaxInfo*)&((ComponentExtension*)csi_attr)->extnValue, (ComponentSyntaxInfo*)&((ComponentExtension*)csi_assert)->extnValue ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentExtension */ + +void* +ExtractingComponentExtension ( void* mem_op, ComponentReference* cr, ComponentExtension *comp ) +{ + + if ( ( comp->extnID.identifier.bv_val && strncmp(comp->extnID.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->extnID.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->extnID; + else + return NULL; + } + if ( ( comp->critical->identifier.bv_val && strncmp(comp->critical->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->critical->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->critical; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentBool ( mem_op, cr, comp->critical ); + } + } + if ( ( comp->extnValue.identifier.bv_val && strncmp(comp->extnValue.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->extnValue.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->extnValue; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->extnValue; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentExtension */ + +int +BDecComponentExtension PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentExtension **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentExtension *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOid (mem_op, b, tagId1, elmtLen1, (&k->extnID), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extnID)->identifier.bv_val = (&k->extnID)->id_buf; + (&k->extnID)->identifier.bv_len = strlen("extnID"); + strcpy( (&k->extnID)->identifier.bv_val, "extnID"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, BOOLEAN_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentBool (mem_op, b, tagId1, elmtLen1, (&k->critical), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->critical)->identifier.bv_val = (k->critical)->id_buf; + (k->critical)->identifier.bv_len = strlen("critical"); + strcpy( (k->critical)->identifier.bv_val, "critical"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OCTETSTRING_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, OCTETSTRING_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentOcts (mem_op, b, tagId1, elmtLen1, (&k->extnValue), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extnValue)->identifier.bv_val = (&k->extnValue)->id_buf; + (&k->extnValue)->identifier.bv_len = strlen("extnValue"); + strcpy( (&k->extnValue)->identifier.bv_val, "extnValue"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if(!COMPONENTNOT_NULL ((k->critical))) + { +(k->critical) = CompAlloc( mem_op, sizeof(ComponentBool)); + (k->critical)->identifier.bv_val = (k->critical)->id_buf; + (k->critical)->identifier.bv_len = strlen("critical"); + strcpy( (k->critical)->identifier.bv_val, "critical"); + (k->critical)->value = 0; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentExtension*) CompAlloc( mem_op, sizeof(ComponentExtension) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentExtension ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentExtension ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentExtension; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentExtension; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecExtension*/ + +int +GDecComponentExtension PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentExtension **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentExtension *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "extnID", strlen("extnID") ) == 0 ) { + rc = GDecComponentOid (mem_op, b, (&k->extnID), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extnID)->identifier.bv_val = peek_head; + (&k->extnID)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "critical", strlen("critical") ) == 0 ) { + rc = GDecComponentBool (mem_op, b, (&k->critical), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->critical)->identifier.bv_val = peek_head; + ( k->critical)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + else { +(k->critical) = CompAlloc( mem_op, sizeof(ComponentBool)); + (k->critical)->value = 0; + } + if ( strncmp( peek_head, "extnValue", strlen("extnValue") ) == 0 ) { + rc = GDecComponentOcts (mem_op, b, (&k->extnValue), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->extnValue)->identifier.bv_val = peek_head; + (&k->extnValue)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentExtension*) CompAlloc( mem_op, sizeof(ComponentExtension) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentExtension ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentExtension ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentExtension; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentExtension; + return LDAP_SUCCESS; +} /* GDecExtension*/ + + +int +MatchingComponentAttributeTypeAndValue ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentAttributeType ( oid, (ComponentSyntaxInfo*)&((ComponentAttributeTypeAndValue*)csi_attr)->type, (ComponentSyntaxInfo*)&((ComponentAttributeTypeAndValue*)csi_assert)->type ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = SetAnyTypeByComponentOid ((ComponentSyntaxInfo*)&((ComponentAttributeTypeAndValue*)csi_attr)->value, (&((ComponentAttributeTypeAndValue*)csi_attr)->type)); + rc = MatchingComponentAnyDefinedBy ( oid, (ComponentAny*)&((ComponentAttributeTypeAndValue*)csi_attr)->value, (ComponentAny*)&((ComponentAttributeTypeAndValue*)csi_assert)->value); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentAttributeTypeAndValue */ + +void* +ExtractingComponentAttributeTypeAndValue ( void* mem_op, ComponentReference* cr, ComponentAttributeTypeAndValue *comp ) +{ + + if ( ( comp->type.identifier.bv_val && strncmp(comp->type.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->type.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->type; + else + return NULL; + } + if ( ( comp->value.identifier.bv_val && strncmp(comp->value.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->value.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->value; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_SELECT ) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->value; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentAttributeTypeAndValue */ + +int +BDecComponentAttributeTypeAndValue PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentAttributeTypeAndValue **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentAttributeTypeAndValue *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, OID_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAttributeType (mem_op, b, tagId1, elmtLen1, (&k->type), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type)->identifier.bv_val = (&k->type)->id_buf; + (&k->type)->identifier.bv_len = strlen("type"); + strcpy( (&k->type)->identifier.bv_val, "type"); + } + else + return -1; + + + + { + rc = SetAnyTypeByComponentOid ((&k->value), (&k->type)); + rc = BDecComponentAnyDefinedBy (mem_op,b, (&k->value), &totalElmtsLen1, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = (&k->value)->id_buf; + (&k->value)->identifier.bv_len = strlen("value"); + strcpy( (&k->value)->identifier.bv_val, "value"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAttributeTypeAndValue*) CompAlloc( mem_op, sizeof(ComponentAttributeTypeAndValue) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAttributeTypeAndValue ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAttributeTypeAndValue ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAttributeTypeAndValue; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAttributeTypeAndValue; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecAttributeTypeAndValue*/ + +int +GDecComponentAttributeTypeAndValue PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentAttributeTypeAndValue **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentAttributeTypeAndValue *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "type", strlen("type") ) == 0 ) { + rc = GDecComponentAttributeType (mem_op, b, (&k->type), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->type)->identifier.bv_val = peek_head; + (&k->type)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "value", strlen("value") ) == 0 ) { + rc = rc = SetAnyTypeByComponentOid ((&k->value), (&k->type)); + rc = GDecComponentAnyDefinedBy (mem_op, b, (&k->value), bytesDecoded, mode ); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->value)->identifier.bv_val = peek_head; + (&k->value)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentAttributeTypeAndValue*) CompAlloc( mem_op, sizeof(ComponentAttributeTypeAndValue) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAttributeTypeAndValue ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAttributeTypeAndValue ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentAttributeTypeAndValue; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAttributeTypeAndValue; + return LDAP_SUCCESS; +} /* GDecAttributeTypeAndValue*/ + + +int +MatchingComponentValidity ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentTime ( oid, (ComponentSyntaxInfo*)((ComponentValidity*)csi_attr)->notBefore, (ComponentSyntaxInfo*)((ComponentValidity*)csi_assert)->notBefore ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentTime ( oid, (ComponentSyntaxInfo*)((ComponentValidity*)csi_attr)->notAfter, (ComponentSyntaxInfo*)((ComponentValidity*)csi_assert)->notAfter ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentValidity */ + +void* +ExtractingComponentValidity ( void* mem_op, ComponentReference* cr, ComponentValidity *comp ) +{ + + if ( ( comp->notBefore->identifier.bv_val && strncmp(comp->notBefore->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->notBefore->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->notBefore; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTime ( mem_op, cr, comp->notBefore ); + } + } + if ( ( comp->notAfter->identifier.bv_val && strncmp(comp->notAfter->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->notAfter->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->notAfter; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTime ( mem_op, cr, comp->notAfter ); + } + } + return NULL; +} /* ExtractingComponentValidity */ + +int +BDecComponentValidity PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentValidity **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentValidity *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE)) || + (tagId1 ==MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE))|| + (tagId1 == MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTime (mem_op, b, tagId1, elmtLen1, (&k->notBefore), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->notBefore)->identifier.bv_val = (k->notBefore)->id_buf; + (k->notBefore)->identifier.bv_len = strlen("notBefore"); + strcpy( (k->notBefore)->identifier.bv_val, "notBefore"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE)) || + (tagId1 ==MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE))|| + (tagId1 == MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTime (mem_op, b, tagId1, elmtLen1, (&k->notAfter), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->notAfter)->identifier.bv_val = (k->notAfter)->id_buf; + (k->notAfter)->identifier.bv_len = strlen("notAfter"); + strcpy( (k->notAfter)->identifier.bv_val, "notAfter"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentValidity*) CompAlloc( mem_op, sizeof(ComponentValidity) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentValidity ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentValidity ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentValidity; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentValidity; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecValidity*/ + +int +GDecComponentValidity PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentValidity **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentValidity *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "notBefore", strlen("notBefore") ) == 0 ) { + rc = GDecComponentTime (mem_op, b, (&k->notBefore), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->notBefore)->identifier.bv_val = peek_head; + ( k->notBefore)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "notAfter", strlen("notAfter") ) == 0 ) { + rc = GDecComponentTime (mem_op, b, (&k->notAfter), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->notAfter)->identifier.bv_val = peek_head; + ( k->notAfter)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentValidity*) CompAlloc( mem_op, sizeof(ComponentValidity) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentValidity ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentValidity ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentValidity; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentValidity; + return LDAP_SUCCESS; +} /* GDecValidity*/ + + +int +MatchingComponentSubjectPublicKeyInfo ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentAlgorithmIdentifier ( oid, (ComponentSyntaxInfo*)((ComponentSubjectPublicKeyInfo*)csi_attr)->algorithm, (ComponentSyntaxInfo*)((ComponentSubjectPublicKeyInfo*)csi_assert)->algorithm ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentBits ( oid, (ComponentSyntaxInfo*)&((ComponentSubjectPublicKeyInfo*)csi_attr)->subjectPublicKey, (ComponentSyntaxInfo*)&((ComponentSubjectPublicKeyInfo*)csi_assert)->subjectPublicKey ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentSubjectPublicKeyInfo */ + +void* +ExtractingComponentSubjectPublicKeyInfo ( void* mem_op, ComponentReference* cr, ComponentSubjectPublicKeyInfo *comp ) +{ + + if ( ( comp->algorithm->identifier.bv_val && strncmp(comp->algorithm->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->algorithm->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->algorithm; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAlgorithmIdentifier ( mem_op, cr, comp->algorithm ); + } + } + if ( ( comp->subjectPublicKey.identifier.bv_val && strncmp(comp->subjectPublicKey.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->subjectPublicKey.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->subjectPublicKey; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->subjectPublicKey; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentSubjectPublicKeyInfo */ + +int +BDecComponentSubjectPublicKeyInfo PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentSubjectPublicKeyInfo **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentSubjectPublicKeyInfo *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAlgorithmIdentifier (mem_op, b, tagId1, elmtLen1, (&k->algorithm), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->algorithm)->identifier.bv_val = (k->algorithm)->id_buf; + (k->algorithm)->identifier.bv_len = strlen("algorithm"); + strcpy( (k->algorithm)->identifier.bv_val, "algorithm"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, BITSTRING_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, BITSTRING_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentBits (mem_op, b, tagId1, elmtLen1, (&k->subjectPublicKey), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->subjectPublicKey)->identifier.bv_val = (&k->subjectPublicKey)->id_buf; + (&k->subjectPublicKey)->identifier.bv_len = strlen("subjectPublicKey"); + strcpy( (&k->subjectPublicKey)->identifier.bv_val, "subjectPublicKey"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentSubjectPublicKeyInfo*) CompAlloc( mem_op, sizeof(ComponentSubjectPublicKeyInfo) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentSubjectPublicKeyInfo ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentSubjectPublicKeyInfo ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentSubjectPublicKeyInfo; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentSubjectPublicKeyInfo; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecSubjectPublicKeyInfo*/ + +int +GDecComponentSubjectPublicKeyInfo PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentSubjectPublicKeyInfo **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentSubjectPublicKeyInfo *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "algorithm", strlen("algorithm") ) == 0 ) { + rc = GDecComponentAlgorithmIdentifier (mem_op, b, (&k->algorithm), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->algorithm)->identifier.bv_val = peek_head; + ( k->algorithm)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "subjectPublicKey", strlen("subjectPublicKey") ) == 0 ) { + rc = GDecComponentBits (mem_op, b, (&k->subjectPublicKey), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->subjectPublicKey)->identifier.bv_val = peek_head; + (&k->subjectPublicKey)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentSubjectPublicKeyInfo*) CompAlloc( mem_op, sizeof(ComponentSubjectPublicKeyInfo) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentSubjectPublicKeyInfo ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentSubjectPublicKeyInfo ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentSubjectPublicKeyInfo; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentSubjectPublicKeyInfo; + return LDAP_SUCCESS; +} /* GDecSubjectPublicKeyInfo*/ + + +int +MatchingComponentExtensions ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + void* component1, *component2; + AsnList *v1, *v2, t_list; + + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + v1 = &((ComponentExtensions*)csi_attr)->comp_list; + v2 = &((ComponentExtensions*)csi_assert)->comp_list; + FOR_EACH_LIST_PAIR_ELMT(component1, component2, v1, v2) + { + if( MatchingComponentExtension(oid, (ComponentSyntaxInfo*)component1, (ComponentSyntaxInfo*)component2) == LDAP_COMPARE_FALSE) { + return LDAP_COMPARE_FALSE; + } + } /* end of for */ + + AsnListFirst( v1 ); + AsnListFirst( v2 ); + if( (!component1 && component2) || (component1 && !component2)) + return LDAP_COMPARE_FALSE; + else + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentExtensionsContent */ + +void* +ExtractingComponentExtensions ( void* mem_op, ComponentReference* cr, ComponentExtensions *comp ) +{ + int count = 0; + int total; + AsnList *v = &comp->comp_list; + ComponentInt *k; + ComponentExtension *component; + + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_FROM_BEGINNING : + count = cr->cr_curr->ci_val.ci_from_beginning; + FOR_EACH_LIST_ELMT( component , v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentExtension ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_FROM_END : + total = AsnListCount ( v ); + count = cr->cr_curr->ci_val.ci_from_end; + count = total + count +1; + FOR_EACH_LIST_ELMT ( component, v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentExtension ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_ALL : + return comp; + case LDAP_COMPREF_COUNT : + k = (ComponentInt*)CompAlloc( mem_op, sizeof(ComponentInt)); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + k->comp_desc->cd_tag = (-1); + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentInt; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentInt; + k->comp_desc->cd_extract_i = (extract_component_from_id_func*)NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_INTEGER; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentInt; + k->value = AsnListCount(v); + return k; + default : + return NULL; + } +} /* ExtractingComponentExtensions */ + +int +BDecComponentExtensions PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentExtensions **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentExtensions *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit(&k->comp_list,sizeof(ComponentExtension)); + for (totalElmtsLen1 = 0; (totalElmtsLen1 < elmtLen0) || (elmtLen0 == INDEFINITE_LEN);) + { + ComponentExtension **tmpVar; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((tagId1 == EOC_TAG_ID) && (elmtLen0 == INDEFINITE_LEN)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + break; /* got EOC so can exit this SET OF/SEQ OF's for loop*/ + } + if ((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tmpVar = (ComponentExtension**) CompAsnListAppend (mem_op,&k->comp_list); + rc = BDecComponentExtension (mem_op, b, tagId1, elmtLen1, tmpVar, &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of tag check if */ + else /* wrong tag */ + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentExtensions*) CompAlloc( mem_op, sizeof(ComponentExtensions) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentExtensions ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentExtensions ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentExtensions; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentExtensions; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecExtensionsContent */ + +int +GDecComponentExtensions PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentExtensions **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentExtensions *k,*t, c_temp; + + + int ElmtsLen1; + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit( &k->comp_list, sizeof( ComponentExtension ) ); + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_PEEK)) ){ + Asn1Error("Error during Reading { in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + for (ElmtsLen1 = 0; ElmtsLen1 >= INDEFINITE_LEN; ElmtsLen1++) + { + ComponentExtension **tmpVar; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_NO_COPY)) ){ + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head == '}') break; + if( !(*peek_head == '{' || *peek_head ==',') ) { + return LDAP_PROTOCOL_ERROR; + } + tmpVar = (ComponentExtension**) CompAsnListAppend (mem_op, &k->comp_list); + if ( tmpVar == NULL ) { + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + rc = GDecComponentExtension (mem_op, b, tmpVar, bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentExtensions*) CompAlloc( mem_op, sizeof(ComponentExtensions) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentExtensions ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentExtensions ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentExtensions; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentExtensions; + return LDAP_SUCCESS; +} /* GDecExtensionsContent */ + + +int +MatchingComponentRelativeDistinguishedName ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + void* component1, *component2; + AsnList *v1, *v2, t_list; + + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + v1 = &((ComponentRelativeDistinguishedName*)csi_attr)->comp_list; + v2 = &((ComponentRelativeDistinguishedName*)csi_assert)->comp_list; + AsnListInit( &t_list, 0 ); + if( AsnListCount( v1 ) != AsnListCount( v2 ) ) + return LDAP_COMPARE_FALSE; + FOR_EACH_LIST_ELMT (component1, v1) + { + FOR_EACH_LIST_ELMT(component2, v2) + { + if( MatchingComponentAttributeTypeAndValue(oid, (ComponentSyntaxInfo*)component1,(ComponentSyntaxInfo*)component2) == LDAP_COMPARE_TRUE ) { + AsnElmtMove( v2, &t_list ); + break; + } + } /* end of inner for */ + } /* end of outer for */ + + if( AsnListCount( v2 ) == 0 ) + rc = LDAP_COMPARE_TRUE; + else + rc = LDAP_COMPARE_FALSE; + AsnListMove( &t_list, v2 ); + AsnListFirst( v1 ); + AsnListFirst( v2 ); + return rc; +} /* BMatchingComponentRelativeDistinguishedNameContent */ + +void* +ExtractingComponentRelativeDistinguishedName ( void* mem_op, ComponentReference* cr, ComponentRelativeDistinguishedName *comp ) +{ + int count = 0; + int total; + AsnList *v = &comp->comp_list; + ComponentInt *k; + ComponentAttributeTypeAndValue *component; + + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_FROM_BEGINNING : + count = cr->cr_curr->ci_val.ci_from_beginning; + FOR_EACH_LIST_ELMT( component , v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAttributeTypeAndValue ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_FROM_END : + total = AsnListCount ( v ); + count = cr->cr_curr->ci_val.ci_from_end; + count = total + count +1; + FOR_EACH_LIST_ELMT ( component, v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAttributeTypeAndValue ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_ALL : + return comp; + case LDAP_COMPREF_COUNT : + k = (ComponentInt*)CompAlloc( mem_op, sizeof(ComponentInt)); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + k->comp_desc->cd_tag = (-1); + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentInt; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentInt; + k->comp_desc->cd_extract_i = (extract_component_from_id_func*)NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_INTEGER; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentInt; + k->value = AsnListCount(v); + return k; + default : + return NULL; + } +} /* ExtractingComponentRelativeDistinguishedName */ + +int +BDecComponentRelativeDistinguishedName PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentRelativeDistinguishedName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentRelativeDistinguishedName *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit(&k->comp_list,sizeof(ComponentAttributeTypeAndValue)); + for (totalElmtsLen1 = 0; (totalElmtsLen1 < elmtLen0) || (elmtLen0 == INDEFINITE_LEN);) + { + ComponentAttributeTypeAndValue **tmpVar; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((tagId1 == EOC_TAG_ID) && (elmtLen0 == INDEFINITE_LEN)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + break; /* got EOC so can exit this SET OF/SEQ OF's for loop*/ + } + if ((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tmpVar = (ComponentAttributeTypeAndValue**) CompAsnListAppend (mem_op,&k->comp_list); + rc = BDecComponentAttributeTypeAndValue (mem_op, b, tagId1, elmtLen1, tmpVar, &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of tag check if */ + else /* wrong tag */ + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentRelativeDistinguishedName*) CompAlloc( mem_op, sizeof(ComponentRelativeDistinguishedName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ldap_encoder = (encoder_func*)ConvertRDN2RFC2253; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentRelativeDistinguishedName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentRelativeDistinguishedName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentRelativeDistinguishedName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = RelativeDistinguishedName; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentRelativeDistinguishedName; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecRelativeDistinguishedNameContent */ + +int +GDecComponentRelativeDistinguishedName PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentRelativeDistinguishedName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentRelativeDistinguishedName *k,*t, c_temp; + + + int ElmtsLen1; + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit( &k->comp_list, sizeof( ComponentAttributeTypeAndValue ) ); + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_PEEK)) ){ + Asn1Error("Error during Reading { in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + for (ElmtsLen1 = 0; ElmtsLen1 >= INDEFINITE_LEN; ElmtsLen1++) + { + ComponentAttributeTypeAndValue **tmpVar; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_NO_COPY)) ){ + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head == '}') break; + if( !(*peek_head == '{' || *peek_head ==',') ) { + return LDAP_PROTOCOL_ERROR; + } + tmpVar = (ComponentAttributeTypeAndValue**) CompAsnListAppend (mem_op, &k->comp_list); + if ( tmpVar == NULL ) { + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + rc = GDecComponentAttributeTypeAndValue (mem_op, b, tmpVar, bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentRelativeDistinguishedName*) CompAlloc( mem_op, sizeof(ComponentRelativeDistinguishedName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentRelativeDistinguishedName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentRelativeDistinguishedName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentRelativeDistinguishedName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = RelativeDistinguishedName; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentRelativeDistinguishedName; + return LDAP_SUCCESS; +} /* GDecRelativeDistinguishedNameContent */ + + +int +MatchingComponentRDNSequence ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + void* component1, *component2; + AsnList *v1, *v2, t_list; + + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + v1 = &((ComponentRDNSequence*)csi_attr)->comp_list; + v2 = &((ComponentRDNSequence*)csi_assert)->comp_list; + FOR_EACH_LIST_PAIR_ELMT(component1, component2, v1, v2) + { + if( MatchingComponentRelativeDistinguishedName(oid, (ComponentSyntaxInfo*)component1, (ComponentSyntaxInfo*)component2) == LDAP_COMPARE_FALSE) { + return LDAP_COMPARE_FALSE; + } + } /* end of for */ + + AsnListFirst( v1 ); + AsnListFirst( v2 ); + if( (!component1 && component2) || (component1 && !component2)) + return LDAP_COMPARE_FALSE; + else + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentRDNSequenceContent */ + +void* +ExtractingComponentRDNSequence ( void* mem_op, ComponentReference* cr, ComponentRDNSequence *comp ) +{ + int count = 0; + int total; + AsnList *v = &comp->comp_list; + ComponentInt *k; + ComponentRelativeDistinguishedName *component; + + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_FROM_BEGINNING : + count = cr->cr_curr->ci_val.ci_from_beginning; + FOR_EACH_LIST_ELMT( component , v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentRelativeDistinguishedName ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_FROM_END : + total = AsnListCount ( v ); + count = cr->cr_curr->ci_val.ci_from_end; + count = total + count +1; + FOR_EACH_LIST_ELMT ( component, v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentRelativeDistinguishedName ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_ALL : + return comp; + case LDAP_COMPREF_COUNT : + k = (ComponentInt*)CompAlloc( mem_op, sizeof(ComponentInt)); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + k->comp_desc->cd_tag = (-1); + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentInt; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentInt; + k->comp_desc->cd_extract_i = (extract_component_from_id_func*)NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_INTEGER; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentInt; + k->value = AsnListCount(v); + return k; + default : + return NULL; + } +} /* ExtractingComponentRDNSequence */ + +int +BDecComponentRDNSequence PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentRDNSequence **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentRDNSequence *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit(&k->comp_list,sizeof(ComponentRelativeDistinguishedName)); + for (totalElmtsLen1 = 0; (totalElmtsLen1 < elmtLen0) || (elmtLen0 == INDEFINITE_LEN);) + { + ComponentRelativeDistinguishedName **tmpVar; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((tagId1 == EOC_TAG_ID) && (elmtLen0 == INDEFINITE_LEN)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + break; /* got EOC so can exit this SET OF/SEQ OF's for loop*/ + } + if ((tagId1 == MAKE_TAG_ID (UNIV, CONS, SET_TAG_CODE))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tmpVar = (ComponentRelativeDistinguishedName**) CompAsnListAppend (mem_op,&k->comp_list); + rc = BDecComponentRelativeDistinguishedName (mem_op, b, tagId1, elmtLen1, tmpVar, &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of tag check if */ + else /* wrong tag */ + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentRDNSequence*) CompAlloc( mem_op, sizeof(ComponentRDNSequence) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ldap_encoder = (encoder_func*) ConvertRDNSequence2RFC2253; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentRDNSequence ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentRDNSequence ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentRDNSequence; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = RDNSequence; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentRDNSequence; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecRDNSequenceContent */ + +int +GDecComponentRDNSequence PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentRDNSequence **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentRDNSequence *k,*t, c_temp; + + + int ElmtsLen1; + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit( &k->comp_list, sizeof( ComponentRelativeDistinguishedName ) ); + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_PEEK)) ){ + Asn1Error("Error during Reading { in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + for (ElmtsLen1 = 0; ElmtsLen1 >= INDEFINITE_LEN; ElmtsLen1++) + { + ComponentRelativeDistinguishedName **tmpVar; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_NO_COPY)) ){ + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head == '}') break; + if( !(*peek_head == '{' || *peek_head ==',') ) { + return LDAP_PROTOCOL_ERROR; + } + tmpVar = (ComponentRelativeDistinguishedName**) CompAsnListAppend (mem_op, &k->comp_list); + if ( tmpVar == NULL ) { + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + rc = GDecComponentRelativeDistinguishedName (mem_op, b, tmpVar, bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentRDNSequence*) CompAlloc( mem_op, sizeof(ComponentRDNSequence) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ldap_encoder = (encoder_func*)ConvertRDNSequence2RFC2253; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentRDNSequence ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentRDNSequence ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentRDNSequence; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = RDNSequence ; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentRDNSequence; + return LDAP_SUCCESS; +} /* GDecRDNSequenceContent */ + + +int +MatchingComponentName ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + ComponentName *v1, *v2; + + + v1 = (ComponentName*)csi_attr; + v2 = (ComponentName*)csi_assert; + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + if( (v1->choiceId != v2->choiceId ) ) + return LDAP_COMPARE_FALSE; + switch( v1->choiceId ) + { + case NAME_RDNSEQUENCE : + rc = MatchingComponentRDNSequence ( oid, (ComponentSyntaxInfo*)(v1->a.rdnSequence), (ComponentSyntaxInfo*)(v2->a.rdnSequence) ); + break; + default : + return LDAP_PROTOCOL_ERROR; + } + return rc; +} /* BMatchingComponentNameContent */ + +void* +ExtractingComponentName ( void* mem_op, ComponentReference* cr, ComponentName *comp ) +{ + + + if( (comp->choiceId) == NAME_RDNSEQUENCE && + (( comp->a.rdnSequence->identifier.bv_val && strncmp(comp->a.rdnSequence->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0) || + ( strncmp(comp->a.rdnSequence->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0))) { + if ( cr->cr_curr->ci_next == NULL ) + return (comp->a.rdnSequence); + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentRDNSequence ( mem_op, cr, (comp->a.rdnSequence) ); + }; + } + return NULL; +} /* ExtractingComponentName */ + +int +BDecComponentName PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentName *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + switch (tagId0) + { + case MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE): + (k->choiceId) = NAME_RDNSEQUENCE; + rc = BDecComponentRDNSequence (mem_op, b, tagId0, elmtLen0, (&k->a.rdnSequence), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.rdnSequence)->identifier.bv_val = (k->a.rdnSequence)->id_buf; + (k->a.rdnSequence)->identifier.bv_len = strlen("rdnSequence"); + strcpy( (k->a.rdnSequence)->identifier.bv_val, "rdnSequence"); + break; + + default: + Asn1Error ("ERROR - unexpected tag in CHOICE\n"); + return -1; + break; + } /* end switch */ + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentName*) CompAlloc( mem_op, sizeof(ComponentName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentName; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecNameContent */ + +int +GDecComponentName PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentName **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentName *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen2 = LocateNextGSERToken(mem_op,b,&peek_head2,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head2 != ':'){ + Asn1Error("Missing : in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if( strncmp("rdnSequence",peek_head, strlen("rdnSequence")) == 0){ + (k->choiceId) = NAME_RDNSEQUENCE; + rc = GDecComponentRDNSequence (mem_op, b, (&k->a.rdnSequence), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->a.rdnSequence)->identifier.bv_val = peek_head; + (k->a.rdnSequence)->identifier.bv_len = strLen; + } + else { + Asn1Error("Undefined Identifier"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentName*) CompAlloc( mem_op, sizeof(ComponentName) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentName ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentName ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentName; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentName; + return LDAP_SUCCESS; +} /* GDecNameContent */ + + +int +MatchingComponentTBSCertificate ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentVersion ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->version, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->version ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentCertificateSerialNumber ( oid, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_attr)->serialNumber, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_assert)->serialNumber ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentAlgorithmIdentifier ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->signature, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->signature ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentName ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->issuer, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->issuer ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentValidity ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->validity, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->validity ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentName ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->subject, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->subject ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentSubjectPublicKeyInfo ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->subjectPublicKeyInfo, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->subjectPublicKeyInfo ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentUniqueIdentifier ( oid, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_attr)->issuerUniqueIdentifier, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_assert)->issuerUniqueIdentifier ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentUniqueIdentifier ( oid, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_attr)->subjectUniqueIdentifier, (ComponentSyntaxInfo*)&((ComponentTBSCertificate*)csi_assert)->subjectUniqueIdentifier ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + if(COMPONENTNOT_NULL( ((ComponentTBSCertificate*)csi_attr)->extensions ) ) { + rc = MatchingComponentExtensions ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_attr)->extensions, (ComponentSyntaxInfo*)((ComponentTBSCertificate*)csi_assert)->extensions ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentTBSCertificate */ + +void* +ExtractingComponentTBSCertificate ( void* mem_op, ComponentReference* cr, ComponentTBSCertificate *comp ) +{ + + if ( ( comp->version->identifier.bv_val && strncmp(comp->version->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->version->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->version; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentVersion ( mem_op, cr, comp->version ); + } + } + if ( ( comp->serialNumber.identifier.bv_val && strncmp(comp->serialNumber.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->serialNumber.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->serialNumber; + else + return NULL; + } + if ( ( comp->signature->identifier.bv_val && strncmp(comp->signature->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signature->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->signature; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAlgorithmIdentifier ( mem_op, cr, comp->signature ); + } + } + if ( ( comp->issuer->identifier.bv_val && strncmp(comp->issuer->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->issuer->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->issuer; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentName ( mem_op, cr, comp->issuer ); + } + } + if ( ( comp->validity->identifier.bv_val && strncmp(comp->validity->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->validity->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->validity; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentValidity ( mem_op, cr, comp->validity ); + } + } + if ( ( comp->subject->identifier.bv_val && strncmp(comp->subject->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->subject->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->subject; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentName ( mem_op, cr, comp->subject ); + } + } + if ( ( comp->subjectPublicKeyInfo->identifier.bv_val && strncmp(comp->subjectPublicKeyInfo->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->subjectPublicKeyInfo->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->subjectPublicKeyInfo; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentSubjectPublicKeyInfo ( mem_op, cr, comp->subjectPublicKeyInfo ); + } + } + if ( ( comp->issuerUniqueIdentifier.identifier.bv_val && strncmp(comp->issuerUniqueIdentifier.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->issuerUniqueIdentifier.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->issuerUniqueIdentifier; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->issuerUniqueIdentifier; + } else { + return NULL; + } + } + if ( ( comp->subjectUniqueIdentifier.identifier.bv_val && strncmp(comp->subjectUniqueIdentifier.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->subjectUniqueIdentifier.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->subjectUniqueIdentifier; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->subjectUniqueIdentifier; + } else { + return NULL; + } + } + if ( ( comp->extensions->identifier.bv_val && strncmp(comp->extensions->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->extensions->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->extensions; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentExtensions ( mem_op, cr, comp->extensions ); + } + } + return NULL; +} /* ExtractingComponentTBSCertificate */ + +int +BDecComponentTBSCertificate PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentTBSCertificate **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentTBSCertificate *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (CNTX, CONS, 0)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tagId2 = BDecTag (b, &totalElmtsLen1 ); + + if (tagId2 != MAKE_TAG_ID (UNIV, PRIM, INTEGER_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen2 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentVersion (mem_op, b, tagId2, elmtLen2, (&k->version), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->version)->identifier.bv_val = (k->version)->id_buf; + (k->version)->identifier.bv_len = strlen("version"); + strcpy( (k->version)->identifier.bv_val, "version"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, INTEGER_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentCertificateSerialNumber (mem_op, b, tagId1, elmtLen1, (&k->serialNumber), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->serialNumber)->identifier.bv_val = (&k->serialNumber)->id_buf; + (&k->serialNumber)->identifier.bv_len = strlen("serialNumber"); + strcpy( (&k->serialNumber)->identifier.bv_val, "serialNumber"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAlgorithmIdentifier (mem_op, b, tagId1, elmtLen1, (&k->signature), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->signature)->identifier.bv_val = (k->signature)->id_buf; + (k->signature)->identifier.bv_len = strlen("signature"); + strcpy( (k->signature)->identifier.bv_val, "signature"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentName (mem_op, b, tagId1, elmtLen1, (&k->issuer), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->issuer)->identifier.bv_val = (k->issuer)->id_buf; + (k->issuer)->identifier.bv_len = strlen("issuer"); + strcpy( (k->issuer)->identifier.bv_val, "issuer"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentValidity (mem_op, b, tagId1, elmtLen1, (&k->validity), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->validity)->identifier.bv_val = (k->validity)->id_buf; + (k->validity)->identifier.bv_len = strlen("validity"); + strcpy( (k->validity)->identifier.bv_val, "validity"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentName (mem_op, b, tagId1, elmtLen1, (&k->subject), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->subject)->identifier.bv_val = (k->subject)->id_buf; + (k->subject)->identifier.bv_len = strlen("subject"); + strcpy( (k->subject)->identifier.bv_val, "subject"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentSubjectPublicKeyInfo (mem_op, b, tagId1, elmtLen1, (&k->subjectPublicKeyInfo), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->subjectPublicKeyInfo)->identifier.bv_val = (k->subjectPublicKeyInfo)->id_buf; + (k->subjectPublicKeyInfo)->identifier.bv_len = strlen("subjectPublicKeyInfo"); + strcpy( (k->subjectPublicKeyInfo)->identifier.bv_val, "subjectPublicKeyInfo"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + else + return -1; + + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, PRIM, 1)) || +(tagId1 == MAKE_TAG_ID (CNTX, CONS, 1)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentUniqueIdentifier (mem_op, b, tagId1, elmtLen1, (&k->issuerUniqueIdentifier), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->issuerUniqueIdentifier)->identifier.bv_val = (&k->issuerUniqueIdentifier)->id_buf; + (&k->issuerUniqueIdentifier)->identifier.bv_len = strlen("issuerUniqueIdentifier"); + strcpy( (&k->issuerUniqueIdentifier)->identifier.bv_val, "issuerUniqueIdentifier"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, PRIM, 2)) || +(tagId1 == MAKE_TAG_ID (CNTX, CONS, 2)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentUniqueIdentifier (mem_op, b, tagId1, elmtLen1, (&k->subjectUniqueIdentifier), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->subjectUniqueIdentifier)->identifier.bv_val = (&k->subjectUniqueIdentifier)->id_buf; + (&k->subjectUniqueIdentifier)->identifier.bv_len = strlen("subjectUniqueIdentifier"); + strcpy( (&k->subjectUniqueIdentifier)->identifier.bv_val, "subjectUniqueIdentifier"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, CONS, 3)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tagId2 = BDecTag (b, &totalElmtsLen1 ); + + if (tagId2 != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen2 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentExtensions (mem_op, b, tagId2, elmtLen2, (&k->extensions), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->extensions)->identifier.bv_val = (k->extensions)->id_buf; + (k->extensions)->identifier.bv_len = strlen("extensions"); + strcpy( (k->extensions)->identifier.bv_val, "extensions"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if(!COMPONENTNOT_NULL ((k->version))) + { +(k->version) = CompAlloc( mem_op, sizeof(ComponentVersion)); + (k->version)->identifier.bv_val = (k->version)->id_buf; + (k->version)->identifier.bv_len = strlen("version"); + strcpy( (k->version)->identifier.bv_val, "version"); + (k->version)->value = 0; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertificate*) CompAlloc( mem_op, sizeof(ComponentTBSCertificate) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertificate ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertificate ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertificate; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertificate; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecTBSCertificate*/ + +int +GDecComponentTBSCertificate PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentTBSCertificate **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentTBSCertificate *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "version", strlen("version") ) == 0 ) { + rc = GDecComponentVersion (mem_op, b, (&k->version), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->version)->identifier.bv_val = peek_head; + ( k->version)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + else { +(k->version) = CompAlloc( mem_op, sizeof(ComponentVersion)); + (k->version)->value = 0; + } + if ( strncmp( peek_head, "serialNumber", strlen("serialNumber") ) == 0 ) { + rc = GDecComponentCertificateSerialNumber (mem_op, b, (&k->serialNumber), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->serialNumber)->identifier.bv_val = peek_head; + (&k->serialNumber)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signature", strlen("signature") ) == 0 ) { + rc = GDecComponentAlgorithmIdentifier (mem_op, b, (&k->signature), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->signature)->identifier.bv_val = peek_head; + ( k->signature)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "issuer", strlen("issuer") ) == 0 ) { + rc = GDecComponentName (mem_op, b, (&k->issuer), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->issuer)->identifier.bv_val = peek_head; + ( k->issuer)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "validity", strlen("validity") ) == 0 ) { + rc = GDecComponentValidity (mem_op, b, (&k->validity), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->validity)->identifier.bv_val = peek_head; + ( k->validity)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "subject", strlen("subject") ) == 0 ) { + rc = GDecComponentName (mem_op, b, (&k->subject), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->subject)->identifier.bv_val = peek_head; + ( k->subject)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "subjectPublicKeyInfo", strlen("subjectPublicKeyInfo") ) == 0 ) { + rc = GDecComponentSubjectPublicKeyInfo (mem_op, b, (&k->subjectPublicKeyInfo), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->subjectPublicKeyInfo)->identifier.bv_val = peek_head; + ( k->subjectPublicKeyInfo)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "issuerUniqueIdentifier", strlen("issuerUniqueIdentifier") ) == 0 ) { + rc = GDecComponentUniqueIdentifier (mem_op, b, (&k->issuerUniqueIdentifier), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->issuerUniqueIdentifier)->identifier.bv_val = peek_head; + (&k->issuerUniqueIdentifier)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "subjectUniqueIdentifier", strlen("subjectUniqueIdentifier") ) == 0 ) { + rc = GDecComponentUniqueIdentifier (mem_op, b, (&k->subjectUniqueIdentifier), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->subjectUniqueIdentifier)->identifier.bv_val = peek_head; + (&k->subjectUniqueIdentifier)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "extensions", strlen("extensions") ) == 0 ) { + rc = GDecComponentExtensions (mem_op, b, (&k->extensions), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->extensions)->identifier.bv_val = peek_head; + ( k->extensions)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertificate*) CompAlloc( mem_op, sizeof(ComponentTBSCertificate) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertificate ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertificate ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertificate; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertificate; + return LDAP_SUCCESS; +} /* GDecTBSCertificate*/ + + +int +MatchingComponentCertificate ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentTBSCertificate ( oid, (ComponentSyntaxInfo*)((ComponentCertificate*)csi_attr)->toBeSigned, (ComponentSyntaxInfo*)((ComponentCertificate*)csi_assert)->toBeSigned ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentAlgorithmIdentifier ( oid, (ComponentSyntaxInfo*)((ComponentCertificate*)csi_attr)->signatureAlgorithm, (ComponentSyntaxInfo*)((ComponentCertificate*)csi_assert)->signatureAlgorithm ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentBits ( oid, (ComponentSyntaxInfo*)&((ComponentCertificate*)csi_attr)->signature, (ComponentSyntaxInfo*)&((ComponentCertificate*)csi_assert)->signature ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentCertificate */ + +void* +ExtractingComponentCertificate ( void* mem_op, ComponentReference* cr, ComponentCertificate *comp ) +{ + + if ( ( comp->toBeSigned->identifier.bv_val && strncmp(comp->toBeSigned->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->toBeSigned->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->toBeSigned; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTBSCertificate ( mem_op, cr, comp->toBeSigned ); + } + } + if ( ( comp->signatureAlgorithm->identifier.bv_val && strncmp(comp->signatureAlgorithm->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signatureAlgorithm->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->signatureAlgorithm; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAlgorithmIdentifier ( mem_op, cr, comp->signatureAlgorithm ); + } + } + if ( ( comp->signature.identifier.bv_val && strncmp(comp->signature.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signature.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->signature; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->signature; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentCertificate */ + +int +BDecComponentCertificate PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentCertificate **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentCertificate *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTBSCertificate (mem_op, b, tagId1, elmtLen1, (&k->toBeSigned), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->toBeSigned)->identifier.bv_val = (k->toBeSigned)->id_buf; + (k->toBeSigned)->identifier.bv_len = strlen("toBeSigned"); + strcpy( (k->toBeSigned)->identifier.bv_val, "toBeSigned"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAlgorithmIdentifier (mem_op, b, tagId1, elmtLen1, (&k->signatureAlgorithm), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->signatureAlgorithm)->identifier.bv_val = (k->signatureAlgorithm)->id_buf; + (k->signatureAlgorithm)->identifier.bv_len = strlen("signatureAlgorithm"); + strcpy( (k->signatureAlgorithm)->identifier.bv_val, "signatureAlgorithm"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, BITSTRING_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, BITSTRING_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentBits (mem_op, b, tagId1, elmtLen1, (&k->signature), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->signature)->identifier.bv_val = (&k->signature)->id_buf; + (&k->signature)->identifier.bv_len = strlen("signature"); + strcpy( (&k->signature)->identifier.bv_val, "signature"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentCertificate*) CompAlloc( mem_op, sizeof(ComponentCertificate) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentCertificate ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentCertificate ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentCertificate; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentCertificate; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecCertificate*/ + +int +GDecComponentCertificate PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentCertificate **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentCertificate *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "toBeSigned", strlen("toBeSigned") ) == 0 ) { + rc = GDecComponentTBSCertificate (mem_op, b, (&k->toBeSigned), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->toBeSigned)->identifier.bv_val = peek_head; + ( k->toBeSigned)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signatureAlgorithm", strlen("signatureAlgorithm") ) == 0 ) { + rc = GDecComponentAlgorithmIdentifier (mem_op, b, (&k->signatureAlgorithm), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->signatureAlgorithm)->identifier.bv_val = peek_head; + ( k->signatureAlgorithm)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signature", strlen("signature") ) == 0 ) { + rc = GDecComponentBits (mem_op, b, (&k->signature), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->signature)->identifier.bv_val = peek_head; + (&k->signature)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentCertificate*) CompAlloc( mem_op, sizeof(ComponentCertificate) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentCertificate ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentCertificate ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentCertificate; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentCertificate; + return LDAP_SUCCESS; +} /* GDecCertificate*/ + + diff --git a/contrib/slapd-modules/comp_match/certificate.h b/contrib/slapd-modules/comp_match/certificate.h new file mode 100644 index 0000000..d1df75f --- /dev/null +++ b/contrib/slapd-modules/comp_match/certificate.h @@ -0,0 +1,379 @@ + +#include "asn-incl.h" +/* + * certificate.h + * "AuthenticationFramework" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Sat Dec 11 11:22:49 2004 + * The generated files are strongly encouraged to be + * compiled as a module for OpenLDAP Software + */ + +#ifndef _certificate_h_ +#define _certificate_h_ + + + + +#ifdef __cplusplus +extern "C" { +#endif +#ifdef _WIN32 +#pragma warning( disable : 4101 ) +#endif +#include "componentlib.h" +typedef enum AuthenticationFrameworkAnyId +{ + nullOid_ANY_ID = 0, + nullOid2_ANY_ID = 1, + nullOid3_ANY_ID = 2, + printableStringOid_ANY_ID = 3, + printableStringOid2_ANY_ID = 4, + printableStringOid3_ANY_ID = 5, + printableStringOid4_ANY_ID = 6, + printableStringOid5_ANY_ID = 7, + printableStringOid6_ANY_ID = 8, + printableStringOid7_ANY_ID = 9, + iA5StringOid_ANY_ID = 10, + octetStringOid_ANY_ID = 11, + octetStringOid2_ANY_ID = 12, + octetStringOid3_ANY_ID = 13, + octetStringOid4_ANY_ID = 14, + octetStringOid5_ANY_ID = 15, + octetStringOid7_ANY_ID = 17} AuthenticationFrameworkAnyId; + +void InitAnyAuthenticationFramework(); + + +#define V1 0 +#define V2 1 +#define V3 2 + +typedef ComponentInt ComponentVersion; /* INTEGER { V1 (0), V2 (1), V3 (2) } */ + +#define MatchingComponentVersion MatchingComponentInt + +#define ExtractingComponentVersion ExtractingComponentInt + +#define BDecComponentVersion BDecComponentInt + +#define GDecComponentVersion GDecComponentInt + + +typedef ComponentInt ComponentCertificateSerialNumber; /* INTEGER */ + +#define MatchingComponentCertificateSerialNumber MatchingComponentInt + +#define ExtractingComponentCertificateSerialNumber ExtractingComponentInt + +#define BDecComponentCertificateSerialNumber BDecComponentInt + +#define GDecComponentCertificateSerialNumber GDecComponentInt + + +typedef ComponentOid ComponentAttributeType; /* OBJECT IDENTIFIER */ + +#define MatchingComponentAttributeType MatchingComponentOid + +#define ExtractingComponentAttributeType ExtractingComponentOid + +#define BDecComponentAttributeType BDecComponentOid + +#define GDecComponentAttributeType GDecComponentOid + + +typedef ComponentBits ComponentUniqueIdentifier; /* BIT STRING */ + +#define MatchingComponentUniqueIdentifier MatchingComponentBits + +#define ExtractingComponentUniqueIdentifier ExtractingComponentBits + +#define BDecComponentUniqueIdentifier BDecComponentBits + +#define GDecComponentUniqueIdentifier GDecComponentBits + + +typedef struct AlgorithmIdentifier /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid algorithm; /* OBJECT IDENTIFIER */ + ComponentAnyDefinedBy parameters; /* ANY DEFINED BY algorithm OPTIONAL */ +} ComponentAlgorithmIdentifier; + +int MatchingComponentAlgorithmIdentifier PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAlgorithmIdentifier PROTO (( void* mem_op, ComponentReference *cr, ComponentAlgorithmIdentifier *comp )); + + +int BDecComponentAlgorithmIdentifier PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAlgorithmIdentifier **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAlgorithmIdentifier PROTO (( void* mem_op, GenBuf * b, ComponentAlgorithmIdentifier **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Time /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum TimeChoiceId + { + TIME_UTCTIME, + TIME_GENERALIZEDTIME + } choiceId; + union TimeChoiceUnion + { + ComponentUTCTime* utcTime; /* < unknown type id ?! > */ + ComponentGeneralizedTime* generalizedTime; /* < unknown type id ?! > */ + } a; +} ComponentTime; + +int MatchingComponentTime PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTime PROTO (( void* mem_op, ComponentReference *cr, ComponentTime *comp )); + + +int BDecComponentTime PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTime **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTime PROTO (( void* mem_op, GenBuf * b, ComponentTime **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Extension /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid extnID; /* OBJECT IDENTIFIER */ + ComponentBool* critical; /* BOOLEAN DEFAULT FALSE */ + ComponentOcts extnValue; /* OCTET STRING */ +} ComponentExtension; + +int MatchingComponentExtension PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentExtension PROTO (( void* mem_op, ComponentReference *cr, ComponentExtension *comp )); + + +int BDecComponentExtension PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentExtension **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentExtension PROTO (( void* mem_op, GenBuf * b, ComponentExtension **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct AttributeTypeAndValue /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentAttributeType type; /* AttributeType */ + ComponentAnyDefinedBy value; /* ANY DEFINED BY type */ +} ComponentAttributeTypeAndValue; + +int MatchingComponentAttributeTypeAndValue PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAttributeTypeAndValue PROTO (( void* mem_op, ComponentReference *cr, ComponentAttributeTypeAndValue *comp )); + + +int BDecComponentAttributeTypeAndValue PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAttributeTypeAndValue PROTO (( void* mem_op, GenBuf * b, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Validity /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentTime* notBefore; /* Time */ + ComponentTime* notAfter; /* Time */ +} ComponentValidity; + +int MatchingComponentValidity PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentValidity PROTO (( void* mem_op, ComponentReference *cr, ComponentValidity *comp )); + + +int BDecComponentValidity PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentValidity **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentValidity PROTO (( void* mem_op, GenBuf * b, ComponentValidity **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct SubjectPublicKeyInfo /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentAlgorithmIdentifier* algorithm; /* AlgorithmIdentifier */ + ComponentBits subjectPublicKey; /* BIT STRING */ +} ComponentSubjectPublicKeyInfo; + +int MatchingComponentSubjectPublicKeyInfo PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentSubjectPublicKeyInfo PROTO (( void* mem_op, ComponentReference *cr, ComponentSubjectPublicKeyInfo *comp )); + + +int BDecComponentSubjectPublicKeyInfo PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentSubjectPublicKeyInfo **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentSubjectPublicKeyInfo PROTO (( void* mem_op, GenBuf * b, ComponentSubjectPublicKeyInfo **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentExtensions; /* SEQUENCE SIZE 1..MAX OF Extension */ + +int MatchingComponentExtensions PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentExtensions PROTO (( void* mem_op, ComponentReference *cr, ComponentExtensions *comp )); + + +int BDecComponentExtensions PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentExtensions **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentExtensions PROTO (( void* mem_op, GenBuf * b, ComponentExtensions **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRelativeDistinguishedName; /* SET OF AttributeTypeAndValue */ + +int MatchingComponentRelativeDistinguishedName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRelativeDistinguishedName PROTO (( void* mem_op, ComponentReference *cr, ComponentRelativeDistinguishedName *comp )); + + +int BDecComponentRelativeDistinguishedName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRelativeDistinguishedName PROTO (( void* mem_op, GenBuf * b, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRDNSequence; /* SEQUENCE OF RelativeDistinguishedName */ + +int MatchingComponentRDNSequence PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRDNSequence PROTO (( void* mem_op, ComponentReference *cr, ComponentRDNSequence *comp )); + + +int BDecComponentRDNSequence PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRDNSequence PROTO (( void* mem_op, GenBuf * b, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Name /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum NameChoiceId + { + NAME_RDNSEQUENCE + } choiceId; + union NameChoiceUnion + { + ComponentRDNSequence* rdnSequence; /* RDNSequence */ + } a; +} ComponentName; + +int MatchingComponentName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentName PROTO (( void* mem_op, ComponentReference *cr, ComponentName *comp )); + + +int BDecComponentName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentName PROTO (( void* mem_op, GenBuf * b, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct TBSCertificate /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentVersion* version; /* [0] Version DEFAULT v1 */ + ComponentCertificateSerialNumber serialNumber; /* CertificateSerialNumber */ + ComponentAlgorithmIdentifier* signature; /* AlgorithmIdentifier */ + ComponentName* issuer; /* Name */ + ComponentValidity* validity; /* Validity */ + ComponentName* subject; /* Name */ + ComponentSubjectPublicKeyInfo* subjectPublicKeyInfo; /* SubjectPublicKeyInfo */ + ComponentUniqueIdentifier issuerUniqueIdentifier; /* [1] IMPLICIT UniqueIdentifier OPTIONAL */ + ComponentUniqueIdentifier subjectUniqueIdentifier; /* [2] IMPLICIT UniqueIdentifier OPTIONAL */ + ComponentExtensions* extensions; /* [3] Extensions OPTIONAL */ +} ComponentTBSCertificate; + +int MatchingComponentTBSCertificate PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTBSCertificate PROTO (( void* mem_op, ComponentReference *cr, ComponentTBSCertificate *comp )); + + +int BDecComponentTBSCertificate PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTBSCertificate **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTBSCertificate PROTO (( void* mem_op, GenBuf * b, ComponentTBSCertificate **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Certificate /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentTBSCertificate* toBeSigned; /* TBSCertificate */ + ComponentAlgorithmIdentifier* signatureAlgorithm; /* AlgorithmIdentifier */ + ComponentBits signature; /* BIT STRING */ +} ComponentCertificate; + +int MatchingComponentCertificate PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentCertificate PROTO (( void* mem_op, ComponentReference *cr, ComponentCertificate *comp )); + + +int BDecComponentCertificate PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentCertificate **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentCertificate PROTO (( void* mem_op, GenBuf * b, ComponentCertificate **v, AsnLen *bytesDecoded, int mode)); + + + +/* ========== Object Declarations ========== */ + + +/* ========== Object Set Declarations ========== */ +#ifdef __cplusplus +extern "C" { +#endif + +#endif /* conditional include of certificate.h */ diff --git a/contrib/slapd-modules/comp_match/componentlib.c b/contrib/slapd-modules/comp_match/componentlib.c new file mode 100644 index 0000000..93141b3 --- /dev/null +++ b/contrib/slapd-modules/comp_match/componentlib.c @@ -0,0 +1,2370 @@ +/* Copyright 2004 IBM Corporation + * All rights reserved. + * Redisribution and use in source and binary forms, with or without + * modification, are permitted only as authorizd by the OpenLADP + * Public License. + */ +/* ACKNOWLEDGEMENTS + * This work originally developed by Sang Seok Lim + * 2004/06/18 03:20:00 slim@OpenLDAP.org + */ + +#include "portable.h" +#include <ac/string.h> +#include <ac/socket.h> +#include <ldap_pvt.h> +#include "lutil.h" +#include <ldap.h> +#include "slap.h" +#include "component.h" + +#include "componentlib.h" +#include "asn.h" +#include <asn-gser.h> +#include <stdlib.h> + +#include <string.h> + +#ifndef SLAPD_COMP_MATCH +#define SLAPD_COMP_MATCH SLAPD_MOD_DYNAMIC +#endif + +#ifdef SLAPD_COMP_MATCH +/* + * Matching function : BIT STRING + */ +int +MatchingComponentBits ( char* oid, ComponentSyntaxInfo *csi_attr, + ComponentSyntaxInfo *csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentBits *a, *b; + + if ( oid ) { + mr = retrieve_matching_rule(oid, (AsnTypeId)csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = ((ComponentBits*)csi_attr); + b = ((ComponentBits*)csi_assert); + rc = ( a->value.bitLen == b->value.bitLen && + strncmp( a->value.bits,b->value.bits,a->value.bitLen ) == 0 ); + return rc ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * Free function: BIT STRING + */ +void +FreeComponentBits ( ComponentBits* v ) { + FreeAsnBits( &v->value ); +} + +/* + * GSER Encoder : BIT STRING + */ +int +GEncComponentBits ( GenBuf *b, ComponentBits *in ) +{ + GAsnBits bits = {0}; + + bits.value = in->value; + if ( !in ) + return (-1); + return GEncAsnBitsContent ( b, &bits); +} + + +/* + * GSER Decoder : BIT STRING + */ +int +GDecComponentBits ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentBits* k, **k2; + GAsnBits result; + + k = (ComponentBits*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBits**) v; + *k2 = (ComponentBits*) CompAlloc( mem_op, sizeof( ComponentBits ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnBitsContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_BITSTRING); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : BIT STRING + */ +int +BDecComponentBitsTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentBits ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentBits ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentBits* k, **k2; + AsnBits result; + + k = (ComponentBits*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBits**) v; + *k2 = (ComponentBits*) CompAlloc( mem_op, sizeof( ComponentBits ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnBits ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnBitsContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + + if ( rc < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_BITSTRING); + + return LDAP_SUCCESS; +} + +/* + * Component GSER BMPString Encoder + */ +int +GEncComponentBMPString ( GenBuf *b, ComponentBMPString *in ) +{ + GBMPString t = {0}; + + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncBMPStringContent ( b, &t ); +} + +/* + * Component GSER BMPString Decoder + */ +int +GDecComponentBMPString ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentBMPString* k, **k2; + GBMPString result; + + k = (ComponentBMPString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBMPString**) v; + *k2 = (ComponentBMPString*) CompAlloc( mem_op, sizeof( ComponentBMPString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + *bytesDecoded = 0; + + if ( GDecBMPStringContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_BMP_STR); + + return LDAP_SUCCESS; + +} + +/* + * Component BER BMPString Decoder + */ +int +BDecComponentBMPStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentBMPString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentBMPString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentBMPString* k, **k2; + BMPString result; + + k = (ComponentBMPString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBMPString**) v; + *k2 = (ComponentBMPString*) CompAlloc( mem_op, sizeof( ComponentBMPString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecBMPString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecBMPStringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + + if ( rc < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_BMP_STR); + + return LDAP_SUCCESS; + +} + +/* + * Component GSER Encoder : UTF8 String + */ +int +GEncComponentUTF8String ( GenBuf *b, ComponentUTF8String *in ) +{ + GUTF8String t = {0}; + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncUTF8StringContent ( b, &t ); +} + +/* + * Component GSER Decoder : UTF8 String + */ +int +GDecComponentUTF8String ( void* mem_op, GenBuf *b, void *v, + AsnLen *bytesDecoded, int mode) { + char* peek_head; + int i, strLen; + void* component_values; + ComponentUTF8String* k, **k2; + GUTF8String result; + + k = (ComponentUTF8String*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentUTF8String**) v; + *k2 = (ComponentUTF8String*)CompAlloc( mem_op, sizeof( ComponentUTF8String ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + *bytesDecoded = 0; + + if ( GDecUTF8StringContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_UTF8_STR); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : UTF8String + */ +int +BDecComponentUTF8StringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentUTF8String ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentUTF8String ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, + void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentUTF8String* k, **k2; + UTF8String result; + + k = (ComponentUTF8String*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentUTF8String**) v; + *k2 = (ComponentUTF8String*) CompAlloc( mem_op, sizeof( ComponentUTF8String ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecUTF8String ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecUTF8StringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_UTF8_STR); + + return LDAP_SUCCESS; +} + +/* + * Component GSER Encoder : Teletex String + */ +int +GEncComponentTeletexString ( GenBuf *b, ComponentTeletexString *in ) +{ + GTeletexString t = {0}; + + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncTeletexStringContent ( b, &t ); +} + +/* + * Component GSER Decoder : Teletex String + */ +int +GDecComponentTeletexString ( void* mem_op, GenBuf *b, void *v, + AsnLen *bytesDecoded, int mode) { + char* peek_head; + int i, strLen; + void* component_values; + ComponentTeletexString* k, **k2; + GTeletexString result; + + k = (ComponentTeletexString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentTeletexString**) v; + *k2 = (ComponentTeletexString*)CompAlloc( mem_op, sizeof( ComponentTeletexString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + *bytesDecoded = 0; + + if ( GDecTeletexStringContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_VIDEOTEX_STR); + + return LDAP_SUCCESS; +} + + +/* + * Matching function : BOOLEAN + */ +int +MatchingComponentBool(char* oid, ComponentSyntaxInfo* csi_attr, + ComponentSyntaxInfo* csi_assert ) +{ + MatchingRule* mr; + ComponentBool *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + + a = ((ComponentBool*)csi_attr); + b = ((ComponentBool*)csi_assert); + + return (a->value == b->value) ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : BOOLEAN + */ +int +GEncComponentBool ( GenBuf *b, ComponentBool *in ) +{ + GAsnBool t = {0}; + + if ( !in ) + return (-1); + t.value = in->value; + return GEncAsnBoolContent ( b, &t ); +} + +/* + * GSER Decoder : BOOLEAN + */ +int +GDecComponentBool ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + ComponentBool* k, **k2; + GAsnBool result; + + k = (ComponentBool*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBool**) v; + *k2 = (ComponentBool*) CompAlloc( mem_op, sizeof( ComponentBool ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnBoolContent( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_BOOLEAN); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : BOOLEAN + */ +int +BDecComponentBoolTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentBool ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentBool ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + ComponentBool* k, **k2; + AsnBool result; + + k = (ComponentBool*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentBool**) v; + *k2 = (ComponentBool*) CompAlloc( mem_op, sizeof( ComponentBool ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnBool ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnBoolContent( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_BOOLEAN); + + return LDAP_SUCCESS; +} + +/* + * Matching function : ENUMERATE + */ +int +MatchingComponentEnum ( char* oid, ComponentSyntaxInfo *csi_attr, + ComponentSyntaxInfo *csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentEnum *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = ((ComponentEnum*)csi_attr); + b = ((ComponentEnum*)csi_assert); + rc = (a->value == b->value); + + return rc ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : ENUMERATE + */ +int +GEncComponentEnum ( GenBuf *b, ComponentEnum *in ) +{ + GAsnEnum t = {0}; + + if ( !in ) + return (-1); + t.value = in->value; + return GEncAsnEnumContent ( b, &t ); +} + +/* + * GSER Decoder : ENUMERATE + */ +int +GDecComponentEnum ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentEnum* k, **k2; + GAsnEnum result; + + k = (ComponentEnum*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentEnum**) v; + *k2 = (ComponentEnum*) CompAlloc( mem_op, sizeof( ComponentEnum ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnEnumContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value_identifier.bv_val = result.value_identifier; + k->value_identifier.bv_len = result.len; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentEnum; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentEnum; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentEnum; + k->comp_desc->cd_free = (comp_free_func*)NULL; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_ENUMERATED; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentEnum; + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : ENUMERATE + */ +int +BDecComponentEnumTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentEnum ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentEnum ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentEnum* k, **k2; + AsnEnum result; + + k = (ComponentEnum*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentEnum**) v; + *k2 = (ComponentEnum*) CompAlloc( mem_op, sizeof( ComponentEnum ) ); + if ( k ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnEnum ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnEnumContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentEnum; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentEnum; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentEnum; + k->comp_desc->cd_free = (comp_free_func*)NULL; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_ENUMERATED; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentEnum; + + return LDAP_SUCCESS; +} + +/* + * Component GSER Encoder : IA5String + */ +int +GEncComponentIA5Stirng ( GenBuf *b, ComponentIA5String* in ) +{ + GIA5String t = {0}; + t.value = in->value; + if ( !in || in->value.octetLen <= 0 ) return (-1); + return GEncIA5StringContent( b, &t ); +} + +/* + * Component BER Decoder : IA5String + */ +int +BDecComponentIA5StringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentIA5String ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentIA5String ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentIA5String* k, **k2; + IA5String result; + + k = (ComponentIA5String*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentIA5String**) v; + *k2 = (ComponentIA5String*) CompAlloc( mem_op, sizeof( ComponentIA5String ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecIA5String ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecIA5StringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + + k->value = result; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentIA5String; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentIA5String; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentIA5String; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentIA5String; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_IA5_STR; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentIA5String; + + return LDAP_SUCCESS; +} + +/* + * Matching function : INTEGER + */ +int +MatchingComponentInt(char* oid, ComponentSyntaxInfo* csi_attr, + ComponentSyntaxInfo* csi_assert ) +{ + MatchingRule* mr; + ComponentInt *a, *b; + + if( oid ) { + /* check if this ASN type's matching rule is overrided */ + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + /* if existing function is overrided, call the overriding +function*/ + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = ((ComponentInt*)csi_attr); + b = ((ComponentInt*)csi_assert); + + return ( a->value == b->value ) ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : INTEGER + */ +int +GEncComponentInt ( GenBuf *b, ComponentInt* in ) +{ + GAsnInt t = {0}; + + if ( !in ) + return (-1); + t.value = in->value; + return GEncAsnIntContent ( b, &t ); +} + +/* + * GSER Decoder : INTEGER + */ +int +GDecComponentInt( void* mem_op, GenBuf * b, void *v, AsnLen *bytesDecoded, int mode) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentInt* k, **k2; + GAsnInt result; + + k = (ComponentInt*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentInt**) v; + *k2 = (ComponentInt*) CompAlloc( mem_op, sizeof( ComponentInt ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnIntContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_INTEGER ); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : INTEGER + */ +int +BDecComponentIntTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentInt ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentInt ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentInt* k, **k2; + AsnInt result; + + k = (ComponentInt*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentInt**) v; + *k2 = (ComponentInt*) CompAlloc( mem_op, sizeof( ComponentInt ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnInt ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnIntContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + k->value = result; + + k->comp_desc = get_component_description (BASICTYPE_INTEGER ); + + return LDAP_SUCCESS; +} + +/* + * Matching function : NULL + */ +int +MatchingComponentNull ( char *oid, ComponentSyntaxInfo *csi_attr, + ComponentSyntaxInfo *csi_assert ) +{ + MatchingRule* mr; + ComponentNull *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = ((ComponentNull*)csi_attr); + b = ((ComponentNull*)csi_assert); + + return (a->value == b->value) ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : NULL + */ +int +GEncComponentNull ( GenBuf *b, ComponentNull *in ) +{ + GAsnNull t = {0}; + + if ( !in ) + return (-1); + t.value = in->value; + return GEncAsnNullContent ( b, &t ); +} + +/* + * GSER Decoder : NULL + */ +int +GDecComponentNull ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentNull* k, **k2; + GAsnNull result; + + k = (ComponentNull*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentNull**) v; + *k2 = (ComponentNull*) CompAlloc( mem_op, sizeof( ComponentNull ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnNullContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentNull; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentNull; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentNull; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentNull; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_NULL; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentNull; + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : NULL + */ +int +BDecComponentNullTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + return BDecComponentNull ( mem_op, b, 0, 0, v,bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentNull ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentNull* k, **k2; + AsnNull result; + + k = (ComponentNull*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentNull**) v; + *k2 = (ComponentNull*) CompAlloc( mem_op, sizeof( ComponentNull ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnNull ( mem_op, b, &result, bytesDecoded ); + } + else { + rc = BDecAsnNullContent ( mem_op, b, tagId, len, &result, bytesDecoded); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentNull; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentNull; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentNull; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentNull; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_NULL; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentNull; + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : NumericString + */ +int +BDecComponentNumericStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentNumericString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentNumericString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentNumericString* k, **k2; + NumericString result; + + k = (ComponentNumericString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentNumericString**) v; + *k2 = (ComponentNumericString*) CompAlloc( mem_op, sizeof( ComponentNumericString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecNumericString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecNumericStringContent ( mem_op, b, tagId, len, &result, bytesDecoded); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentNumericString; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentNumericString; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentNumericString; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentNumericString; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_NUMERIC_STR; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentNumericString; + + return LDAP_SUCCESS; +} + + +/* + * Free function : OCTET STRING + */ +void +FreeComponentOcts ( ComponentOcts* v) { + FreeAsnOcts( &v->value ); +} + +/* + * Matching function : OCTET STRING + */ +int +MatchingComponentOcts ( char* oid, ComponentSyntaxInfo* csi_attr, + ComponentSyntaxInfo* csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentOcts *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = (ComponentOcts*) csi_attr; + b = (ComponentOcts*) csi_assert; + /* Assume that both of OCTET string has end of string character */ + if ( (a->value.octetLen == b->value.octetLen) && + strncmp ( a->value.octs, b->value.octs, a->value.octetLen ) == 0 ) + return LDAP_COMPARE_TRUE; + else + return LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : OCTET STRING + */ +int +GEncComponentOcts ( GenBuf* b, ComponentOcts *in ) +{ + GAsnOcts t = {0}; + if ( !in || in->value.octetLen <= 0 ) + return (-1); + + t.value = in->value; + return GEncAsnOctsContent ( b, &t ); +} + +/* + * GSER Decoder : OCTET STRING + */ +int +GDecComponentOcts ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char *peek_head, *data; + int i, j, strLen; + void* component_values; + ComponentOcts* k, **k2; + GAsnOcts result; + + k = (ComponentOcts*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentOcts**) v; + *k2 = (ComponentOcts*) CompAlloc( mem_op, sizeof( ComponentOcts ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnOctsContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentOcts; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentOcts; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentOcts; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentOcts; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_OCTETSTRING; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentOcts; + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : OCTET STRING + */ +int +BDecComponentOctsTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentOcts ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentOcts ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char *peek_head, *data; + int i, strLen, rc; + void* component_values; + ComponentOcts* k, **k2; + AsnOcts result; + + k = (ComponentOcts*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentOcts**) v; + *k2 = (ComponentOcts*) CompAlloc( mem_op, sizeof( ComponentOcts ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnOcts ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnOctsContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentOcts; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentOcts; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentOcts; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentOcts; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_OCTETSTRING; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentOcts; + return LDAP_SUCCESS; +} + +/* + * Matching function : OBJECT IDENTIFIER + */ +int +MatchingComponentOid ( char *oid, ComponentSyntaxInfo *csi_attr , + ComponentSyntaxInfo *csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentOid *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + + a = (ComponentOid*)csi_attr; + b = (ComponentOid*)csi_assert; + if ( a->value.octetLen != b->value.octetLen ) + return LDAP_COMPARE_FALSE; + rc = ( strncmp( a->value.octs, b->value.octs, a->value.octetLen ) == 0 ); + + return rc ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : OID + */ +GEncComponentOid ( GenBuf *b, ComponentOid *in ) +{ + GAsnOid t = {0}; + + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncAsnOidContent( b, (GAsnOcts*)&t ); +} + +/* + * GSER Decoder : OID + */ +int +GDecAsnDescOidContent ( void* mem_op, GenBuf *b, GAsnOid *result, AsnLen *bytesDecoded ){ + AttributeType *ad_type; + struct berval name; + char* peek_head; + int strLen; + + strLen = LocateNextGSERToken ( mem_op, b, &peek_head, GSER_NO_COPY ); + name.bv_val = peek_head; + name.bv_len = strLen; + + ad_type = at_bvfind( &name ); + + if ( !ad_type ) + return LDAP_DECODING_ERROR; + + peek_head = ad_type->sat_atype.at_oid; + strLen = strlen ( peek_head ); + + result->value.octs = (char*)EncodeComponentOid ( mem_op, peek_head , &strLen ); + result->value.octetLen = strLen; + return LDAP_SUCCESS; +} + +int +IsNumericOid ( char* peek_head , int strLen ) { + int i; + int num_dot; + for ( i = 0, num_dot = 0 ; i < strLen ; i++ ) { + if ( peek_head[i] == '.' ) num_dot++; + else if ( peek_head[i] > '9' || peek_head[i] < '0' ) + return (-1); + } + if ( num_dot ) + return (1); + else + return (-1); +} + +int +GDecComponentOid ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentOid* k, **k2; + GAsnOid result; + + k = (ComponentOid*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentOid**) v; + *k2 = (ComponentOid*) CompAlloc( mem_op, sizeof( ComponentOid ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + strLen = LocateNextGSERToken ( mem_op, b, &peek_head, GSER_PEEK ); + if ( IsNumericOid ( peek_head , strLen ) >= 1 ) { + /* numeric-oid */ + if ( GDecAsnOidContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + } + else { + /*descr*/ + if ( GDecAsnDescOidContent ( mem_op, b, &result, bytesDecoded ) < 0 ){ + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + } + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_OID); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : OID + */ +int +BDecComponentOidTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentOid ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentOid ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, + AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentOid* k, **k2; + AsnOid result; + + k = (ComponentOid*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentOid**) v; + *k2 = (ComponentOid*) CompAlloc( mem_op, sizeof( ComponentOid ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnOid ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnOidContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = get_component_description (BASICTYPE_OID); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : PrintiableString + */ + +int +BDecComponentPrintableStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + return BDecComponentPrintableString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentPrintableString( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentPrintableString* k, **k2; + AsnOid result; + + k = (ComponentPrintableString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentPrintableString**) v; + *k2 = (ComponentPrintableString*) CompAlloc( mem_op, sizeof( ComponentPrintableString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ) { + mode = mode & CALL_CONTENT_DECODER; + rc = BDecPrintableString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecPrintableStringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = get_component_description (BASICTYPE_PRINTABLE_STR); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : TeletexString + */ + +int +BDecComponentTeletexStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + return BDecComponentTeletexString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentTeletexString( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentTeletexString* k, **k2; + AsnOid result; + + k = (ComponentTeletexString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentTeletexString**) v; + *k2 = (ComponentTeletexString*) CompAlloc( mem_op, sizeof( ComponentTeletexString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ) { + mode = mode & CALL_CONTENT_DECODER; + rc = BDecTeletexString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecTeletexStringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + + k->comp_desc = get_component_description (BASICTYPE_T61_STR); + + return LDAP_SUCCESS; +} + + +/* + * Matching function : Real + */ +int +MatchingComponentReal (char* oid, ComponentSyntaxInfo *csi_attr, + ComponentSyntaxInfo *csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentReal *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + a = (ComponentReal*)csi_attr; + b = (ComponentReal*)csi_assert; + rc = (a->value == b->value); + + return rc ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : Real + */ +int +GEncComponentReal ( GenBuf *b, ComponentReal *in ) +{ + GAsnReal t = {0}; + if ( !in ) + return (-1); + t.value = in->value; + return GEncAsnRealContent ( b, &t ); +} + +/* + * GSER Decoder : Real + */ +int +GDecComponentReal ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentReal* k, **k2; + GAsnReal result; + + k = (ComponentReal*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentReal**) v; + *k2 = (ComponentReal*) CompAlloc( mem_op, sizeof( ComponentReal ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnRealContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_REAL); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : Real + */ +int +BDecComponentRealTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentReal ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentReal ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentReal* k, **k2; + AsnReal result; + + k = (ComponentReal*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentReal**) v; + *k2 = (ComponentReal*) CompAlloc( mem_op, sizeof( ComponentReal ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnReal ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnRealContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_REAL); + + return LDAP_SUCCESS; +} + +/* + * Matching function : Relative OID + */ +int +MatchingComponentRelativeOid ( char* oid, ComponentSyntaxInfo *csi_attr, + ComponentSyntaxInfo *csi_assert ) +{ + int rc; + MatchingRule* mr; + ComponentRelativeOid *a, *b; + + if( oid ) { + mr = retrieve_matching_rule(oid, csi_attr->csi_comp_desc->cd_type_id ); + if ( mr ) + return component_value_match( mr, csi_attr , csi_assert ); + } + + a = (ComponentRelativeOid*)csi_attr; + b = (ComponentRelativeOid*)csi_assert; + + if ( a->value.octetLen != b->value.octetLen ) + return LDAP_COMPARE_FALSE; + rc = ( strncmp( a->value.octs, b->value.octs, a->value.octetLen ) == 0 ); + + return rc ? LDAP_COMPARE_TRUE:LDAP_COMPARE_FALSE; +} + +/* + * GSER Encoder : RELATIVE_OID. + */ +int +GEncComponentRelativeOid ( GenBuf *b, ComponentRelativeOid *in ) +{ + GAsnRelativeOid t = {0}; + + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncAsnRelativeOidContent ( b , (GAsnOcts*)&t ); +} + +/* + * GSER Decoder : RELATIVE_OID. + */ +int +GDecComponentRelativeOid ( void* mem_op, GenBuf *b,void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen; + void* component_values; + ComponentRelativeOid* k, **k2; + GAsnRelativeOid result; + + k = (ComponentRelativeOid*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentRelativeOid**) v; + *k2 = (ComponentRelativeOid*) CompAlloc( mem_op, sizeof( ComponentRelativeOid ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( GDecAsnRelativeOidContent ( mem_op, b, &result, bytesDecoded ) < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result.value; + k->comp_desc = get_component_description (BASICTYPE_OID); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : RELATIVE_OID. + */ +int +BDecComponentRelativeOidTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentRelativeOid ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentRelativeOid ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentRelativeOid* k, **k2; + AsnRelativeOid result; + + k = (ComponentRelativeOid*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentRelativeOid**) v; + *k2 = (ComponentRelativeOid*) CompAlloc( mem_op, sizeof( ComponentRelativeOid ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecAsnRelativeOid ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecAsnRelativeOidContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_OID); + + return LDAP_SUCCESS; +} + +/* + * GSER Encoder : UniversalString + */ +int +GEncComponentUniversalString ( GenBuf *b, ComponentUniversalString *in ) +{ + GUniversalString t = {0}; + if ( !in || in->value.octetLen <= 0 ) + return (-1); + t.value = in->value; + return GEncUniversalStringContent( b, &t ); +} + +/* + * GSER Decoder : UniversalString + */ +static int +UTF8toUniversalString( char* octs, int len){ + /* Need to be Implemented */ + return LDAP_SUCCESS; +} + +int +GDecComponentUniversalString ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) +{ + if ( GDecComponentUTF8String ( mem_op, b, v, bytesDecoded, mode) < 0 ) + UTF8toUniversalString( ((ComponentUniversalString*)v)->value.octs, ((ComponentUniversalString*)v)->value.octetLen ); + return LDAP_DECODING_ERROR; +} + +/* + * Component BER Decoder : UniverseString + */ +int +BDecComponentUniversalStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentUniversalString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentUniversalString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentUniversalString* k, **k2; + UniversalString result; + + k = (ComponentUniversalString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentUniversalString**) v; + *k2 = (ComponentUniversalString*) CompAlloc( mem_op, sizeof( ComponentUniversalString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecUniversalString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecUniversalStringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + if ( rc < 0 ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_UNIVERSAL_STR); + + return LDAP_SUCCESS; +} + +/* + * Component BER Decoder : VisibleString + */ +int +BDecComponentVisibleStringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ) { + return BDecComponentVisibleString ( mem_op, b, 0, 0, v, bytesDecoded, mode|CALL_TAG_DECODER ); +} + +int +BDecComponentVisibleString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ) +{ + char* peek_head; + int i, strLen, rc; + void* component_values; + ComponentVisibleString* k, **k2; + VisibleString result; + + k = (ComponentVisibleString*) v; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentVisibleString**) v; + *k2 = (ComponentVisibleString*) CompAlloc( mem_op, sizeof( ComponentVisibleString ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ( mode & CALL_TAG_DECODER ){ + mode = mode & CALL_CONTENT_DECODER; + rc = BDecVisibleString ( mem_op, b, &result, bytesDecoded ); + } else { + rc = BDecVisibleStringContent ( mem_op, b, tagId, len, &result, bytesDecoded ); + } + k->value = result; + k->comp_desc = get_component_description (BASICTYPE_VISIBLE_STR); + + return LDAP_SUCCESS; +} + +/* + * Routines for handling an ANY DEFINED Type + */ + +/* Check if the <select> type CR and the OID of the given ANY type */ +int +CheckSelectTypeCorrect ( void* mem_op, ComponentAnyInfo* cai, struct berval* select ) { + int strLen; + AttributeType* ad_type; + char* oid; + char* result; + + if ( IsNumericOid ( select->bv_val , select->bv_len ) ) { + oid = select->bv_val; + strLen = select->bv_len; + } else { + ad_type = at_bvfind( select ); + + if ( !ad_type ) + return LDAP_DECODING_ERROR; + + oid = ad_type->sat_atype.at_oid; + strLen = strlen ( oid ); + } + result = EncodeComponentOid ( mem_op, oid , &strLen ); + if ( !result || strLen <= 0 ) return (-1); + + if ( cai->oid.octetLen == strLen && + strncmp ( cai->oid.octs, result, strLen ) == 0 ) + return (1); + else + return (-1); +} + +int +SetAnyTypeByComponentOid ( ComponentAny *v, ComponentOid *id ) { + Hash hash; + void *anyInfo; + + /* use encoded oid as hash string */ + hash = MakeHash (id->value.octs, id->value.octetLen); + if (CheckForAndReturnValue (anyOidHashTblG, hash, &anyInfo)) + v->cai = (ComponentAnyInfo*) anyInfo; + else + v->cai = NULL; + + if ( !v->cai ) { + /* + * If not found, the data considered as octet chunk + * Yet-to-be-Implemented + */ + } + return LDAP_SUCCESS; +} + +void +SetAnyTypeByComponentInt( ComponentAny *v, ComponentInt id) { + Hash hash; + void *anyInfo; + + hash = MakeHash ((char*)&id, sizeof (id)); + if (CheckForAndReturnValue (anyIntHashTblG, hash, &anyInfo)) + v->cai = (ComponentAnyInfo*) anyInfo; + else + v->cai = NULL; +} + +int +GEncComponentAny ( GenBuf *b, ComponentAny *in ) +{ + if ( in->cai != NULL && in->cai->Encode != NULL ) + return in->cai->Encode(b, &in->value ); + else + return (-1); +} + +int +BEncComponentAny ( void* mem_op, GenBuf *b, ComponentAny *result, AsnLen *bytesDecoded, int mode) +{ + ComponentAny *k, **k2; + + k = (ComponentAny*) result; + + if ( !k ) return (-1); + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentAny**) result; + *k2 = (ComponentAny*) CompAlloc( mem_op, sizeof( ComponentAny ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ((result->cai != NULL) && (result->cai->BER_Decode != NULL)) { + result->value = (void*) CompAlloc ( mem_op, result->cai->size ); + if ( !result->value ) return 0; + result->cai->BER_Decode ( mem_op, b, result->value, (int*)bytesDecoded, DEC_ALLOC_MODE_1); + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentAny; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAny; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAny; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentAny; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_ANY; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAny; + return LDAP_SUCCESS; + } + else { + Asn1Error ("ERROR - Component ANY Decode routine is NULL\n"); + return 0; + } +} + +int +BDecComponentAny ( void* mem_op, GenBuf *b, ComponentAny *result, AsnLen *bytesDecoded, int mode) { + int rc; + ComponentAny *k, **k2; + + k = (ComponentAny*) result; + + if ( !k ) return (-1); + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentAny**) result; + *k2 = (ComponentAny*) CompAlloc( mem_op, sizeof( ComponentAny ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + + if ((result->cai != NULL) && (result->cai->BER_Decode != NULL)) { + result->cai->BER_Decode ( mem_op, b, (ComponentSyntaxInfo*)&result->value, (int*)bytesDecoded, DEC_ALLOC_MODE_0 ); + + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentAny; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAny; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAny; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentAny; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_ANY; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAny; + return LDAP_SUCCESS; + } + else { + Asn1Error ("ERROR - Component ANY Decode routine is NULL\n"); + return 0; + } +} + +int +GDecComponentAny ( void* mem_op, GenBuf *b, ComponentAny *result, AsnLen *bytesDecoded, int mode) { + ComponentAny *k, **k2; + + k = (ComponentAny*) result; + + if ( mode & DEC_ALLOC_MODE_0 ) { + k2 = (ComponentAny**) result; + *k2 = (ComponentAny*) CompAlloc( mem_op, sizeof( ComponentAny ) ); + if ( !*k2 ) return LDAP_DECODING_ERROR; + k = *k2; + } + if ((result->cai != NULL) && (result->cai->GSER_Decode != NULL)) { + result->value = (void*) CompAlloc ( mem_op, result->cai->size ); + if ( !result->value ) return 0; + result->cai->GSER_Decode ( mem_op, b, result->value, (int*)bytesDecoded, DEC_ALLOC_MODE_1); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !k->comp_desc ) { + if ( k ) CompFree ( mem_op, k ); + return LDAP_DECODING_ERROR; + } + k->comp_desc->cd_gser_encoder = (encoder_func*)GEncComponentAny; + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentAny; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentAny; + k->comp_desc->cd_free = (comp_free_func*)FreeComponentAny; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_extract_i = NULL; + k->comp_desc->cd_type_id = BASICTYPE_ANY; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentAny; + return LDAP_SUCCESS; + } + else { + Asn1Error ("ERROR - ANY Decode routine is NULL\n"); + return 0; + } +} + +int +MatchingComponentAny (char* oid, ComponentAny *result, ComponentAny *result2) { + void *comp1, *comp2; + + if ( result->comp_desc->cd_type_id == BASICTYPE_ANY ) + comp1 = result->value; + else + comp1 = result; + + if ( result2->comp_desc->cd_type_id == BASICTYPE_ANY ) + comp2 = result2->value; + else + comp2 = result2; + + if ((result->cai != NULL) && (result->cai->Match != NULL)) { + if ( result->comp_desc->cd_type_id == BASICTYPE_ANY ) + return result->cai->Match(oid, comp1, comp2 ); + else if ( result2->comp_desc->cd_type_id == BASICTYPE_ANY ) + return result2->cai->Match(oid, comp1, comp2); + else + return LDAP_INVALID_SYNTAX; + } + else { + Asn1Error ("ERROR - ANY Matching routine is NULL\n"); + return LDAP_INVALID_SYNTAX; + } +} + +void* +ExtractingComponentAny ( void* mem_op, ComponentReference* cr, ComponentAny *result ) { + if ((result->cai != NULL) && (result->cai->Extract != NULL)) { + return (void*) result->cai->Extract( mem_op, cr , result->value ); + } + else { + Asn1Error ("ERROR - ANY Extracting routine is NULL\n"); + return (void*)NULL; + } +} + +void +FreeComponentAny (ComponentAny* any) { + if ( any->cai != NULL && any->cai->Free != NULL ) { + any->cai->Free( any->value ); + free ( ((ComponentSyntaxInfo*)any->value)->csi_comp_desc ); + free ( any->value ); + } + else + Asn1Error ("ERROR - ANY Free routine is NULL\n"); +} + +void +InstallAnyByComponentInt (int anyId, ComponentInt intId, unsigned int size, + EncodeFcn encode, gser_decoder_func* G_decode, + ber_tag_decoder_func* B_decode, ExtractFcn extract, + MatchFcn match, FreeFcn free, + PrintFcn print) +{ + ComponentAnyInfo *a; + Hash h; + + a = (ComponentAnyInfo*) malloc(sizeof (ComponentAnyInfo)); + a->anyId = anyId; + a->oid.octs = NULL; + a->oid.octetLen = 0; + a->intId = intId; + a->size = size; + a->Encode = encode; + a->GSER_Decode = G_decode; + a->BER_Decode = B_decode; + a->Match = match; + a->Extract = extract; + a->Free = free; + a->Print = print; + + if (anyIntHashTblG == NULL) + anyIntHashTblG = InitHash(); + + h = MakeHash ((char*)&intId, sizeof (intId)); + + if(anyIntHashTblG != NULL) + Insert(anyIntHashTblG, a, h); +} + + +/* + * OID and its corresponding decoder can be registerd with this func. + * If contained types constrained by <select> are used, + * their OID and decoder MUST be registered, otherwise it will return no entry. + * An open type(ANY type) also need be registered. + */ +void +InstallOidDecoderMapping ( char* ch_oid, EncodeFcn encode, gser_decoder_func* G_decode, ber_tag_decoder_func* B_decode, ExtractFcn extract, MatchFcn match ) { + AsnOid oid; + int strLen; + void* mem_op; + + strLen = strlen( ch_oid ); + if( strLen <= 0 ) return; + mem_op = comp_nibble_memory_allocator ( 128, 16 ); + oid.octs = EncodeComponentOid ( mem_op, ch_oid, &strLen ); + oid.octetLen = strLen; + if( strLen <= 0 ) return; + + + InstallAnyByComponentOid ( 0, &oid, 0, encode, G_decode, B_decode, + extract, match, NULL, NULL); + comp_nibble_memory_free(mem_op); +} + +/* + * Look up Oid-decoder mapping table by berval have either + * oid or description + */ +OidDecoderMapping* +RetrieveOidDecoderMappingbyBV( struct berval* in ) { + if ( IsNumericOid ( in->bv_val, in->bv_len ) ) + return RetrieveOidDecoderMappingbyOid( in->bv_val, in->bv_len ); + else + return RetrieveOidDecoderMappingbyDesc( in->bv_val, in->bv_len ); +} + +/* + * Look up Oid-decoder mapping table by dotted OID + */ +OidDecoderMapping* +RetrieveOidDecoderMappingbyOid( char* ch_oid, int oid_len ) { + Hash hash; + void *anyInfo; + AsnOid oid; + int strLen; + void* mem_op; + + mem_op = comp_nibble_memory_allocator ( 128, 16 ); + oid.octs = EncodeComponentOid ( mem_op, ch_oid, &oid_len); + oid.octetLen = oid_len; + if( oid_len <= 0 ) { + comp_nibble_memory_free( mem_op ); + return NULL; + } + + /* use encoded oid as hash string */ + hash = MakeHash ( oid.octs, oid.octetLen); + comp_nibble_memory_free( mem_op ); + if (CheckForAndReturnValue (anyOidHashTblG, hash, &anyInfo)) + return (OidDecoderMapping*) anyInfo; + else + return (OidDecoderMapping*) NULL; + +} + +/* + * Look up Oid-decoder mapping table by description + */ +OidDecoderMapping* +RetrieveOidDecoderMappingbyDesc( char* desc, int desc_len ) { + Hash hash; + void *anyInfo; + AsnOid oid; + AttributeType* ad_type; + struct berval bv; + void* mem_op; + + bv.bv_val = desc; + bv.bv_len = desc_len; + ad_type = at_bvfind( &bv ); + + oid.octs = ad_type->sat_atype.at_oid; + oid.octetLen = strlen ( oid.octs ); + + if ( !ad_type ) + return (OidDecoderMapping*) NULL; + + mem_op = comp_nibble_memory_allocator ( 128, 16 ); + + oid.octs = EncodeComponentOid ( mem_op, oid.octs , (int*)&oid.octetLen ); + if( oid.octetLen <= 0 ) { + comp_nibble_memory_free( mem_op ); + return (OidDecoderMapping*) NULL; + } + + /* use encoded oid as hash string */ + hash = MakeHash ( oid.octs, oid.octetLen); + comp_nibble_memory_free( mem_op ); + if (CheckForAndReturnValue (anyOidHashTblG, hash, &anyInfo)) + return (OidDecoderMapping*) anyInfo; + else + return (OidDecoderMapping*) NULL; + +} +void +InstallAnyByComponentOid (int anyId, AsnOid *oid, unsigned int size, + EncodeFcn encode, gser_decoder_func* G_decode, + ber_tag_decoder_func* B_decode, ExtractFcn extract, + MatchFcn match, FreeFcn free, PrintFcn print) +{ + ComponentAnyInfo *a; + Hash h; + + a = (ComponentAnyInfo*) malloc (sizeof (ComponentAnyInfo)); + a->anyId = anyId; + if ( oid ) { + a->oid.octs = malloc( oid->octetLen ); + memcpy ( a->oid.octs, oid->octs, oid->octetLen ); + a->oid.octetLen = oid->octetLen; + } + a->size = size; + a->Encode = encode; + a->GSER_Decode = G_decode; + a->BER_Decode = B_decode; + a->Match = match; + a->Extract = extract; + a->Free = free; + a->Print = print; + + h = MakeHash (oid->octs, oid->octetLen); + + if (anyOidHashTblG == NULL) + anyOidHashTblG = InitHash(); + + if(anyOidHashTblG != NULL) + Insert(anyOidHashTblG, a, h); +} + +int +BDecComponentTop ( +ber_decoder_func *decoder _AND_ +void* mem_op _AND_ +GenBuf *b _AND_ +AsnTag tag _AND_ +AsnLen elmtLen _AND_ +void **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) { + tag = BDecTag ( b, bytesDecoded ); + elmtLen = BDecLen ( b, bytesDecoded ); + if ( elmtLen <= 0 ) return (-1); + if ( tag != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE) ) { + return (-1); + } + + return (*decoder)( mem_op, b, tag, elmtLen, (ComponentSyntaxInfo*)v,(int*)bytesDecoded, mode ); +} + +/* + * ASN.1 specification of a distinguished name + * DistinguishedName ::= RDNSequence + * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + * RelativeDistinguishedName ::= SET SIZE(1..MAX) OF AttributeTypeandValue + * AttributeTypeandValue ::= SEQUENCE { + * type AttributeType + * value AttributeValue + * } + * When dnMatch/rdnMatch is used in a component assertion value + * the component in DistinguishedName/RelativeDistinguishedName + * need to be converted to the LDAP encodings in RFC2253 + * in order to be matched against the assertion value + * If allComponentMatch is used, the assertion value may be + * decoded into the Internal Representation(Component Tree) + * by the corresponding GSER or BER decoder + * Following routine converts a component tree(DistinguishedName) into + * LDAP encodings in RFC2253 + * Example) + * IR : ComponentRDNSequence + * GSER : { { type cn, value sang },{ type o, value ibm}, {type c, value us} } + * LDAP Encodings : cn=sang,o=ibm,c=us + */ + +increment_bv_mem_by_size ( struct berval* in, int size ) { + int new_size = in->bv_len + size; + in->bv_val = realloc( in->bv_val, new_size ); + in->bv_len = new_size; +} + +int +ConvertBER2Desc( char* in, int size, struct berval* out, int* pos ) { + int desc_size; + char* desc_ptr; + unsigned int firstArcNum; + unsigned int arcNum; + int i, rc, start_pos = *pos; + char buf[MAX_OID_LEN]; + AttributeType *at; + struct berval bv_name; + + /*convert BER oid to desc*/ + for ( i = 0, arcNum = 0; (i < size) && (in[i] & 0x80 ); i++ ) + arcNum = (arcNum << 7) + (in[i] & 0x7f); + arcNum = (arcNum << 7) + (in[i] & 0x7f); + i++; + firstArcNum = (unsigned short)(arcNum/40); + if ( firstArcNum > 2 ) + firstArcNum = 2; + + arcNum = arcNum - (firstArcNum * 40 ); + + rc = intToAscii ( arcNum, buf ); + + /*check if the buffer can store the first/second arc and two dots*/ + if ( out->bv_len < *pos + 2 + 1 + rc ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + + if ( firstArcNum == 1) + out->bv_val[*pos] = '1'; + else + out->bv_val[*pos] = '2'; + (*pos)++; + out->bv_val[*pos] = '.'; + (*pos)++; + + memcpy( out->bv_val + *pos, buf, rc ); + *pos += rc; + out->bv_val[*pos] = '.'; + (*pos)++; + + for ( ; i < size ; ) { + for ( arcNum=0; (i < size) && (in[i] & 0x80) ; i++ ) + arcNum = (arcNum << 7) + (in[i] & 0x7f); + arcNum = (arcNum << 7) + (in[i] & 0x7f); + i++; + + rc = intToAscii ( arcNum, buf ); + + if ( out->bv_len < *pos + rc + 1 ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + + memcpy( out->bv_val + *pos, buf, rc ); + *pos += rc; + out->bv_val[*pos] = '.'; + (*pos)++; + } + (*pos)--;/*remove the last '.'*/ + + /* + * lookup OID database to locate desc + * then overwrite OID with desc in *out + * If failed to look up desc, OID form is used + */ + bv_name.bv_val = out->bv_val + start_pos; + bv_name.bv_len = *pos - start_pos; + at = at_bvfind( &bv_name ); + if ( !at ) + return LDAP_SUCCESS; + desc_size = at->sat_cname.bv_len; + memcpy( out->bv_val + start_pos, at->sat_cname.bv_val, desc_size ); + *pos = start_pos + desc_size; + return LDAP_SUCCESS; +} + +int +ConvertComponentAttributeTypeAndValue2RFC2253 ( irAttributeTypeAndValue* in, struct berval* out, int *pos ) { + int rc; + int value_size = ((ComponentUTF8String*)in->value.value)->value.octetLen; + char* value_ptr = ((ComponentUTF8String*)in->value.value)->value.octs; + + rc = ConvertBER2Desc( in->type.value.octs, in->type.value.octetLen, out, pos ); + if ( rc != LDAP_SUCCESS ) return rc; + if ( out->bv_len < *pos + 1/*for '='*/ ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + /*Between type and value, put '='*/ + out->bv_val[*pos] = '='; + (*pos)++; + + /*Assume it is string*/ + if ( out->bv_len < *pos + value_size ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + memcpy( out->bv_val + *pos, value_ptr, value_size ); + out->bv_len += value_size; + *pos += value_size; + + return LDAP_SUCCESS; +} + +int +ConvertRelativeDistinguishedName2RFC2253 ( irRelativeDistinguishedName* in, struct berval *out , int* pos) { + irAttributeTypeAndValue* attr_typeNvalue; + int rc; + + + FOR_EACH_LIST_ELMT( attr_typeNvalue, &in->comp_list) + { + rc = ConvertComponentAttributeTypeAndValue2RFC2253( attr_typeNvalue, out, pos ); + if ( rc != LDAP_SUCCESS ) return LDAP_INVALID_SYNTAX; + + if ( out->bv_len < *pos + 1/*for '+'*/ ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + /*between multivalued RDNs, put comma*/ + out->bv_val[(*pos)++] = '+'; + } + (*pos)--;/*remove the last '+'*/ + return LDAP_SUCCESS; +} + +int +ConvertRDN2RFC2253 ( irRelativeDistinguishedName* in, struct berval *out ) { + int rc, pos = 0; + out->bv_val = (char*)malloc( INITIAL_DN_SIZE ); + out->bv_len = INITIAL_DN_SIZE; + + rc = ConvertRelativeDistinguishedName2RFC2253 ( in, out , &pos); + if ( rc != LDAP_SUCCESS ) return rc; + out->bv_val[pos] = '\0'; + out->bv_len = pos; + return LDAP_SUCCESS; +} + +int +ConvertRDNSequence2RFC2253( irRDNSequence *in, struct berval* out ) { + irRelativeDistinguishedName* rdn_seq; + AsnList* seq = &in->comp_list; + int pos = 0, rc ; + + out->bv_val = (char*)malloc( INITIAL_DN_SIZE ); + out->bv_len = INITIAL_DN_SIZE; + + FOR_EACH_LIST_ELMT( rdn_seq, seq ) + { + rc = ConvertRelativeDistinguishedName2RFC2253( rdn_seq, out, &pos ); + if ( rc != LDAP_SUCCESS ) return LDAP_INVALID_SYNTAX; + + if ( out->bv_len < pos + 1/*for ','*/ ) + increment_bv_mem_by_size ( out, INCREMENT_SIZE ); + /*Between RDN, put comma*/ + out->bv_val[pos++] = ','; + } + pos--;/*remove the last '+'*/ + out->bv_val[pos] = '\0'; + out->bv_len =pos; + return LDAP_SUCCESS; +} + +#endif diff --git a/contrib/slapd-modules/comp_match/componentlib.h b/contrib/slapd-modules/comp_match/componentlib.h new file mode 100644 index 0000000..31bf375 --- /dev/null +++ b/contrib/slapd-modules/comp_match/componentlib.h @@ -0,0 +1,593 @@ +/* Copyright 2004 IBM Corporation + * All rights reserved. + * Redisribution and use in source and binary forms, with or without + * modification, are permitted only as authorizd by the OpenLADP + * Public License. + */ +/* ACKNOWLEDGEMENTS + * This work originally developed by Sang Seok Lim + * 2004/06/18 03:20:00 slim@OpenLDAP.org + */ + +#ifndef _H_COMPONENT_MODULE +#define _H_COMPONENT_MODULE + +#include "portable.h" +#include <ac/string.h> +#include <ac/socket.h> +#include <ldap_pvt.h> +#include "lutil.h" +#include <ldap.h> +#include <slap.h> +#include <component.h> + +#include <asn-incl.h> +#include "asn.h" +#include <asn-gser.h> +#include <string.h> + +#define MAX_IDENTIFIER_LEN 32 +#define COMPONENTNOT_NULL(ptr) ((ptr) != NULL) + +typedef struct slap_component_type { + /* + * Don't change the order of following fields + * They are identical the first 9 fields of + * AttributeType + */ + LDAPAttributeType ct_atype; + struct berval ct_cname; + struct slap_attribute_type *ct_sup; + struct slap_attribute_type **ct_subtypes; + MatchingRule *ct_equality; + MatchingRule *ct_approx; + MatchingRule *ct_ordering; + MatchingRule *ct_substr; + Syntax *ct_syntax; +} ComponentType; + + +/* + * BIT STRING + */ +typedef struct ComponentBits { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnBits value; +} ComponentBits; + +#define GASNBITS_PRESENT(abits) ((abits)->value.bits != NULL) +#define COMPONENTBITS_PRESENT(abits) ((abits)->value.bits != NULL) +int GEncComponentBits (GenBuf *b, ComponentBits* bits); +int GDecComponentBits (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentBits (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentBits (char* oid, ComponentSyntaxInfo *bits1 , ComponentSyntaxInfo* bits2); +#define ExtractingComponentBits( mem_op, cr,data ) NULL + +/* + * BMP String + */ +typedef struct ComponentBMPString { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + BMPString value; +} ComponentBMPString; + +int GEncComponentBMPString (GenBuf *b, ComponentBMPString* bmp); +int GDecComponentBMPString (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentBMPString (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentBMPString MatchingComponentOcts +#define ExtractingComponentBMPString( mem_op, cr, data ) NULL +#define FreeComponentBMPString FreeComponentOcts + +/* + * BOOLEAN + */ +typedef struct ComponentBool { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnBool value; +} ComponentBool; + +int GEncComponentBool (GenBuf *b, ComponentBool * bool ); +int GDecComponentBool ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentBool ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentBool (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentBool( mem_op, cr, data ) NULL +#define FreeComponentBool(v) NULL + +/* + * ENUMERTED + */ +typedef struct ComponentEnum { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnEnum value; + struct berval value_identifier;/*Why this value is defined here?*/ +} ComponentEnum; + +int GEncComponentEnum (GenBuf *b, ComponentEnum* comp_enum); +int GDecComponentEnum ( void* mem_op, GenBuf *a, void *result, AsnLen *bytesDecoded,int mode); +int BDecComponentEnum ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentEnum (char *oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo * b); +#define ExtractingComponentEnum( mem_op, cr, data ) NULL +#define FreeComponentEnum FreeComponentInt + +/* + * IA5 String + */ +typedef struct ComponentIA5String { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + IA5String value; +} ComponentIA5String; + +#define GEncComponentIA5String GEncComponentUTF8String +#define GDecComponentIA5String GDecComponentUTF8String +int +BDecComponentIA5StringTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ); +int BDecComponentIA5String ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentIA5String MatchingComponentOcts +#define ExtractingComponentIA5String(mem_op, cr,data) NULL +#define FreeComponentIA5String FreeComponentOcts + + +/* + * INTEGER + */ +typedef struct ComponentInt { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + int value; +} ComponentInt; + +#define GNOT_NULL(ptr) ((ptr) != NULL) +int GEncComponentInt (GenBuf *b, ComponentInt *comp_int); +int GDecComponentInt ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode ); +int BDecComponentInt ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentInt (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentInt(mem_op, cr,data) NULL +#define FreeComponentInt(v) NULL + +/* + * LIST Data Structure for C_LIST + */ +typedef struct ComponentList { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnList comp_list; +} ComponentList; + +/* + * NULL + */ +typedef struct ComponentNull { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnNull value; +} ComponentNull; + +int GEncComponentNull (GenBuf *b, ComponentNull* comp_null); +int GDecComponentNull ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentNull ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentNullTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ); +int MatchingComponentNull (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentNull(mem_op, cr, data) NULL +#define FreeComponentNull NULL + +/* + * Numeric String + */ +typedef struct ComponentNumericString { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + NumericString value; +} ComponentNumericString; + +#define GEncComponentNumericString GEncComponentUTF8String +#define GDecComponentNumericString GDecComponentUTF8String +int BDecComponentNumericString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentNumericString MatchingComponentOcts +#define ExtractingComponentNumericString(mem_op, cr,data) NULL +#define FreeComponentNumericString FreeComponentOcts + +/* + * OCTETS STRING + */ +typedef struct ComponentOcts { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnOcts value; +} ComponentOcts; + +#define GASNOCTS_PRESENT(aocts) ((aocts)->value.octs != NULL) +int GEncComponentOcts (GenBuf *b, ComponentOcts *octs); +int GDecComponentOcts (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentOctsTag ( void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ); +int BDecComponentOcts (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentOcts (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentOcts(mem_op,cr,data) NULL +void FreeComponentOcts( ComponentOcts* octs ); + +/* + * OID (Object Identifier) + */ +typedef struct ComponentOid { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnOid value; +} ComponentOid; + +#define GASNOID_PRESENT(aoid) ASNOCTS_PRESENT(aoid) +int GEncComponentOid (GenBuf *b, ComponentOid *oid); +int GDecComponentOid (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentOid (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentOid (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentOid(mem_op, cr, data) NULL +#define FreeComponentOid FreeComponentOcts + +/* + * Printable String + */ +typedef struct ComponentPrintableString{ + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + PrintableString value; +} ComponentPrintableString; +#define GEncComponentPrintableString GEncComponentUTF8String +#define GDecComponentPrintableString GDecComponentUTF8String +int BDecComponentPrintableString (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentPrintableStringTag (void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ); +#define MatchingComponentPrintableString MatchingComponentOcts +#define ExtractingComponentPrintableString(mem_op, cr, data) NULL +#define FreeComponentPrintableString FreeComponentOcts + +/* + * REAL + */ +typedef struct ComponentReal{ + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnReal value; +} ComponentReal; + +int GEncComponentReal (GenBuf *b, ComponentReal* comp_real); +int GDecComponentReal (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentReal (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentReal (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentReal( mem_op, cr, data ) NULL +#define FreeComponentReal(v) NULL + +/* + * Relative OID + */ + +typedef struct ComponentRelativeOid { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + AsnRelativeOid value; +} ComponentRelativeOid; + +int GEncComponentRelativeOid (GenBuf *b, ComponentRelativeOid *r_oid); +int GDecComponentRelativeOid ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentRelativeOid ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentRelativeOid (char* oid, ComponentSyntaxInfo *a, ComponentSyntaxInfo *b); +#define ExtractingComponentRelativeOid( mem_op, cr, data ) NULL +#define FreeComponentRelativeOid FreeComponentOid + +/* + * Teletex String + */ +typedef struct ComponentTeletexString { + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + TeletexString value; +} ComponentTeletexString; + +int GEncComponentTeletexString (GenBuf *b, ComponentTeletexString * tel_str); +int GDecComponentTeletexString ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode ); +int BDecComponentTeletexStringTag (void* mem_op, GenBuf *b, void *v, AsnLen *bytesDecoded, int mode ); +int BDecComponentTeletexString( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *v, AsnLen *bytesDecoded, int mode ); +#define MatchingComponentTeletexString MatchingComponentOcts +#define ExtractingComponentTeletexString(mem_op,cr,data) +#define FreeComponentTeletexString FreeComponentOcts + + +/* + * Universal String + */ +typedef struct ComponentUniversalString{ + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + UniversalString value; +} ComponentUniversalString; + +int GEncComponentUniversalString (GenBuf *b, ComponentUniversalString* uni_str); +int GDecComponentUniversalString ( void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentUniversalString ( void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentUniversalString MatchingComponentOcts +#define ExtractingComponentUniversalString(mem_op,cr,data) +#define FreeComponentUniversalString FreeComponentOcts + +/* + * UTF8 String + */ +typedef struct ComponentUTF8String{ + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + UTF8String value; +} ComponentUTF8String; + +int GEncComponentUTF8String (GenBuf *b, ComponentUTF8String * utf_str); +int GDecComponentUTF8String (void* mem_op, GenBuf *b, void *result, AsnLen *bytesDecoded, int mode); +int BDecComponentUTF8String (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentUTF8String MatchingComponentOcts +#define ExtractingComponentUTF8String(mem_op,cr,data) +#define FreeComponentUTF8String FreeComponentOcts + +/* + * Visible String + */ +typedef struct ComponentVisibleString{ + void* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + VisibleString value; +} ComponentVisibleString; + +#define GEncComponentVisibleString GEncComponentUTF8String +#define GDecComponentVisibleString GDecComponentUTF8String +int BDecComponentVisibleString (void* mem_op, GenBuf *b, AsnTag tagId, AsnLen len, void *result, AsnLen *bytesDecoded, int mode); +#define MatchingComponentVisibleString MatchingComponentOcts +#define ExtractingComponentVisibleString(mem_op,cr,data) +#define FreeComponentVisibleString FreeComponentOcts + +/* + * ANY and ANY DEFINED BY + */ + +typedef int (*MatchFcn) (char*, void*, void*); +typedef void* (*ExtractFcn) (void*, ComponentReference*, void * ); + +typedef struct ComponentAnyInfo +{ + int anyId; + AsnOid oid; + ComponentInt intId; + unsigned int size; + EncodeFcn Encode; + gser_decoder_func* GSER_Decode; + ber_tag_decoder_func* BER_Decode; + ExtractFcn Extract; + MatchFcn Match; + FreeFcn Free; + PrintFcn Print; +} ComponentAnyInfo; + +typedef struct ComponentAnyInfo OidDecoderMapping ; + +typedef struct ComponentAny{ + void* syntax; + ComponentDesc *comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentAnyInfo *cai; + void *value; +} ComponentAny; + +typedef ComponentAny ComponentAnyDefinedBy; + +#define BDecComponentAnyDefinedBy BDecComponentAny +#define GDecComponentAnyDefinedBy GDecComponentAny +#define MatchingComponentAnyDefinedBy MatchingComponentAny +#define FreeComponentAnyDefinedBy FreeComponentAny + +int GEncComponentAny (GenBuf *b, ComponentAny *comp_any); +int BDecComponentAny ( void* mem_op, GenBuf *b, ComponentAny *result, AsnLen *bytesDecoded, int mode); +int GDecComponentAny ( void* mem_op, GenBuf *b, ComponentAny *result, AsnLen *bytesDecoded, int mode); +int MatchingComponentAny (char* oid, ComponentAny *a, ComponentAny *b); +void FreeComponentAny ( ComponentAny*); + +void InstallAnyByComponentInt (int anyId, ComponentInt intId, unsigned int size, EncodeFcn encode, gser_decoder_func* G_decode, ber_tag_decoder_func B_decode, ExtractFcn extract, MatchFcn match, FreeFcn free, PrintFcn print); + +void InstallAnyByComponentOid (int anyId, AsnOid *oid, unsigned int size, EncodeFcn encode, gser_decoder_func* G_decode, ber_tag_decoder_func* B_decode, ExtractFcn extract, MatchFcn match, FreeFcn free, PrintFcn print); + +int CheckSelectTypeCorrect ( void* mem_op, ComponentAnyInfo *v, struct berval* select ); + +OidDecoderMapping* RetrieveOidDecoderMappingbyBV( struct berval* in ); +OidDecoderMapping* RetrieveOidDecoderMappingbyOid( char* ch_oid, int oid_len ); +OidDecoderMapping* RetrieveOidDecoderMappingbyDesc( char* desc, int desc_len ); +/* + * UTCTime + */ +typedef ComponentVisibleString ComponentUTCTime; +#define GEncComponentUTCTime GEncComponentUTF8String +#define GDecComponentUTCTime GDecComponentVisibleString +#define BDecComponentUTCTime BDecComponentOcts +#define MatchingComponentUTCTime MatchingComponentOcts +#define ExtractingComponentUTCTime(mem_op,cr,data) NULL +#define FreeComponentUTCTime FreeComponentOcts + +/* + * GeneralizedTime + */ +typedef ComponentVisibleString ComponentGeneralizedTime; +int GEncComponentGeneralizedTime (GenBuf *b, ComponentGeneralizedTime *gen_time); +#define GDecComponentGeneralizedTime GDecComponentVisibleString +#define BDecComponentGeneralizedTime BDecComponentOcts +#define MatchingComponentGeneralizedTime MatchingComponentOcts +#define ExtractingComponentGeneralizedTime(mem_op,cr,data) NULL +#define FreeComponentGeneralizedTime FreeComponentOcts + +typedef int converter_func LDAP_P (( + struct berval* in )); + +typedef struct asntype_to_syntax { + AsnTypeId ats_typeId; + /* Syntax Descriptor */ + char *ats_syn_name; + /* Syntax OID */ + char *ats_syn_oid; + Syntax *ats_syn; +} AsnTypetoSyntax; + +typedef struct asntype_to_comp_matchingrule { + AsnTypeId atc_typeId; + char* atc_equality; + char* atc_approx; + char* atc_ordering; + char* atc_substr; +} AsnTypetoCompMatchingRule; + +typedef struct asntype_to_comp_desc { + AsnTypeId atcd_typeId; + ComponentDesc atcd_cd; +} AsnTypetoCompDesc; + +typedef struct asntype_to_comp_type { + AsnTypeId ac_asn_id; + ComponentType ac_comp_type; +} AsnTypetoCompType; + +/* refined matching purpose */ +typedef struct asntype_to_matchingrule { + AsnTypeId atmr_typeId; + char* atmr_mr_name; + /*Implicitly corresponding LDAP syntax OID*/ + char* atmr_syn_oid; + MatchingRule *atmr_mr; +} AsnTypetoMatchingRule; + +typedef struct asntype_to_matchingrule_table { + char* atmr_oid; + struct asntype_to_matchingrule atmr_table[ASNTYPE_END]; + struct asntype_to_matchingrule_table* atmr_table_next; +} AsnTypetoMatchingRuleTable; + +#define MAX_OID_LEN 256 +#define MAX_OD_ENTRY 8 + +/* + * Object Identifier and corresponding Syntax Decoder Table + */ +typedef struct OID_Decoder_entry { + char oe_oid[MAX_OID_LEN]; + gser_decoder_func* oe_gser_decoder; + ber_decoder_func* oe_ber_decoder; + converter_func* oe_converter; + struct OID_Decoder_entry* oe_next; + struct OID_Decoder_entry* oe_prev; +} OD_entry; + +void +m_convert_asn_to_ldap ( ComponentSyntaxInfo* csi, struct berval* bv); +int +m_convert_assert_to_comp ( gser_decoder_func* decoder, struct berval* bv, + ComponentSyntaxInfo** csi, int len, int mode ); +void* +m_convert_attr_to_comp ( Attribute* a, struct berval* bv ); + +/* + * Decoder Modes + * Different operation is required to handle Decoding(2), Extracted Component + * decoding(0), ANY DEFINED TYPe(2) + * b0 : Component Alloc(yes) + * Constructed type : Component Alloc (Yes) + * Primitive type : Component Alloc (Yes) + * set to mode 2 in inner decoders + * b1 : Component Alloc (No) + * Constructed type : Component Alloc (No) + * Primitive type : Component Alloc (No) + * set to mode 2 in inner decoders + * b2 : Default Mode + * Constructed type : Component Alloc (Yes) + * Primitive type : Component Alloc (No) + * in addition to above modes, the 4th bit has special meaning, + * b4 : if the 4th bit is clear, DecxxxContent is called + * b4 : if the 4th bit is set, Decxxx is called, then it is cleared. + */ +#define DEC_ALLOC_MODE_0 0x01 +#define DEC_ALLOC_MODE_1 0x02 +#define DEC_ALLOC_MODE_2 0x04 +#define CALL_TAG_DECODER 0x08 +#define CALL_CONTENT_DECODER ~0x08 + +#define OID_ALL_COMP_MATCH "1.2.36.79672281.1.13.6" +#define OID_COMP_FILTER_MATCH "1.2.36.79672281.1.13.2" +#define MAX_LDAP_STR_LEN 128 + +MatchingRule* +retrieve_matching_rule( char* mr_oid, AsnTypeId type ); + +#define INITIAL_DN_SIZE 128 +#define INITIAL_ATTR_SIZE 256 +#define INCREMENT_SIZE 32 +/* + * Followings are for conversion from ASN.1 RDN and DN to + * LDAP encodings + */ +#define MAX_ALIASING_ENTRY 128 +int increment_bv_mem ( struct berval* in ); +int intToAscii ( int value, char* buf ); +typedef ComponentList irRDNSequence; +typedef ComponentList irRelativeDistinguishedName; +typedef ComponentOid irAttributeType; +typedef struct comp_irAttributeTypeAndValue /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + irAttributeType type; /* AttributeType */ + ComponentAnyDefinedBy value; /* ANY DEFINED BY type */ +} irAttributeTypeAndValue; +#define RDN_MATCH_OID "1.2.36.79672281.1.13.3" +#define DN_MATCH_OID "2.5.13.1" + +extern AsnTypetoSyntax asn_to_syntax_mapping_tbl[]; +extern AsnTypetoCompMatchingRule asntype_to_compMR_mapping_tbl[]; +extern AsnTypetoCompType asntype_to_compType_mapping_tbl[]; +extern AsnTypetoCompDesc asntype_to_compdesc_mapping_tbl[]; + +int ConvertRDN2RFC2253 ( irRelativeDistinguishedName* in, struct berval *out ); +int ConvertRDNSequence2RFC2253( irRDNSequence *in, struct berval* out ); + +void* comp_nibble_memory_allocator ( int init_mem, int inc_mem ); + +ComponentDesc* get_ComponentDesc( int id ); +#endif diff --git a/contrib/slapd-modules/comp_match/crl.c b/contrib/slapd-modules/comp_match/crl.c new file mode 100644 index 0000000..abd82cd --- /dev/null +++ b/contrib/slapd-modules/comp_match/crl.c @@ -0,0 +1,1294 @@ +/* + * crl.c + * "CertificateRevokationList" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Fri Jan 21 11:25:24 2005 + * The generated files are supposed to be compiled as a module for OpenLDAP Software + */ + +#include "crl.h" + +BDecComponentCertificateListTop( void* mem_op, GenBuf* b, void *v, AsnLen* bytesDecoded,int mode) { + AsnTag tag; + AsnLen elmtLen; + + tag = BDecTag ( b, bytesDecoded ); + elmtLen = BDecLen ( b, bytesDecoded ); + if ( elmtLen <= 0 ) return (-1); + if ( tag != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE) ) { + return (-1); + } + + return BDecComponentCertificateList( mem_op, b, tag, elmtLen, ( ComponentCertificateList**)v, (AsnLen*)bytesDecoded, mode ); +} + + +void init_module_CertificateRevokationList() { + InstallOidDecoderMapping( "2.5.4.39", NULL, + GDecComponentCertificateList, + BDecComponentCertificateListTop, + ExtractingComponentCertificateList, + MatchingComponentCertificateList); +} + +int +MatchingComponentTBSCertListSeqOfSeq ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentCertificateSerialNumber ( oid, (ComponentSyntaxInfo*)&((ComponentTBSCertListSeqOfSeq*)csi_attr)->userCertificate, (ComponentSyntaxInfo*)&((ComponentTBSCertListSeqOfSeq*)csi_assert)->userCertificate ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentTime ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertListSeqOfSeq*)csi_attr)->revocationDate, (ComponentSyntaxInfo*)((ComponentTBSCertListSeqOfSeq*)csi_assert)->revocationDate ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + if(COMPONENTNOT_NULL( ((ComponentTBSCertListSeqOfSeq*)csi_attr)->crlEntryExtensions ) ) { + rc = MatchingComponentExtensions ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertListSeqOfSeq*)csi_attr)->crlEntryExtensions, (ComponentSyntaxInfo*)((ComponentTBSCertListSeqOfSeq*)csi_assert)->crlEntryExtensions ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentTBSCertListSeqOfSeq */ + +void* +ExtractingComponentTBSCertListSeqOfSeq ( void* mem_op, ComponentReference* cr, ComponentTBSCertListSeqOfSeq *comp ) +{ + + if ( ( comp->userCertificate.identifier.bv_val && strncmp(comp->userCertificate.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->userCertificate.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->userCertificate; + else + return NULL; + } + if ( ( comp->revocationDate->identifier.bv_val && strncmp(comp->revocationDate->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->revocationDate->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->revocationDate; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTime ( mem_op, cr, comp->revocationDate ); + } + } + if ( ( comp->crlEntryExtensions->identifier.bv_val && strncmp(comp->crlEntryExtensions->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->crlEntryExtensions->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->crlEntryExtensions; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentExtensions ( mem_op, cr, comp->crlEntryExtensions ); + } + } + return NULL; +} /* ExtractingComponentTBSCertListSeqOfSeq */ + +int +BDecComponentTBSCertListSeqOfSeq PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentTBSCertListSeqOfSeq **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentTBSCertListSeqOfSeq *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, INTEGER_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentCertificateSerialNumber (mem_op, b, tagId1, elmtLen1, (&k->userCertificate), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->userCertificate)->identifier.bv_val = (&k->userCertificate)->id_buf; + (&k->userCertificate)->identifier.bv_len = strlen("userCertificate"); + strcpy( (&k->userCertificate)->identifier.bv_val, "userCertificate"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE)) || + (tagId1 ==MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE))|| + (tagId1 == MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTime (mem_op, b, tagId1, elmtLen1, (&k->revocationDate), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->revocationDate)->identifier.bv_val = (k->revocationDate)->id_buf; + (k->revocationDate)->identifier.bv_len = strlen("revocationDate"); + strcpy( (k->revocationDate)->identifier.bv_val, "revocationDate"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + else + return -1; + + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentExtensions (mem_op, b, tagId1, elmtLen1, (&k->crlEntryExtensions), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->crlEntryExtensions)->identifier.bv_val = (k->crlEntryExtensions)->id_buf; + (k->crlEntryExtensions)->identifier.bv_len = strlen("crlEntryExtensions"); + strcpy( (k->crlEntryExtensions)->identifier.bv_val, "crlEntryExtensions"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertListSeqOfSeq*) CompAlloc( mem_op, sizeof(ComponentTBSCertListSeqOfSeq) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertListSeqOfSeq ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertListSeqOfSeq ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertListSeqOfSeq; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertListSeqOfSeq; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecTBSCertListSeqOfSeq*/ + +int +GDecComponentTBSCertListSeqOfSeq PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentTBSCertListSeqOfSeq **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentTBSCertListSeqOfSeq *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "userCertificate", strlen("userCertificate") ) == 0 ) { + rc = GDecComponentCertificateSerialNumber (mem_op, b, (&k->userCertificate), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->userCertificate)->identifier.bv_val = peek_head; + (&k->userCertificate)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "revocationDate", strlen("revocationDate") ) == 0 ) { + rc = GDecComponentTime (mem_op, b, (&k->revocationDate), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->revocationDate)->identifier.bv_val = peek_head; + ( k->revocationDate)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "crlEntryExtensions", strlen("crlEntryExtensions") ) == 0 ) { + rc = GDecComponentExtensions (mem_op, b, (&k->crlEntryExtensions), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->crlEntryExtensions)->identifier.bv_val = peek_head; + ( k->crlEntryExtensions)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertListSeqOfSeq*) CompAlloc( mem_op, sizeof(ComponentTBSCertListSeqOfSeq) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertListSeqOfSeq ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertListSeqOfSeq ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertListSeqOfSeq; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertListSeqOfSeq; + return LDAP_SUCCESS; +} /* GDecTBSCertListSeqOfSeq*/ + + +int +MatchingComponentTBSCertListSeqOf ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + void* component1, *component2; + AsnList *v1, *v2, t_list; + + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + v1 = &((ComponentTBSCertListSeqOf*)csi_attr)->comp_list; + v2 = &((ComponentTBSCertListSeqOf*)csi_assert)->comp_list; + FOR_EACH_LIST_PAIR_ELMT(component1, component2, v1, v2) + { + if( MatchingComponentTBSCertListSeqOfSeq(oid, (ComponentSyntaxInfo*)component1, (ComponentSyntaxInfo*)component2) == LDAP_COMPARE_FALSE) { + return LDAP_COMPARE_FALSE; + } + } /* end of for */ + + AsnListFirst( v1 ); + AsnListFirst( v2 ); + if( (!component1 && component2) || (component1 && !component2)) + return LDAP_COMPARE_FALSE; + else + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentTBSCertListSeqOfContent */ + +void* +ExtractingComponentTBSCertListSeqOf ( void* mem_op, ComponentReference* cr, ComponentTBSCertListSeqOf *comp ) +{ + int count = 0; + int total; + AsnList *v = &comp->comp_list; + ComponentInt *k; + ComponentTBSCertListSeqOfSeq *component; + + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_FROM_BEGINNING : + count = cr->cr_curr->ci_val.ci_from_beginning; + FOR_EACH_LIST_ELMT( component , v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTBSCertListSeqOfSeq ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_FROM_END : + total = AsnListCount ( v ); + count = cr->cr_curr->ci_val.ci_from_end; + count = total + count +1; + FOR_EACH_LIST_ELMT ( component, v ) { + if( --count == 0 ) { + if( cr->cr_curr->ci_next == NULL ) + return component; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTBSCertListSeqOfSeq ( mem_op, cr, component ); + } + } + } + break; + case LDAP_COMPREF_ALL : + return comp; + case LDAP_COMPREF_COUNT : + k = (ComponentInt*)CompAlloc( mem_op, sizeof(ComponentInt)); + k->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + k->comp_desc->cd_tag = (-1); + k->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentInt; + k->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentInt; + k->comp_desc->cd_extract_i = (extract_component_from_id_func*)NULL; + k->comp_desc->cd_type = ASN_BASIC; + k->comp_desc->cd_type_id = BASICTYPE_INTEGER; + k->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentInt; + k->value = AsnListCount(v); + return k; + default : + return NULL; + } +} /* ExtractingComponentTBSCertListSeqOf */ + +int +BDecComponentTBSCertListSeqOf PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentTBSCertListSeqOf **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentTBSCertListSeqOf *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit(&k->comp_list,sizeof(ComponentTBSCertListSeqOfSeq)); + for (totalElmtsLen1 = 0; (totalElmtsLen1 < elmtLen0) || (elmtLen0 == INDEFINITE_LEN);) + { + ComponentTBSCertListSeqOfSeq **tmpVar; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((tagId1 == EOC_TAG_ID) && (elmtLen0 == INDEFINITE_LEN)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + break; /* got EOC so can exit this SET OF/SEQ OF's for loop*/ + } + if ((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tmpVar = (ComponentTBSCertListSeqOfSeq**) CompAsnListAppend (mem_op,&k->comp_list); + rc = BDecComponentTBSCertListSeqOfSeq (mem_op, b, tagId1, elmtLen1, tmpVar, &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of tag check if */ + else /* wrong tag */ + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertListSeqOf*) CompAlloc( mem_op, sizeof(ComponentTBSCertListSeqOf) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertListSeqOf ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertListSeqOf ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertListSeqOf; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertListSeqOf; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecTBSCertListSeqOfContent */ + +int +GDecComponentTBSCertListSeqOf PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentTBSCertListSeqOf **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentTBSCertListSeqOf *k,*t, c_temp; + + + int ElmtsLen1; + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + AsnListInit( &k->comp_list, sizeof( ComponentTBSCertListSeqOfSeq ) ); + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_PEEK)) ){ + Asn1Error("Error during Reading { in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + for (ElmtsLen1 = 0; ElmtsLen1 >= INDEFINITE_LEN; ElmtsLen1++) + { + ComponentTBSCertListSeqOfSeq **tmpVar; + if( !(strLen = LocateNextGSERToken(mem_op,b, &peek_head, GSER_NO_COPY)) ){ + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head == '}') break; + if( !(*peek_head == '{' || *peek_head ==',') ) { + return LDAP_PROTOCOL_ERROR; + } + tmpVar = (ComponentTBSCertListSeqOfSeq**) CompAsnListAppend (mem_op, &k->comp_list); + if ( tmpVar == NULL ) { + Asn1Error("Error during Reading{ in encoding"); + return LDAP_PROTOCOL_ERROR; + } + rc = GDecComponentTBSCertListSeqOfSeq (mem_op, b, tmpVar, bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + } /* end of for */ + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertListSeqOf*) CompAlloc( mem_op, sizeof(ComponentTBSCertListSeqOf) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertListSeqOf ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertListSeqOf ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertListSeqOf; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertListSeqOf; + return LDAP_SUCCESS; +} /* GDecTBSCertListSeqOfContent */ + +int +MatchingComponentTBSCertList ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + if(COMPONENTNOT_NULL( ((ComponentTBSCertList*)csi_attr)->version ) ) { + rc = MatchingComponentVersion ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->version, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->version ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + rc = MatchingComponentAlgorithmIdentifier ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->signature, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->signature ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentName ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->issuer, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->issuer ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentTime ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->thisUpdate, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->thisUpdate ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + if(COMPONENTNOT_NULL( ((ComponentTBSCertList*)csi_attr)->nextUpdate ) ) { + rc = MatchingComponentTime ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->nextUpdate, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->nextUpdate ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + rc = MatchingComponentTBSCertListSeqOf ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->revokedCertificates, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->revokedCertificates ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + if(COMPONENTNOT_NULL( ((ComponentTBSCertList*)csi_attr)->crlExtensions ) ) { + rc = MatchingComponentExtensions ( oid, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_attr)->crlExtensions, (ComponentSyntaxInfo*)((ComponentTBSCertList*)csi_assert)->crlExtensions ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + } + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentTBSCertList */ + +void* +ExtractingComponentTBSCertList ( void* mem_op, ComponentReference* cr, ComponentTBSCertList *comp ) +{ + + if ( ( comp->version->identifier.bv_val && strncmp(comp->version->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->version->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->version; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentVersion ( mem_op, cr, comp->version ); + } + } + if ( ( comp->signature->identifier.bv_val && strncmp(comp->signature->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signature->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->signature; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAlgorithmIdentifier ( mem_op, cr, comp->signature ); + } + } + if ( ( comp->issuer->identifier.bv_val && strncmp(comp->issuer->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->issuer->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->issuer; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentName ( mem_op, cr, comp->issuer ); + } + } + if ( ( comp->thisUpdate->identifier.bv_val && strncmp(comp->thisUpdate->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->thisUpdate->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->thisUpdate; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTime ( mem_op, cr, comp->thisUpdate ); + } + } + if ( ( comp->nextUpdate->identifier.bv_val && strncmp(comp->nextUpdate->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->nextUpdate->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->nextUpdate; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTime ( mem_op, cr, comp->nextUpdate ); + } + } + if ( ( comp->revokedCertificates->identifier.bv_val && strncmp(comp->revokedCertificates->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->revokedCertificates->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->revokedCertificates; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTBSCertListSeqOf ( mem_op, cr, comp->revokedCertificates ); + } + } + if ( ( comp->crlExtensions->identifier.bv_val && strncmp(comp->crlExtensions->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->crlExtensions->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->crlExtensions; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentExtensions ( mem_op, cr, comp->crlExtensions ); + } + } + return NULL; +} /* ExtractingComponentTBSCertList */ + +int +BDecComponentTBSCertList PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentTBSCertList **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + AsnLen totalElmtsLen2 = 0; + AsnLen elmtLen2; + AsnTag tagId2; + int old_mode = mode; + int rc; + ComponentTBSCertList *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, INTEGER_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentVersion (mem_op, b, tagId1, elmtLen1, (&k->version), &totalElmtsLen1, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + (k->version)->identifier.bv_val = (k->version)->id_buf; + (k->version)->identifier.bv_len = strlen("version"); + strcpy( (k->version)->identifier.bv_val, "version"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAlgorithmIdentifier (mem_op, b, tagId1, elmtLen1, (&k->signature), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->signature)->identifier.bv_val = (k->signature)->id_buf; + (k->signature)->identifier.bv_len = strlen("signature"); + strcpy( (k->signature)->identifier.bv_val, "signature"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentName (mem_op, b, tagId1, elmtLen1, (&k->issuer), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->issuer)->identifier.bv_val = (k->issuer)->id_buf; + (k->issuer)->identifier.bv_len = strlen("issuer"); + strcpy( (k->issuer)->identifier.bv_val, "issuer"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE)) || + (tagId1 ==MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE))|| + (tagId1 == MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTime (mem_op, b, tagId1, elmtLen1, (&k->thisUpdate), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->thisUpdate)->identifier.bv_val = (k->thisUpdate)->id_buf; + (k->thisUpdate)->identifier.bv_len = strlen("thisUpdate"); + strcpy( (k->thisUpdate)->identifier.bv_val, "thisUpdate"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, UTCTIME_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, UTCTIME_TAG_CODE)) || + (tagId1 ==MAKE_TAG_ID (UNIV, PRIM, GENERALIZEDTIME_TAG_CODE))|| + (tagId1 == MAKE_TAG_ID (UNIV, CONS, GENERALIZEDTIME_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTime (mem_op, b, tagId1, elmtLen1, (&k->nextUpdate), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->nextUpdate)->identifier.bv_val = (k->nextUpdate)->id_buf; + (k->nextUpdate)->identifier.bv_len = strlen("nextUpdate"); + strcpy( (k->nextUpdate)->identifier.bv_val, "nextUpdate"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTBSCertListSeqOf (mem_op, b, tagId1, elmtLen1, (&k->revokedCertificates), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->revokedCertificates)->identifier.bv_val = (k->revokedCertificates)->id_buf; + (k->revokedCertificates)->identifier.bv_len = strlen("revokedCertificates"); + strcpy( (k->revokedCertificates)->identifier.bv_val, "revokedCertificates"); + if ((elmtLen0 != INDEFINITE_LEN) && (totalElmtsLen1 == elmtLen0)) + seqDone = TRUE; + else + { + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if ((elmtLen0 == INDEFINITE_LEN) && (tagId1 == EOC_TAG_ID)) + { + BDEC_2ND_EOC_OCTET (b, &totalElmtsLen1 ) + seqDone = TRUE; + } + } + } + else + return -1; + + + + if ((!seqDone) && ((tagId1 == MAKE_TAG_ID (CNTX, CONS, 0)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + tagId2 = BDecTag (b, &totalElmtsLen1 ); + + if (tagId2 != MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)) + { + Asn1Error ("Unexpected Tag\n"); + return -1; + } + + elmtLen2 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentExtensions (mem_op, b, tagId2, elmtLen2, (&k->crlExtensions), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->crlExtensions)->identifier.bv_val = (k->crlExtensions)->id_buf; + (k->crlExtensions)->identifier.bv_len = strlen("crlExtensions"); + strcpy( (k->crlExtensions)->identifier.bv_val, "crlExtensions"); + if (elmtLen1 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertList*) CompAlloc( mem_op, sizeof(ComponentTBSCertList) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertList ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertList ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertList; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertList; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecTBSCertList*/ + +int +GDecComponentTBSCertList PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentTBSCertList **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentTBSCertList *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "version", strlen("version") ) == 0 ) { + rc = GDecComponentVersion (mem_op, b, (&k->version), bytesDecoded, DEC_ALLOC_MODE_0 ); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->version)->identifier.bv_val = peek_head; + ( k->version)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signature", strlen("signature") ) == 0 ) { + rc = GDecComponentAlgorithmIdentifier (mem_op, b, (&k->signature), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->signature)->identifier.bv_val = peek_head; + ( k->signature)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "issuer", strlen("issuer") ) == 0 ) { + rc = GDecComponentName (mem_op, b, (&k->issuer), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->issuer)->identifier.bv_val = peek_head; + ( k->issuer)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "thisUpdate", strlen("thisUpdate") ) == 0 ) { + rc = GDecComponentTime (mem_op, b, (&k->thisUpdate), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->thisUpdate)->identifier.bv_val = peek_head; + ( k->thisUpdate)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "nextUpdate", strlen("nextUpdate") ) == 0 ) { + rc = GDecComponentTime (mem_op, b, (&k->nextUpdate), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->nextUpdate)->identifier.bv_val = peek_head; + ( k->nextUpdate)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "revokedCertificates", strlen("revokedCertificates") ) == 0 ) { + rc = GDecComponentTBSCertListSeqOf (mem_op, b, (&k->revokedCertificates), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->revokedCertificates)->identifier.bv_val = peek_head; + ( k->revokedCertificates)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "crlExtensions", strlen("crlExtensions") ) == 0 ) { + rc = GDecComponentExtensions (mem_op, b, (&k->crlExtensions), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->crlExtensions)->identifier.bv_val = peek_head; + ( k->crlExtensions)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentTBSCertList*) CompAlloc( mem_op, sizeof(ComponentTBSCertList) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentTBSCertList ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentTBSCertList ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentTBSCertList; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentTBSCertList; + return LDAP_SUCCESS; +} /* GDecTBSCertList*/ + + +int +MatchingComponentCertificateList ( char* oid, ComponentSyntaxInfo* csi_attr, ComponentSyntaxInfo* csi_assert ) { + int rc; + MatchingRule* mr; + + if ( oid ) { + mr = retrieve_matching_rule( oid, csi_attr->csi_comp_desc->cd_type_id); + if ( mr ) return component_value_match( mr, csi_attr, csi_assert ); + } + + rc = 1; + rc = MatchingComponentTBSCertList ( oid, (ComponentSyntaxInfo*)((ComponentCertificateList*)csi_attr)->tbsCertList, (ComponentSyntaxInfo*)((ComponentCertificateList*)csi_assert)->tbsCertList ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentAlgorithmIdentifier ( oid, (ComponentSyntaxInfo*)((ComponentCertificateList*)csi_attr)->signatureAlgorithm, (ComponentSyntaxInfo*)((ComponentCertificateList*)csi_assert)->signatureAlgorithm ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + rc = MatchingComponentBits ( oid, (ComponentSyntaxInfo*)&((ComponentCertificateList*)csi_attr)->signature, (ComponentSyntaxInfo*)&((ComponentCertificateList*)csi_assert)->signature ); + if ( rc != LDAP_COMPARE_TRUE ) + return rc; + return LDAP_COMPARE_TRUE; +} /* BMatchingComponentCertificateList */ + +void* +ExtractingComponentCertificateList ( void* mem_op, ComponentReference* cr, ComponentCertificateList *comp ) +{ + + if ( ( comp->tbsCertList->identifier.bv_val && strncmp(comp->tbsCertList->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->tbsCertList->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->tbsCertList; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentTBSCertList ( mem_op, cr, comp->tbsCertList ); + } + } + if ( ( comp->signatureAlgorithm->identifier.bv_val && strncmp(comp->signatureAlgorithm->identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signatureAlgorithm->id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return comp->signatureAlgorithm; + else { + cr->cr_curr = cr->cr_curr->ci_next; + return ExtractingComponentAlgorithmIdentifier ( mem_op, cr, comp->signatureAlgorithm ); + } + } + if ( ( comp->signature.identifier.bv_val && strncmp(comp->signature.identifier.bv_val, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) || ( strncmp(comp->signature.id_buf, cr->cr_curr->ci_val.ci_identifier.bv_val,cr->cr_curr->ci_val.ci_identifier.bv_len) == 0 ) ) { + if ( cr->cr_curr->ci_next == NULL ) + return &comp->signature; + else if ( cr->cr_curr->ci_next->ci_type == LDAP_COMPREF_CONTENT) { + cr->cr_curr = cr->cr_curr->ci_next; + return &comp->signature; + } else { + return NULL; + } + } + return NULL; +} /* ExtractingComponentCertificateList */ + +int +BDecComponentCertificateList PARAMS ((b, tagId0, elmtLen0, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +AsnTag tagId0 _AND_ +AsnLen elmtLen0 _AND_ +ComponentCertificateList **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + int seqDone = FALSE; + AsnLen totalElmtsLen1 = 0; + AsnLen elmtLen1; + AsnTag tagId1; + int mandatoryElmtCount1 = 0; + int old_mode = mode; + int rc; + ComponentCertificateList *k, *t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + tagId1 = BDecTag (b, &totalElmtsLen1 ); + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentTBSCertList (mem_op, b, tagId1, elmtLen1, (&k->tbsCertList), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->tbsCertList)->identifier.bv_val = (k->tbsCertList)->id_buf; + (k->tbsCertList)->identifier.bv_len = strlen("tbsCertList"); + strcpy( (k->tbsCertList)->identifier.bv_val, "tbsCertList"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, CONS, SEQ_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentAlgorithmIdentifier (mem_op, b, tagId1, elmtLen1, (&k->signatureAlgorithm), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (k->signatureAlgorithm)->identifier.bv_val = (k->signatureAlgorithm)->id_buf; + (k->signatureAlgorithm)->identifier.bv_len = strlen("signatureAlgorithm"); + strcpy( (k->signatureAlgorithm)->identifier.bv_val, "signatureAlgorithm"); + tagId1 = BDecTag (b, &totalElmtsLen1); + } + else + return -1; + + + + if (((tagId1 == MAKE_TAG_ID (UNIV, PRIM, BITSTRING_TAG_CODE)) || +(tagId1 == MAKE_TAG_ID (UNIV, CONS, BITSTRING_TAG_CODE)))) + { + elmtLen1 = BDecLen (b, &totalElmtsLen1 ); + rc = BDecComponentBits (mem_op, b, tagId1, elmtLen1, (&k->signature), &totalElmtsLen1, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->signature)->identifier.bv_val = (&k->signature)->id_buf; + (&k->signature)->identifier.bv_len = strlen("signature"); + strcpy( (&k->signature)->identifier.bv_val, "signature"); + seqDone = TRUE; + if (elmtLen0 == INDEFINITE_LEN) + BDecEoc (b, &totalElmtsLen1 ); + else if (totalElmtsLen1 != elmtLen0) + return -1; + + } + else + return -1; + + + + if (!seqDone) + return -1; + + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentCertificateList*) CompAlloc( mem_op, sizeof(ComponentCertificateList) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentCertificateList ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentCertificateList ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentCertificateList; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentCertificateList; + (*bytesDecoded) += totalElmtsLen1; + return LDAP_SUCCESS; +} /* BDecCertificateList*/ + +int +GDecComponentCertificateList PARAMS (( mem_op,b, v, bytesDecoded, mode), +void* mem_op _AND_ +GenBuf * b _AND_ +ComponentCertificateList **v _AND_ +AsnLen *bytesDecoded _AND_ +int mode) +{ + char* peek_head,*peek_head2; + int i, strLen,strLen2, rc, old_mode = mode; + ComponentCertificateList *k,*t, c_temp; + + + if ( !(mode & DEC_ALLOC_MODE_1) ) { + memset(&c_temp,0,sizeof(c_temp)); + k = &c_temp; + } else + k = t = *v; + mode = DEC_ALLOC_MODE_2; + *bytesDecoded = 0; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '{'){ + Asn1Error("Missing { in encoded data"); + return LDAP_PROTOCOL_ERROR; + } + + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + if ( strncmp( peek_head, "tbsCertList", strlen("tbsCertList") ) == 0 ) { + rc = GDecComponentTBSCertList (mem_op, b, (&k->tbsCertList), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->tbsCertList)->identifier.bv_val = peek_head; + ( k->tbsCertList)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signatureAlgorithm", strlen("signatureAlgorithm") ) == 0 ) { + rc = GDecComponentAlgorithmIdentifier (mem_op, b, (&k->signatureAlgorithm), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + ( k->signatureAlgorithm)->identifier.bv_val = peek_head; + ( k->signatureAlgorithm)->identifier.bv_len = strLen; + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading , "); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != ','){ + Asn1Error("Missing , in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ){ + Asn1Error("Error during Reading identifier"); + return LDAP_PROTOCOL_ERROR; + } + } + if ( strncmp( peek_head, "signature", strlen("signature") ) == 0 ) { + rc = GDecComponentBits (mem_op, b, (&k->signature), bytesDecoded, mode); + if ( rc != LDAP_SUCCESS ) return rc; + (&k->signature)->identifier.bv_val = peek_head; + (&k->signature)->identifier.bv_len = strLen; + } + if( !(strLen = LocateNextGSERToken(mem_op,b,&peek_head,GSER_NO_COPY)) ) { + Asn1Error("Error during Reading } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if(*peek_head != '}'){ + Asn1Error("Missing } in encoding"); + return LDAP_PROTOCOL_ERROR; + } + if( !(old_mode & DEC_ALLOC_MODE_1) ) { + *v = t = (ComponentCertificateList*) CompAlloc( mem_op, sizeof(ComponentCertificateList) ); + if ( !t ) return -1; + *t = *k; + } + t->syntax = (Syntax*)NULL; + t->comp_desc = CompAlloc( mem_op, sizeof( ComponentDesc ) ); + if ( !t->comp_desc ) { + free ( t ); + return -1; + } + t->comp_desc->cd_ldap_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_encoder = (encoder_func*)NULL; + t->comp_desc->cd_ber_encoder = (encoder_func*)NULL; + t->comp_desc->cd_gser_decoder = (gser_decoder_func*)GDecComponentCertificateList ; + t->comp_desc->cd_ber_decoder = (ber_decoder_func*)BDecComponentCertificateList ; + t->comp_desc->cd_free = (comp_free_func*)NULL; + t->comp_desc->cd_extract_i = (extract_component_from_id_func*)ExtractingComponentCertificateList; + t->comp_desc->cd_type = ASN_COMPOSITE; + t->comp_desc->cd_type_id = COMPOSITE_ASN1_TYPE; + t->comp_desc->cd_all_match = (allcomponent_matching_func*)MatchingComponentCertificateList; + return LDAP_SUCCESS; +} /* GDecCertificateList*/ diff --git a/contrib/slapd-modules/comp_match/crl.h b/contrib/slapd-modules/comp_match/crl.h new file mode 100644 index 0000000..f2b4a24 --- /dev/null +++ b/contrib/slapd-modules/comp_match/crl.h @@ -0,0 +1,359 @@ + +#include "asn-incl.h" +/* + * crl.h + * "CertificateRevokationList" ASN.1 module encode/decode/extracting/matching/free C src. + * This file was generated by modified eSMACC compiler Fri Jan 21 11:25:24 2005 + * The generated files are strongly encouraged to be + * compiled as a module for OpenLDAP Software + */ + +#ifndef _crl_h_ +#define _crl_h_ + + + + +#ifdef __cplusplus +extern "C" { +#endif +#ifdef _WIN32 +#pragma warning( disable : 4101 ) +#endif +#include "componentlib.h" + +#define V1 0 +#define V2 1 +#define V3 2 + +typedef ComponentInt ComponentVersion; /* INTEGER { V1 (0), V2 (1), V3 (2) } */ + +#define MatchingComponentVersion MatchingComponentInt + +#define ExtractingComponentVersion ExtractingComponentInt + +#define BDecComponentVersion BDecComponentInt + +#define GDecComponentVersion GDecComponentInt + + +typedef ComponentInt ComponentCertificateSerialNumber; /* INTEGER */ + +#define MatchingComponentCertificateSerialNumber MatchingComponentInt + +#define ExtractingComponentCertificateSerialNumber ExtractingComponentInt + +#define BDecComponentCertificateSerialNumber BDecComponentInt + +#define GDecComponentCertificateSerialNumber GDecComponentInt + + +typedef ComponentOid ComponentAttributeType; /* OBJECT IDENTIFIER */ + +#define MatchingComponentAttributeType MatchingComponentOid + +#define ExtractingComponentAttributeType ExtractingComponentOid + +#define BDecComponentAttributeType BDecComponentOid + +#define GDecComponentAttributeType GDecComponentOid + + +typedef struct AlgorithmIdentifier /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid algorithm; /* OBJECT IDENTIFIER */ + ComponentAnyDefinedBy parameters; /* ANY DEFINED BY algorithm OPTIONAL */ +} ComponentAlgorithmIdentifier; + +int MatchingComponentAlgorithmIdentifier PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAlgorithmIdentifier PROTO (( void* mem_op, ComponentReference *cr, ComponentAlgorithmIdentifier *comp )); + + +int BDecComponentAlgorithmIdentifier PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAlgorithmIdentifier **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAlgorithmIdentifier PROTO (( void* mem_op, GenBuf * b, ComponentAlgorithmIdentifier **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Time /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum TimeChoiceId + { + TIME_UTCTIME, + TIME_GENERALIZEDTIME + } choiceId; + union TimeChoiceUnion + { + ComponentUTCTime* utcTime; /* < unknown type id ?! > */ + ComponentGeneralizedTime* generalizedTime; /* < unknown type id ?! > */ + } a; +} ComponentTime; + +int MatchingComponentTime PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTime PROTO (( void* mem_op, ComponentReference *cr, ComponentTime *comp )); + + +int BDecComponentTime PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTime **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTime PROTO (( void* mem_op, GenBuf * b, ComponentTime **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Extension /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentOid extnID; /* OBJECT IDENTIFIER */ + ComponentBool* critical; /* BOOLEAN DEFAULT FALSE */ + ComponentOcts extnValue; /* OCTET STRING */ +} ComponentExtension; + +int MatchingComponentExtension PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentExtension PROTO (( void* mem_op, ComponentReference *cr, ComponentExtension *comp )); + + +int BDecComponentExtension PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentExtension **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentExtension PROTO (( void* mem_op, GenBuf * b, ComponentExtension **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct AttributeTypeAndValue /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentAttributeType type; /* AttributeType */ + ComponentAnyDefinedBy value; /* ANY DEFINED BY type */ +} ComponentAttributeTypeAndValue; + +int MatchingComponentAttributeTypeAndValue PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentAttributeTypeAndValue PROTO (( void* mem_op, ComponentReference *cr, ComponentAttributeTypeAndValue *comp )); + + +int BDecComponentAttributeTypeAndValue PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentAttributeTypeAndValue PROTO (( void* mem_op, GenBuf * b, ComponentAttributeTypeAndValue **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentExtensions; /* SEQUENCE SIZE 1..MAX OF Extension */ + +int MatchingComponentExtensions PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentExtensions PROTO (( void* mem_op, ComponentReference *cr, ComponentExtensions *comp )); + + +int BDecComponentExtensions PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentExtensions **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentExtensions PROTO (( void* mem_op, GenBuf * b, ComponentExtensions **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct TBSCertListSeqOfSeq /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentCertificateSerialNumber userCertificate; /* CertificateSerialNumber */ + ComponentTime* revocationDate; /* Time */ + ComponentExtensions* crlEntryExtensions; /* Extensions OPTIONAL */ +} ComponentTBSCertListSeqOfSeq; + +int MatchingComponentTBSCertListSeqOfSeq PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTBSCertListSeqOfSeq PROTO (( void* mem_op, ComponentReference *cr, ComponentTBSCertListSeqOfSeq *comp )); + + +int BDecComponentTBSCertListSeqOfSeq PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTBSCertListSeqOfSeq **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTBSCertListSeqOfSeq PROTO (( void* mem_op, GenBuf * b, ComponentTBSCertListSeqOfSeq **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentTBSCertListSeqOf; /* SEQUENCE OF TBSCertListSeqOfSeq */ + +int MatchingComponentTBSCertListSeqOf PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTBSCertListSeqOf PROTO (( void* mem_op, ComponentReference *cr, ComponentTBSCertListSeqOf *comp )); + + +int BDecComponentTBSCertListSeqOf PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTBSCertListSeqOf **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTBSCertListSeqOf PROTO (( void* mem_op, GenBuf * b, ComponentTBSCertListSeqOf **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRelativeDistinguishedName; /* SET OF AttributeTypeAndValue */ + +int MatchingComponentRelativeDistinguishedName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRelativeDistinguishedName PROTO (( void* mem_op, ComponentReference *cr, ComponentRelativeDistinguishedName *comp )); + + +int BDecComponentRelativeDistinguishedName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRelativeDistinguishedName PROTO (( void* mem_op, GenBuf * b, ComponentRelativeDistinguishedName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef ComponentList ComponentRDNSequence; /* SEQUENCE OF RelativeDistinguishedName */ + +int MatchingComponentRDNSequence PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentRDNSequence PROTO (( void* mem_op, ComponentReference *cr, ComponentRDNSequence *comp )); + + +int BDecComponentRDNSequence PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentRDNSequence PROTO (( void* mem_op, GenBuf * b, ComponentRDNSequence **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Name /* CHOICE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + enum NameChoiceId + { + NAME_RDNSEQUENCE + } choiceId; + union NameChoiceUnion + { + ComponentRDNSequence* rdnSequence; /* RDNSequence */ + } a; +} ComponentName; + +int MatchingComponentName PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentName PROTO (( void* mem_op, ComponentReference *cr, ComponentName *comp )); + + +int BDecComponentName PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentName PROTO (( void* mem_op, GenBuf * b, ComponentName **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct TBSCertList /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentVersion* version; /* Version OPTIONAL */ + ComponentAlgorithmIdentifier* signature; /* AlgorithmIdentifier */ + ComponentName* issuer; /* Name */ + ComponentTime* thisUpdate; /* Time */ + ComponentTime* nextUpdate; /* Time OPTIONAL */ + ComponentTBSCertListSeqOf* revokedCertificates; /* TBSCertListSeqOf */ + ComponentExtensions* crlExtensions; /* [0] EXPLICIT Extensions OPTIONAL */ +} ComponentTBSCertList; + +int MatchingComponentTBSCertList PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentTBSCertList PROTO (( void* mem_op, ComponentReference *cr, ComponentTBSCertList *comp )); + + +int BDecComponentTBSCertList PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentTBSCertList **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentTBSCertList PROTO (( void* mem_op, GenBuf * b, ComponentTBSCertList **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct CertificateList /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentTBSCertList* tbsCertList; /* TBSCertList */ + ComponentAlgorithmIdentifier* signatureAlgorithm; /* AlgorithmIdentifier */ + ComponentBits signature; /* BIT STRING */ +} ComponentCertificateList; + +int MatchingComponentCertificateList PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentCertificateList PROTO (( void* mem_op, ComponentReference *cr, ComponentCertificateList *comp )); + + +int BDecComponentCertificateList PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentCertificateList **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentCertificateList PROTO (( void* mem_op, GenBuf * b, ComponentCertificateList **v, AsnLen *bytesDecoded, int mode)); + + + +typedef struct Validity /* SEQUENCE */ +{ + Syntax* syntax; + ComponentDesc* comp_desc; + struct berval identifier; + char id_buf[MAX_IDENTIFIER_LEN]; + ComponentTime* notBefore; /* Time */ + ComponentTime* notAfter; /* Time */ +} ComponentValidity; + +int MatchingComponentValidity PROTO (( char *oid, ComponentSyntaxInfo *, ComponentSyntaxInfo *v2 )); + + +void* ExtractingComponentValidity PROTO (( void* mem_op, ComponentReference *cr, ComponentValidity *comp )); + + +int BDecComponentValidity PROTO ((void* mem_op, GenBuf * b, AsnTag tagId0, AsnLen elmtLen0, ComponentValidity **v, AsnLen *bytesDecoded, int mode)); + + +int GDecComponentValidity PROTO (( void* mem_op, GenBuf * b, ComponentValidity **v, AsnLen *bytesDecoded, int mode)); + + + +/* ========== Object Declarations ========== */ + + +/* ========== Object Set Declarations ========== */ +#ifdef __cplusplus +extern "C" { +#endif + +#endif /* conditional include of crl.h */ diff --git a/contrib/slapd-modules/comp_match/init.c b/contrib/slapd-modules/comp_match/init.c new file mode 100644 index 0000000..5f0d86d --- /dev/null +++ b/contrib/slapd-modules/comp_match/init.c @@ -0,0 +1,839 @@ +/* Copyright 2004 IBM Corporation + * All rights reserved. + * Redisribution and use in source and binary forms, with or without + * modification, are permitted only as authorizd by the OpenLADP + * Public License. + */ +/* ACKNOWLEDGEMENTS + * This work originally developed by Sang Seok Lim + * 2004/06/18 03:20:00 slim@OpenLDAP.org + */ + +#include "portable.h" +#include <ac/string.h> +#include <ac/socket.h> +#include <ldap_pvt.h> +#include "lutil.h" +#include <ldap.h> +#include "slap.h" +#include "component.h" + +#include "componentlib.h" +#include "asn.h" +#include <asn-gser.h> + +#include <string.h> + +#ifndef SLAPD_COMP_MATCH +#define SLAPD_COMP_MATCH SLAPD_MOD_DYNAMIC +#endif + +/* + * Attribute and MatchingRule aliasing table + */ +AttributeAliasing aa_table [ MAX_ALIASING_ENTRY ]; +MatchingRuleAliasing mra_table [ MAX_ALIASING_ENTRY ]; + +OD_entry* gOD_table = NULL; +AsnTypetoMatchingRuleTable* gATMR_table = NULL; + +int +load_derived_matching_rule ( char* cfg_path ){ +} + +AttributeAliasing* +comp_is_aliased_attribute( void *in ) +{ + AttributeAliasing* curr_aa; + int i; + AttributeDescription *ad = (AttributeDescription*)in; + + for ( i = 0; aa_table[i].aa_aliasing_ad && i < MAX_ALIASING_ENTRY; i++ ) { + if ( strncmp(aa_table[i].aa_aliasing_ad->ad_cname.bv_val , ad->ad_cname.bv_val, ad->ad_cname.bv_len) == 0 ) + return &aa_table[i]; + } + return NULL; +} + +static int +add_aa_entry( int index, char* aliasing_at_name, char* aliased_at_name, char* mr_name, char* component_filter ) +{ + char text[1][128]; + int rc; + struct berval type; + + /* get and store aliasing AttributeDescription */ + type.bv_val = aliasing_at_name; + type.bv_len = strlen ( aliasing_at_name ); + rc = slap_bv2ad ( &type, &aa_table[index].aa_aliasing_ad,(const char**)text ); + if ( rc != LDAP_SUCCESS ) return rc; + + /* get and store aliased AttributeDescription */ + type.bv_val = aliased_at_name; + type.bv_len = strlen ( aliased_at_name ); + rc = slap_bv2ad ( &type, &aa_table[index].aa_aliased_ad,(const char**)text ); + if ( rc != LDAP_SUCCESS ) return rc; + + /* get and store componentFilterMatch */ + type.bv_val = mr_name; + type.bv_len = strlen ( mr_name); + aa_table[index].aa_mr = mr_bvfind ( &type ); + + /* get and store a component filter */ + type.bv_val = component_filter; + type.bv_len = strlen ( component_filter ); + rc = get_comp_filter( NULL, &type, &aa_table[index].aa_cf,(const char**)text); + + aa_table[index].aa_cf_str = component_filter; + + return rc; +} + +/* + * Initialize attribute aliasing table when this module is loaded + * add_aa_entry ( index for the global table, + * name of the aliasing attribute, + * component filter with filling value parts "xxx" + * ) + * "xxx" will be replaced with effective values later. + * See RFC3687 to understand the content of a component filter. + */ +char* pre_processed_comp_filter[] = { +/*1*/"item:{ component \"toBeSigned.issuer.rdnSequence\", rule distinguishedNameMatch, value xxx }", +/*2*/"item:{ component \"toBeSigned.serialNumber\", rule integerMatch, value xxx }", +/*3*/"and:{ item:{ component \"toBeSigned.serialNumber\", rule integerMatch, value xxx }, item:{ component \"toBeSigned.issuer.rdnSequence\", rule distinguishedNameMatch, value xxx } }" +}; + +static int +init_attribute_aliasing_table () +{ + int rc; + int index = 0 ; + + rc = add_aa_entry ( index, "x509CertificateIssuer", "userCertificate","componentFilterMatch", pre_processed_comp_filter[index] ); + if ( rc != LDAP_SUCCESS ) return LDAP_PARAM_ERROR; + index++; + + rc = add_aa_entry ( index, "x509CertificateSerial","userCertificate", "componentFilterMatch", pre_processed_comp_filter[index] ); + if ( rc != LDAP_SUCCESS ) return LDAP_PARAM_ERROR; + index++; + + rc = add_aa_entry ( index, "x509CertificateSerialAndIssuer", "userCertificate", "componentFilterMatch", pre_processed_comp_filter[index] ); + if ( rc != LDAP_SUCCESS ) return LDAP_PARAM_ERROR; + index++; + + return LDAP_SUCCESS; +} + +void +init_component_description_table () { + AsnTypeId id; + struct berval mr; + AsnTypetoSyntax* asn_to_syn; + Syntax* syn; + + for ( id = BASICTYPE_BOOLEAN; id != ASNTYPE_END ; id++ ) { + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_subtypes = NULL; + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_syntax = NULL; + + /* Equality Matching Rule */ + if ( asntype_to_compMR_mapping_tbl[id].atc_equality ) { + mr.bv_val = asntype_to_compMR_mapping_tbl[id].atc_equality; + mr.bv_len = strlen(asntype_to_compMR_mapping_tbl[id].atc_equality); + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_equality = mr_bvfind( &mr ); + } + /* Approx Matching Rule */ + if ( asntype_to_compMR_mapping_tbl[id].atc_approx ) { + mr.bv_val = asntype_to_compMR_mapping_tbl[id].atc_approx; + mr.bv_len = strlen(asntype_to_compMR_mapping_tbl[id].atc_approx); + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_approx = mr_bvfind( &mr ); + } + + /* Ordering Matching Rule */ + if ( asntype_to_compMR_mapping_tbl[id].atc_ordering ) { + mr.bv_val = asntype_to_compMR_mapping_tbl[id].atc_ordering; + mr.bv_len = strlen(asntype_to_compMR_mapping_tbl[id].atc_ordering); + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_ordering= mr_bvfind( &mr ); + } + + /* Substr Matching Rule */ + if ( asntype_to_compMR_mapping_tbl[id].atc_substr ) { + mr.bv_val = asntype_to_compMR_mapping_tbl[id].atc_substr; + mr.bv_len = strlen(asntype_to_compMR_mapping_tbl[id].atc_substr); + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_substr = mr_bvfind( &mr ); + } + /* Syntax */ + + asn_to_syn = &asn_to_syntax_mapping_tbl[ id ]; + if ( asn_to_syn->ats_syn_oid ) + syn = syn_find ( asn_to_syn->ats_syn_oid ); + else + syn = NULL; + asntype_to_compType_mapping_tbl[id].ac_comp_type.ct_syntax = syn; + + /* Initialize Component Descriptions of primitive ASN.1 types */ + asntype_to_compdesc_mapping_tbl[id].atcd_cd.cd_comp_type = (AttributeType*)&asntype_to_compType_mapping_tbl[id].ac_comp_type; + } +} + +MatchingRule* +retrieve_matching_rule( char* mr_oid, AsnTypeId type ) { + char* tmp; + struct berval mr_name = BER_BVNULL; + AsnTypetoMatchingRuleTable* atmr; + + for ( atmr = gATMR_table ; atmr ; atmr = atmr->atmr_table_next ) { + if ( strcmp( atmr->atmr_oid, mr_oid ) == 0 ) { + tmp = atmr->atmr_table[type].atmr_mr_name; + if ( tmp ) { + mr_name.bv_val = tmp; + mr_name.bv_len = strlen( tmp ); + return mr_bvfind ( &mr_name ); + } + } + } + return (MatchingRule*)NULL; +} + +void* +comp_convert_attr_to_comp LDAP_P (( Attribute* a, Syntax *syn, struct berval* bv )) +{ + char* peek_head; + int mode, bytesDecoded, size, rc; + void* component; + char* oid = a->a_desc->ad_type->sat_atype.at_oid ; + GenBuf* b = NULL; + ExpBuf* buf = NULL; + OidDecoderMapping* odm; + + /* look for the decoder registered for the given attribute */ + odm = RetrieveOidDecoderMappingbyOid( oid, strlen(oid) ); + + if ( !odm || (!odm->BER_Decode && !odm->GSER_Decode) ) + return (void*)NULL; + + buf = ExpBufAllocBuf(); + ExpBuftoGenBuf( buf, &b ); + ExpBufInstallDataInBuf ( buf, bv->bv_val, bv->bv_len ); + BufResetInReadMode( b ); + + mode = DEC_ALLOC_MODE_2; + /* + * How can we decide which decoder will be called, GSER or BER? + * Currently BER decoder is called for a certificate. + * The flag of Attribute will say something about it in the future + */ + if ( syn && slap_syntax_is_ber ( syn ) ) { +#if 0 + rc =BDecComponentTop(odm->BER_Decode, a->a_comp_data->cd_mem_op, b, 0,0, &component,&bytesDecoded,mode ) ; +#endif + rc = odm->BER_Decode ( a->a_comp_data->cd_mem_op, b, (ComponentSyntaxInfo*)&component, &bytesDecoded, mode ); + } + else { + rc = odm->GSER_Decode( a->a_comp_data->cd_mem_op, b, (ComponentSyntaxInfo**)component, &bytesDecoded, mode); + } + + ExpBufFreeBuf( buf ); + GenBufFreeBuf( b ); + if ( rc == -1 ) { +#if 0 + ShutdownNibbleMemLocal ( a->a_comp_data->cd_mem_op ); + free ( a->a_comp_data ); + a->a_comp_data = NULL; +#endif + return (void*)NULL; + } + else { + return component; + } +} + +#include <nibble-alloc.h> +void +comp_free_component ( void* mem_op ) { + ShutdownNibbleMemLocal( (NibbleMem*)mem_op ); + return; +} + +void +comp_convert_assert_to_comp ( + void* mem_op, + ComponentSyntaxInfo *csi_attr, + struct berval* bv, + ComponentSyntaxInfo** csi, int* len, int mode ) +{ + int rc; + GenBuf* genBuf; + ExpBuf* buf; + gser_decoder_func *decoder = csi_attr->csi_comp_desc->cd_gser_decoder; + + buf = ExpBufAllocBuf(); + ExpBuftoGenBuf( buf, &genBuf ); + ExpBufInstallDataInBuf ( buf, bv->bv_val, bv->bv_len ); + BufResetInReadMode( genBuf ); + + if ( csi_attr->csi_comp_desc->cd_type_id == BASICTYPE_ANY ) + decoder = ((ComponentAny*)csi_attr)->cai->GSER_Decode; + + rc = (*decoder)( mem_op, genBuf, csi, len, mode ); + ExpBufFreeBuf ( buf ); + GenBufFreeBuf( genBuf ); +} + +int intToAscii( int value, char* buf ) { + int minus=0,i,temp; + int total_num_digits; + + if ( value == 0 ){ + buf[0] = '0'; + return 1; + } + + if ( value < 0 ){ + minus = 1; + value = value*(-1); + buf[0] = '-'; + } + + /* How many digits */ + for ( temp = value, total_num_digits=0 ; temp ; total_num_digits++ ) + temp = temp/10; + + total_num_digits += minus; + + for ( i = minus ; value ; i++ ) { + buf[ total_num_digits - i - 1 ]= (char)(value%10 + '0'); + value = value/10; + } + return i; +} + +int +comp_convert_asn_to_ldap ( MatchingRule* mr, ComponentSyntaxInfo* csi, struct berval* bv, int *allocated ) +{ + int rc; + struct berval prettied; + Syntax* syn; + + AsnTypetoSyntax* asn_to_syn = + &asn_to_syntax_mapping_tbl[csi->csi_comp_desc->cd_type_id]; + if ( asn_to_syn->ats_syn_oid ) + csi->csi_syntax = syn_find ( asn_to_syn->ats_syn_oid ); + else + csi->csi_syntax = NULL; + + + switch ( csi->csi_comp_desc->cd_type_id ) { + case BASICTYPE_BOOLEAN : + bv->bv_val = (char*)malloc( 5 ); + *allocated = 1; + bv->bv_len = 5; + if ( ((ComponentBool*)csi)->value > 0 ) { + strcpy ( bv->bv_val , "TRUE" ); + bv->bv_len = 4; + } + else { + strcpy ( bv->bv_val , "FALSE" ); + bv->bv_len = 5; + } + break ; + case BASICTYPE_NULL : + bv->bv_len = 0; + break; + case BASICTYPE_INTEGER : + bv->bv_val = (char*)malloc( INITIAL_ATTR_SIZE ); + *allocated = 1; + bv->bv_len = INITIAL_ATTR_SIZE; + bv->bv_len = intToAscii(((ComponentInt*)csi)->value, bv->bv_val ); + if ( bv->bv_len <= 0 ) + return LDAP_INVALID_SYNTAX; + break; + case BASICTYPE_REAL : + return LDAP_INVALID_SYNTAX; + case BASICTYPE_ENUMERATED : + bv->bv_val = (char*)malloc( INITIAL_ATTR_SIZE ); + *allocated = 1; + bv->bv_len = INITIAL_ATTR_SIZE; + bv->bv_len = intToAscii(((ComponentEnum*)csi)->value, bv->bv_val ); + if ( bv->bv_len <= 0 ) + return LDAP_INVALID_SYNTAX; + break; + case BASICTYPE_OID : + case BASICTYPE_OCTETSTRING : + case BASICTYPE_BITSTRING : + case BASICTYPE_NUMERIC_STR : + case BASICTYPE_PRINTABLE_STR : + case BASICTYPE_UNIVERSAL_STR : + case BASICTYPE_IA5_STR : + case BASICTYPE_BMP_STR : + case BASICTYPE_UTF8_STR : + case BASICTYPE_UTCTIME : + case BASICTYPE_GENERALIZEDTIME : + case BASICTYPE_GRAPHIC_STR : + case BASICTYPE_VISIBLE_STR : + case BASICTYPE_GENERAL_STR : + case BASICTYPE_OBJECTDESCRIPTOR : + case BASICTYPE_VIDEOTEX_STR : + case BASICTYPE_T61_STR : + case BASICTYPE_OCTETCONTAINING : + case BASICTYPE_BITCONTAINING : + case BASICTYPE_RELATIVE_OID : + bv->bv_val = ((ComponentOcts*)csi)->value.octs; + bv->bv_len = ((ComponentOcts*)csi)->value.octetLen; + break; + case BASICTYPE_ANY : + csi = ((ComponentAny*)csi)->value; + if ( csi->csi_comp_desc->cd_type != ASN_BASIC || + csi->csi_comp_desc->cd_type_id == BASICTYPE_ANY ) + return LDAP_INVALID_SYNTAX; + return comp_convert_asn_to_ldap( mr, csi, bv, allocated ); + case COMPOSITE_ASN1_TYPE : + break; + case RDNSequence : + /*dnMatch*/ + if( strncmp( mr->smr_mrule.mr_oid, DN_MATCH_OID, strlen(DN_MATCH_OID) ) != 0 ) + return LDAP_INVALID_SYNTAX; + *allocated = 1; + rc = ConvertRDNSequence2RFC2253( (irRDNSequence*)csi, bv ); + if ( rc != LDAP_SUCCESS ) return rc; + break; + case RelativeDistinguishedName : + /*rdnMatch*/ + if( strncmp( mr->smr_mrule.mr_oid, RDN_MATCH_OID, strlen(RDN_MATCH_OID) ) != 0 ) + return LDAP_INVALID_SYNTAX; + *allocated = 1; + rc = ConvertRDN2RFC2253((irRelativeDistinguishedName*)csi,bv); + if ( rc != LDAP_SUCCESS ) return rc; + break; + case TelephoneNumber : + case FacsimileTelephoneNumber__telephoneNumber : + break; + case DirectoryString : + return LDAP_INVALID_SYNTAX; + case ASN_COMP_CERTIFICATE : + case ASNTYPE_END : + break; + default : + /*Only ASN Basic Type can be converted into LDAP string*/ + return LDAP_INVALID_SYNTAX; + } + + if ( csi->csi_syntax ) { + if ( csi->csi_syntax->ssyn_validate ) { + rc = csi->csi_syntax->ssyn_validate(csi->csi_syntax, bv); + if ( rc != LDAP_SUCCESS ) + return LDAP_INVALID_SYNTAX; + } + if ( csi->csi_syntax->ssyn_pretty ) { + rc = csi->csi_syntax->ssyn_pretty(csi->csi_syntax, bv, &prettied , NULL ); + if ( rc != LDAP_SUCCESS ) + return LDAP_INVALID_SYNTAX; +#if 0 + free ( bv->bv_val );/*potential memory leak?*/ +#endif + bv->bv_val = prettied.bv_val; + bv->bv_len = prettied.bv_len; + } + } + + return LDAP_SUCCESS; +} + +/* + * If <all> type component referenced is used + * more than one component will be tested + */ +#define IS_TERMINAL_COMPREF(cr) (cr->cr_curr->ci_next == NULL) +int +comp_test_all_components ( + void* attr_mem_op, + void* assert_mem_op, + ComponentSyntaxInfo *csi_attr, + ComponentAssertion* ca ) +{ + int rc; + ComponentSyntaxInfo *csi_temp = NULL, *csi_assert = NULL, *comp_elmt = NULL; + ComponentReference *cr = ca->ca_comp_ref; + struct berval *ca_val = &ca->ca_ma_value; + + switch ( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_ALL: + if ( IS_TERMINAL_COMPREF(cr) ) { + FOR_EACH_LIST_ELMT( comp_elmt, &((ComponentList*)csi_attr)->comp_list ) + { + rc = comp_test_one_component( attr_mem_op, assert_mem_op, comp_elmt, ca ); + if ( rc == LDAP_COMPARE_TRUE ) { + break; + } + } + } else { + ComponentId *start_compid = ca->ca_comp_ref->cr_curr->ci_next; + FOR_EACH_LIST_ELMT( comp_elmt, &((ComponentList*)csi_attr)->comp_list ) + { + cr->cr_curr = start_compid; + rc = comp_test_components ( attr_mem_op, assert_mem_op, comp_elmt, ca ); + if ( rc != LDAP_COMPARE_FALSE ) { + break; + } +#if 0 + if ( rc == LDAP_COMPARE_TRUE ) { + break; + } +#endif + } + } + break; + case LDAP_COMPREF_CONTENT: + case LDAP_COMPREF_SELECT: + case LDAP_COMPREF_DEFINED: + case LDAP_COMPREF_UNDEFINED: + case LDAP_COMPREF_IDENTIFIER: + case LDAP_COMPREF_FROM_BEGINNING: + case LDAP_COMPREF_FROM_END: + case LDAP_COMPREF_COUNT: + rc = LDAP_OPERATIONS_ERROR; + break; + default: + rc = LDAP_OPERATIONS_ERROR; + } + return rc; +} + +void +eat_bv_whsp ( struct berval* in ) +{ + char* end = in->bv_val + in->bv_len; + for ( ; ( *in->bv_val == ' ' ) && ( in->bv_val < end ) ; ) { + in->bv_val++; + } +} + +/* + * Perform matching one referenced component against assertion + * If the matching rule in a component filter is allComponentsMatch + * or its derivatives the extracted component's ASN.1 specification + * is applied to the assertion value as its syntax + * Otherwise, the matching rule's syntax is applied to the assertion value + * By RFC 3687 + */ +int +comp_test_one_component ( + void* attr_mem_op, + void* assert_mem_op, + ComponentSyntaxInfo *csi_attr, + ComponentAssertion *ca ) +{ + int len, rc; + ComponentSyntaxInfo *csi_assert = NULL; + char* oid = NULL; + MatchingRule* mr = ca->ca_ma_rule; + + if ( mr->smr_usage & SLAP_MR_COMPONENT ) { + /* If allComponentsMatch or its derivatives */ + if ( !ca->ca_comp_data.cd_tree ) { + comp_convert_assert_to_comp( assert_mem_op, csi_attr, &ca->ca_ma_value, &csi_assert, &len, DEC_ALLOC_MODE_0 ); + ca->ca_comp_data.cd_tree = (void*)csi_assert; + } else { + csi_assert = ca->ca_comp_data.cd_tree; + } + + if ( !csi_assert ) + return LDAP_PROTOCOL_ERROR; + + if ( strcmp( mr->smr_mrule.mr_oid, OID_ALL_COMP_MATCH ) != 0 ) + { + /* allComponentMatch's derivatives */ + oid = mr->smr_mrule.mr_oid; + } + return csi_attr->csi_comp_desc->cd_all_match( + oid, csi_attr, csi_assert ); + + } else { + /* LDAP existing matching rules */ + struct berval attr_bv = BER_BVNULL; + struct berval n_attr_bv = BER_BVNULL; + struct berval* assert_bv = &ca->ca_ma_value; + int allocated = 0; + /*Attribute is converted to compatible LDAP encodings*/ + if ( comp_convert_asn_to_ldap( mr, csi_attr, &attr_bv, &allocated ) != LDAP_SUCCESS ) + return LDAP_INAPPROPRIATE_MATCHING; + /* extracted component value is not normalized */ + if ( ca->ca_ma_rule->smr_normalize ) { + rc = ca->ca_ma_rule->smr_normalize ( + SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + NULL, ca->ca_ma_rule, + &attr_bv, &n_attr_bv, NULL ); + if ( rc != LDAP_SUCCESS ) + return rc; + if ( allocated && attr_bv.bv_val ) + free (attr_bv.bv_val); + } else { + n_attr_bv = attr_bv; + } +#if 0 + /*Assertion value is validated by MR's syntax*/ + if ( !ca->ca_comp_data.cd_tree ) { + ca->ca_comp_data.cd_tree = assert_bv; + } + else { + assert_bv = ca->ca_comp_data.cd_tree; + } +#endif + if ( !n_attr_bv.bv_val ) + return LDAP_COMPARE_FALSE; + rc = csi_value_match( mr, &n_attr_bv, assert_bv ); + if ( n_attr_bv.bv_val ) + free ( n_attr_bv.bv_val ); + return rc; + } +} + +int +comp_test_components( void* attr_nm, void* assert_nm, ComponentSyntaxInfo* csi_attr, ComponentAssertion* ca) { + char* peek_head; + int mode, bytesDecoded = 0, rc; + GenBuf* b; + ExpBuf* buf; + OidDecoderMapping* odm; + struct berval bv; + char oid[MAX_OID_LEN]; + void* contained_comp, *anytype_comp; + ComponentReference* cr = ca->ca_comp_ref; + + if ( !cr ) + return comp_test_one_component ( attr_nm, assert_nm, csi_attr, ca ); + /* Extracting the component refrenced by ca->ca_comp_ref */ + csi_attr = (ComponentSyntaxInfo*)csi_attr->csi_comp_desc->cd_extract_i( attr_nm, cr, csi_attr ); + if ( !csi_attr ) return LDAP_INVALID_SYNTAX; + /* perform matching, considering the type of a Component Reference(CR)*/ + switch( cr->cr_curr->ci_type ) { + case LDAP_COMPREF_IDENTIFIER: + case LDAP_COMPREF_FROM_BEGINNING: + case LDAP_COMPREF_FROM_END: + case LDAP_COMPREF_COUNT: + /* + * Exactly one component is referenced + * Fast Path for matching for this case + */ + rc = comp_test_one_component ( attr_nm, assert_nm, csi_attr, ca ); + break; + case LDAP_COMPREF_ALL: + /* + * If <all> type CR is used + * more than one component will be tested + */ + rc = comp_test_all_components ( attr_nm, assert_nm, csi_attr, ca ); + break; + + case LDAP_COMPREF_CONTENT: + /* + * <content> type CR is used + * check if it is followed by <select> type CR. + * 1) If so, look up the corresponding decoder in the mapping + * table(OID to decoder) by <select> + * and then decode the OCTET/BIT STRING with the decoder + * Finially, extreact the target component with the remaining CR. + * 2) If not, just return the current component, It SHOULD not be + * extracted further, because the component MUST be BIT/OCTET + * string. + */ + + cr->cr_curr = cr->cr_curr->ci_next; + if ( !cr->cr_curr ) { + /* case 2) in above description */ + rc = comp_test_one_component ( attr_nm, assert_nm, csi_attr, ca ); + break; + } + + if ( cr->cr_curr->ci_type == LDAP_COMPREF_SELECT ) { + /* Look up OID mapping table */ + odm = RetrieveOidDecoderMappingbyBV( &cr->cr_curr->ci_val.ci_select_value ); + + if ( !odm || !odm->BER_Decode ) + return LDAP_PROTOCOL_ERROR; + + /* current componet MUST be either BIT or OCTET STRING */ + if ( csi_attr->csi_comp_desc->cd_type_id != BASICTYPE_BITSTRING ) { + bv.bv_val = ((ComponentBits*)csi_attr)->value.bits; + bv.bv_len = ((ComponentBits*)csi_attr)->value.bitLen; + } + else if ( csi_attr->csi_comp_desc->cd_type_id != BASICTYPE_BITSTRING ) { + bv.bv_val = ((ComponentOcts*)csi_attr)->value.octs; + bv.bv_len = ((ComponentOcts*)csi_attr)->value.octetLen; + } + else + return LDAP_PROTOCOL_ERROR; + + buf = ExpBufAllocBuf(); + ExpBuftoGenBuf( buf, &b ); + ExpBufInstallDataInBuf ( buf, bv.bv_val, bv.bv_len ); + BufResetInReadMode( b ); + mode = DEC_ALLOC_MODE_2; + + /* Try to decode with BER/DER decoder */ + rc = odm->BER_Decode ( attr_nm, b, (ComponentSyntaxInfo*)&contained_comp, &bytesDecoded, mode ); + + ExpBufFreeBuf( buf ); + GenBufFreeBuf( b ); + + if ( rc != LDAP_SUCCESS ) return LDAP_PROTOCOL_ERROR; + + /* xxx.content.(x.xy.xyz).rfc822Name */ + /* In the aboe Ex. move CR to the right to (x.xy.xyz)*/ + cr->cr_curr = cr->cr_curr->ci_next; + if (!cr->cr_curr ) + rc = comp_test_one_component ( attr_nm, assert_nm, csi_attr, ca ); + else + rc = comp_test_components( attr_nm, assert_nm, contained_comp, ca ); + } + else { + /* Ivalid Component reference */ + rc = LDAP_PROTOCOL_ERROR; + } + break; + case LDAP_COMPREF_SELECT: + if (csi_attr->csi_comp_desc->cd_type_id != BASICTYPE_ANY ) + return LDAP_INVALID_SYNTAX; + rc = CheckSelectTypeCorrect( attr_nm, ((ComponentAny*)csi_attr)->cai, &cr->cr_curr->ci_val.ci_select_value ); + if ( rc < 0 ) return LDAP_INVALID_SYNTAX; + + /* point to the real component, not any type component */ + csi_attr = ((ComponentAny*)csi_attr)->value; + cr->cr_curr = cr->cr_curr->ci_next; + if ( cr->cr_curr ) + rc = comp_test_components( attr_nm, assert_nm, csi_attr, ca); + else + rc = comp_test_one_component( attr_nm, assert_nm, csi_attr, ca); + break; + default: + rc = LDAP_INVALID_SYNTAX; + } + return rc; +} + + +void* +comp_nibble_memory_allocator ( int init_mem, int inc_mem ) { + void* nm; + nm = (void*)InitNibbleMemLocal( (unsigned long)init_mem, (unsigned long)inc_mem ); + if ( !nm ) return NULL; + else return (void*)nm; +} + +void +comp_nibble_memory_free ( void* nm ) { + ShutdownNibbleMemLocal( nm ); +} + +void* +comp_get_component_description ( int id ) { + if ( asntype_to_compdesc_mapping_tbl[id].atcd_typeId == id ) + return &asntype_to_compdesc_mapping_tbl[id].atcd_cd; + else + return NULL; +} + +int +comp_component_encoder ( void* mem_op, ComponentSyntaxInfo* csi , struct berval* nval ) { + int size, rc; + GenBuf* b; + ExpBuf* buf; + struct berval bv; + + buf = ExpBufAllocBufAndData(); + ExpBufResetInWriteRvsMode(buf); + ExpBuftoGenBuf( buf, &b ); + + if ( !csi->csi_comp_desc->cd_gser_encoder && !csi->csi_comp_desc->cd_ldap_encoder ) + return (-1); + + /* + * if an LDAP specific encoder is provided : + * dn and rdn have their LDAP specific encoder + */ + if ( csi->csi_comp_desc->cd_ldap_encoder ) { + rc = csi->csi_comp_desc->cd_ldap_encoder( csi, &bv ); + if ( rc != LDAP_SUCCESS ) + return rc; + if ( mem_op ) + nval->bv_val = CompAlloc( mem_op, bv.bv_len ); + else + nval->bv_val = malloc( size ); + memcpy( nval->bv_val, bv.bv_val, bv.bv_len ); + nval->bv_len = bv.bv_len; + /* + * This free will be eliminated by making ldap_encoder + * use nibble memory in it + */ + free ( bv.bv_val ); + GenBufFreeBuf( b ); + BufFreeBuf( buf ); + return LDAP_SUCCESS; + } + + rc = csi->csi_comp_desc->cd_gser_encoder( b, csi ); + if ( rc < 0 ) { + GenBufFreeBuf( b ); + BufFreeBuf( buf ); + return rc; + } + + size = ExpBufDataSize( buf ); + if ( size > 0 ) { + if ( mem_op ) + nval->bv_val = CompAlloc ( mem_op, size ); + else + nval->bv_val = malloc( size ); + nval->bv_len = size; + BufResetInReadMode(b); + BufCopy( nval->bv_val, b, size ); + } + ExpBufFreeBuf( buf ); + GenBufFreeBuf( b ); + + return LDAP_SUCCESS; +} + +#if SLAPD_COMP_MATCH == SLAPD_MOD_DYNAMIC + +#include "certificate.h" + +extern convert_attr_to_comp_func* attr_converter; +extern convert_assert_to_comp_func* assert_converter; +extern convert_asn_to_ldap_func* csi_converter; +extern free_component_func* component_destructor; +extern test_component_func* test_components; +extern alloc_nibble_func* nibble_mem_allocator; +extern free_nibble_func* nibble_mem_free; +extern test_membership_func* is_aliased_attribute; +extern get_component_info_func* get_component_description; +extern component_encoder_func* component_encoder; + + +int init_module(int argc, char *argv[]) { + /* + * Initialize function pointers in slapd + */ + attr_converter = (convert_attr_to_comp_func*)comp_convert_attr_to_comp; + assert_converter = (convert_assert_to_comp_func*)comp_convert_assert_to_comp; + component_destructor = (free_component_func*)comp_free_component; + test_components = (test_component_func*)comp_test_components; + nibble_mem_allocator = (free_nibble_func*)comp_nibble_memory_allocator; + nibble_mem_free = (free_nibble_func*)comp_nibble_memory_free; + is_aliased_attribute = (test_membership_func*)comp_is_aliased_attribute; + get_component_description = (get_component_info_func*)comp_get_component_description; + component_encoder = (component_encoder_func*)comp_component_encoder; + + /* file path needs to be */ + load_derived_matching_rule ("derived_mr.cfg"); + + /* the initialization for example X.509 certificate */ + init_module_AuthenticationFramework(); + init_module_AuthorityKeyIdentifierDefinition(); + init_module_CertificateRevokationList(); + init_attribute_aliasing_table (); + init_component_description_table (); + return 0; +} + +#endif /* SLAPD_PASSWD */ diff --git a/contrib/slapd-modules/denyop/Makefile b/contrib/slapd-modules/denyop/Makefile new file mode 100644 index 0000000..c837762 --- /dev/null +++ b/contrib/slapd-modules/denyop/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_DENYOP=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = denyop.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +denyop.la: denyop.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/denyop/denyop.c b/contrib/slapd-modules/denyop/denyop.c new file mode 100644 index 0000000..d75a0aa --- /dev/null +++ b/contrib/slapd-modules/denyop/denyop.c @@ -0,0 +1,259 @@ +/* denyop.c - Denies operations */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion in + * OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_DENYOP + +#include <stdio.h> + +#include <ac/string.h> +#include <ac/socket.h> + +#include "slap.h" + +/* This overlay provides a quick'n'easy way to deny selected operations + * for a database whose backend implements the operations. It is intended + * to be less expensive than ACLs because its evaluation occurs before + * any backend specific operation is actually even initiated. + */ + +enum { + denyop_add = 0, + denyop_bind, + denyop_compare, + denyop_delete, + denyop_extended, + denyop_modify, + denyop_modrdn, + denyop_search, + denyop_unbind +} denyop_e; + +typedef struct denyop_info { + int do_op[denyop_unbind + 1]; +} denyop_info; + +static int +denyop_func( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + denyop_info *oi = (denyop_info *)on->on_bi.bi_private; + int deny = 0; + + switch( op->o_tag ) { + case LDAP_REQ_BIND: + deny = oi->do_op[denyop_bind]; + break; + + case LDAP_REQ_ADD: + deny = oi->do_op[denyop_add]; + break; + + case LDAP_REQ_DELETE: + deny = oi->do_op[denyop_delete]; + break; + + case LDAP_REQ_MODRDN: + deny = oi->do_op[denyop_modrdn]; + break; + + case LDAP_REQ_MODIFY: + deny = oi->do_op[denyop_modify]; + break; + + case LDAP_REQ_COMPARE: + deny = oi->do_op[denyop_compare]; + break; + + case LDAP_REQ_SEARCH: + deny = oi->do_op[denyop_search]; + break; + + case LDAP_REQ_EXTENDED: + deny = oi->do_op[denyop_extended]; + break; + + case LDAP_REQ_UNBIND: + deny = oi->do_op[denyop_unbind]; + break; + } + + if ( !deny ) { + return SLAP_CB_CONTINUE; + } + + op->o_bd->bd_info = (BackendInfo *)on->on_info; + send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, + "operation not allowed within namingContext" ); + + return 0; +} + +static int +denyop_over_init( + BackendDB *be, ConfigReply *cr +) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + denyop_info *oi; + + oi = (denyop_info *)ch_malloc(sizeof(denyop_info)); + memset(oi, 0, sizeof(denyop_info)); + on->on_bi.bi_private = oi; + + return 0; +} + +static int +denyop_config( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv +) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + denyop_info *oi = (denyop_info *)on->on_bi.bi_private; + + if ( strcasecmp( argv[0], "denyop" ) == 0 ) { + char *op; + + if ( argc != 2 ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "operation list missing in " + "\"denyop <op-list>\" line.\n", + fname, lineno, 0 ); + return( 1 ); + } + + /* The on->on_bi.bi_private pointer can be used for + * anything this instance of the overlay needs. + */ + + op = argv[1]; + do { + char *next = strchr( op, ',' ); + + if ( next ) { + next[0] = '\0'; + next++; + } + + if ( strcmp( op, "add" ) == 0 ) { + oi->do_op[denyop_add] = 1; + + } else if ( strcmp( op, "bind" ) == 0 ) { + oi->do_op[denyop_bind] = 1; + + } else if ( strcmp( op, "compare" ) == 0 ) { + oi->do_op[denyop_compare] = 1; + + } else if ( strcmp( op, "delete" ) == 0 ) { + oi->do_op[denyop_delete] = 1; + + } else if ( strcmp( op, "extended" ) == 0 ) { + oi->do_op[denyop_extended] = 1; + + } else if ( strcmp( op, "modify" ) == 0 ) { + oi->do_op[denyop_modify] = 1; + + } else if ( strcmp( op, "modrdn" ) == 0 ) { + oi->do_op[denyop_modrdn] = 1; + + } else if ( strcmp( op, "search" ) == 0 ) { + oi->do_op[denyop_search] = 1; + + } else if ( strcmp( op, "unbind" ) == 0 ) { + oi->do_op[denyop_unbind] = 1; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "unknown operation \"%s\" at " + "\"denyop <op-list>\" line.\n", + fname, lineno, op ); + return( 1 ); + } + + op = next; + } while ( op ); + + } else { + return SLAP_CONF_UNKNOWN; + } + return 0; +} + +static int +denyop_destroy( + BackendDB *be, ConfigReply *cr +) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + denyop_info *oi = (denyop_info *)on->on_bi.bi_private; + + if ( oi ) { + ch_free( oi ); + } + + return 0; +} + +/* This overlay is set up for dynamic loading via moduleload. For static + * configuration, you'll need to arrange for the slap_overinst to be + * initialized and registered by some other function inside slapd. + */ + +static slap_overinst denyop; + +int +denyop_initialize( void ) +{ + memset( &denyop, 0, sizeof( slap_overinst ) ); + denyop.on_bi.bi_type = "denyop"; + denyop.on_bi.bi_db_init = denyop_over_init; + denyop.on_bi.bi_db_config = denyop_config; + denyop.on_bi.bi_db_destroy = denyop_destroy; + + denyop.on_bi.bi_op_bind = denyop_func; + denyop.on_bi.bi_op_search = denyop_func; + denyop.on_bi.bi_op_compare = denyop_func; + denyop.on_bi.bi_op_modify = denyop_func; + denyop.on_bi.bi_op_modrdn = denyop_func; + denyop.on_bi.bi_op_add = denyop_func; + denyop.on_bi.bi_op_delete = denyop_func; + denyop.on_bi.bi_extended = denyop_func; + denyop.on_bi.bi_op_unbind = denyop_func; + + denyop.on_response = NULL /* denyop_response */ ; + + return overlay_register( &denyop ); +} + +#if SLAPD_OVER_DENYOP == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return denyop_initialize(); +} +#endif /* SLAPD_OVER_DENYOP == SLAPD_MOD_DYNAMIC */ + +#endif /* defined(SLAPD_OVER_DENYOP) */ diff --git a/contrib/slapd-modules/dsaschema/Makefile b/contrib/slapd-modules/dsaschema/Makefile new file mode 100644 index 0000000..5ca4b4f --- /dev/null +++ b/contrib/slapd-modules/dsaschema/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = dsaschema.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +dsaschema.la: dsaschema.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/dsaschema/README b/contrib/slapd-modules/dsaschema/README new file mode 100644 index 0000000..f102bb9 --- /dev/null +++ b/contrib/slapd-modules/dsaschema/README @@ -0,0 +1,23 @@ +Copyright 2004-2021 The OpenLDAP Foundation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +This directory contains a native slapd plugin, dsaschema, that permits the +loading of DSA-specific schema from configuration files (including operational +attributes). + +To use the plugin, add: + +moduleload dsaschema.so + /etc/openldap/schema/foo1.schema + ...etc... + /etc/openldap/schema/fooN.schema + +to your slapd configuration file. + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -Wall -g -o dsaschema.so dsaschema.c + diff --git a/contrib/slapd-modules/dsaschema/dsaschema.c b/contrib/slapd-modules/dsaschema/dsaschema.c new file mode 100644 index 0000000..fa8d07c --- /dev/null +++ b/contrib/slapd-modules/dsaschema/dsaschema.c @@ -0,0 +1,438 @@ +/* dsaschema.c */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#include <ac/string.h> +#include <ac/ctype.h> +#include <ac/signal.h> +#include <ac/errno.h> +#include <ac/stdlib.h> +#include <ac/ctype.h> +#include <ac/time.h> +#include <ac/unistd.h> + +#include <stdio.h> + +/* + * Schema reader that allows us to define DSA schema (including + * operational attributes and non-user object classes) + * + * A kludge, at best, and in order to avoid including slapd + * headers we use fprintf() rather than slapd's native logging, + * which may confuse users... + * + */ + +#include <ldap.h> +#include <ldap_schema.h> + +extern int at_add(LDAPAttributeType *at, const char **err); +extern int oc_add(LDAPObjectClass *oc, int user, const char **err); +extern int cr_add(LDAPContentRule *cr, int user, const char **err); + +#define ARGS_STEP 512 + +static char *fp_getline(FILE *fp, int *lineno); +static void fp_getline_init(int *lineno); +static int fp_parse_line(int lineno, char *line); +static char *strtok_quote( char *line, char *sep ); + +static char **cargv = NULL; +static int cargv_size = 0; +static int cargc = 0; +static char *strtok_quote_ptr; + +int init_module(int argc, char *argv[]); + +static int dsaschema_parse_at(const char *fname, int lineno, char *line, char **argv) +{ + LDAPAttributeType *at; + int code; + const char *err; + + at = ldap_str2attributetype(line, &code, &err, LDAP_SCHEMA_ALLOW_ALL); + if (!at) { + fprintf(stderr, "%s: line %d: %s before %s\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + if (at->at_oid == NULL) { + fprintf(stderr, "%s: line %d: attributeType has no OID\n", + fname, lineno); + return 1; + } + + code = at_add(at, &err); + if (code) { + fprintf(stderr, "%s: line %d: %s: \"%s\"\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + ldap_memfree(at); + + return 0; +} + +static int dsaschema_parse_oc(const char *fname, int lineno, char *line, char **argv) +{ + LDAPObjectClass *oc; + int code; + const char *err; + + oc = ldap_str2objectclass(line, &code, &err, LDAP_SCHEMA_ALLOW_ALL); + if (!oc) { + fprintf(stderr, "%s: line %d: %s before %s\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + if (oc->oc_oid == NULL) { + fprintf(stderr, + "%s: line %d: objectclass has no OID\n", + fname, lineno); + return 1; + } + + code = oc_add(oc, 0, &err); + if (code) { + fprintf(stderr, "%s: line %d: %s: \"%s\"\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + ldap_memfree(oc); + return 0; +} + +static int dsaschema_parse_cr(const char *fname, int lineno, char *line, char **argv) +{ + LDAPContentRule *cr; + int code; + const char *err; + + cr = ldap_str2contentrule(line, &code, &err, LDAP_SCHEMA_ALLOW_ALL); + if (!cr) { + fprintf(stderr, "%s: line %d: %s before %s\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + if (cr->cr_oid == NULL) { + fprintf(stderr, + "%s: line %d: objectclass has no OID\n", + fname, lineno); + return 1; + } + + code = cr_add(cr, 0, &err); + if (code) { + fprintf(stderr, "%s: line %d: %s: \"%s\"\n", + fname, lineno, ldap_scherr2str(code), err); + return 1; + } + + ldap_memfree(cr); + return 0; +} + +static int dsaschema_read_config(const char *fname, int depth) +{ + FILE *fp; + char *line, *savefname, *saveline; + int savelineno, lineno; + int rc; + + if (depth == 0) { + cargv = calloc(ARGS_STEP + 1, sizeof(*cargv)); + if (cargv == NULL) { + return 1; + } + cargv_size = ARGS_STEP + 1; + } + + fp = fopen(fname, "r"); + if (fp == NULL) { + fprintf(stderr, "could not open config file \"%s\": %s (%d)\n", + fname, strerror(errno), errno); + return 1; + } + fp_getline_init(&lineno); + + while ((line = fp_getline(fp, &lineno)) != NULL) { + /* skip comments and blank lines */ + if (line[0] == '#' || line[0] == '\0') { + continue; + } + + saveline = strdup(line); + if (saveline == NULL) { + return 1; + } + + if (fp_parse_line(lineno, line) != 0) { + return 1; + } + + if (cargc < 1) { + continue; + } + + if (strcasecmp(cargv[0], "attributetype") == 0 || + strcasecmp(cargv[0], "attribute") == 0) { + if (cargc < 2) { + fprintf(stderr, "%s: line %d: illegal attribute type format\n", + fname, lineno); + return 1; + } else if (*cargv[1] == '(' /*')'*/) { + char *p; + + p = strchr(saveline, '(' /*')'*/); + rc = dsaschema_parse_at(fname, lineno, p, cargv); + if (rc != 0) + return rc; + } else { + fprintf(stderr, "%s: line %d: old attribute type format not supported\n", + fname, lineno); + } + } else if (strcasecmp(cargv[0], "ditcontentrule") == 0) { + char *p; + p = strchr(saveline, '(' /*')'*/); + rc = dsaschema_parse_cr(fname, lineno, p, cargv); + if (rc != 0) + return rc; + } else if (strcasecmp(cargv[0], "objectclass") == 0) { + if (cargc < 2) { + fprintf(stderr, "%s: line %d: illegal objectclass format\n", + fname, lineno); + return 1; + } else if (*cargv[1] == '(' /*')'*/) { + char *p; + + p = strchr(saveline, '(' /*')'*/); + rc = dsaschema_parse_oc(fname, lineno, p, cargv); + if (rc != 0) + return rc; + } else { + fprintf(stderr, "%s: line %d: object class format not supported\n", + fname, lineno); + } + } else if (strcasecmp(cargv[0], "include") == 0) { + if (cargc < 2) { + fprintf(stderr, "%s: line %d: missing file name in \"include <filename>\" line", + fname, lineno); + return 1; + } + savefname = strdup(cargv[1]); + if (savefname == NULL) { + return 1; + } + if (dsaschema_read_config(savefname, depth + 1) != 0) { + return 1; + } + free(savefname); + lineno = savelineno - 1; + } else { + fprintf(stderr, "%s: line %d: unknown directive \"%s\" (ignored)\n", + fname, lineno, cargv[0]); + } + } + + fclose(fp); + + if (depth == 0) + free(cargv); + + return 0; +} + +int init_module(int argc, char *argv[]) +{ + int i; + int rc; + + for (i = 0; i < argc; i++) { + rc = dsaschema_read_config(argv[i], 0); + if (rc != 0) { + break; + } + } + + return rc; +} + + +static int +fp_parse_line( + int lineno, + char *line +) +{ + char * token; + + cargc = 0; + token = strtok_quote( line, " \t" ); + + if ( strtok_quote_ptr ) { + *strtok_quote_ptr = ' '; + } + + if ( strtok_quote_ptr ) { + *strtok_quote_ptr = '\0'; + } + + for ( ; token != NULL; token = strtok_quote( NULL, " \t" ) ) { + if ( cargc == cargv_size - 1 ) { + char **tmp; + tmp = realloc( cargv, (cargv_size + ARGS_STEP) * + sizeof(*cargv) ); + if ( tmp == NULL ) { + return -1; + } + cargv = tmp; + cargv_size += ARGS_STEP; + } + cargv[cargc++] = token; + } + cargv[cargc] = NULL; + return 0; +} + +static char * +strtok_quote( char *line, char *sep ) +{ + int inquote; + char *tmp; + static char *next; + + strtok_quote_ptr = NULL; + if ( line != NULL ) { + next = line; + } + while ( *next && strchr( sep, *next ) ) { + next++; + } + + if ( *next == '\0' ) { + next = NULL; + return( NULL ); + } + tmp = next; + + for ( inquote = 0; *next; ) { + switch ( *next ) { + case '"': + if ( inquote ) { + inquote = 0; + } else { + inquote = 1; + } + AC_MEMCPY( next, next + 1, strlen( next + 1 ) + 1 ); + break; + + case '\\': + if ( next[1] ) + AC_MEMCPY( next, + next + 1, strlen( next + 1 ) + 1 ); + next++; /* dont parse the escaped character */ + break; + + default: + if ( ! inquote ) { + if ( strchr( sep, *next ) != NULL ) { + strtok_quote_ptr = next; + *next++ = '\0'; + return( tmp ); + } + } + next++; + break; + } + } + + return( tmp ); +} + +static char buf[BUFSIZ]; +static char *line; +static size_t lmax, lcur; + +#define CATLINE( buf ) \ + do { \ + size_t len = strlen( buf ); \ + while ( lcur + len + 1 > lmax ) { \ + lmax += BUFSIZ; \ + line = (char *) realloc( line, lmax ); \ + } \ + strcpy( line + lcur, buf ); \ + lcur += len; \ + } while( 0 ) + +static char * +fp_getline( FILE *fp, int *lineno ) +{ + char *p; + + lcur = 0; + CATLINE( buf ); + (*lineno)++; + + /* hack attack - keeps us from having to keep a stack of bufs... */ + if ( strncasecmp( line, "include", 7 ) == 0 ) { + buf[0] = '\0'; + return( line ); + } + + while ( fgets( buf, sizeof(buf), fp ) != NULL ) { + /* trim off \r\n or \n */ + if ( (p = strchr( buf, '\n' )) != NULL ) { + if( p > buf && p[-1] == '\r' ) --p; + *p = '\0'; + } + + /* trim off trailing \ and append the next line */ + if ( line[ 0 ] != '\0' + && (p = line + strlen( line ) - 1)[ 0 ] == '\\' + && p[ -1 ] != '\\' ) { + p[ 0 ] = '\0'; + lcur--; + + } else { + if ( ! isspace( (unsigned char) buf[0] ) ) { + return( line ); + } + + /* change leading whitespace to a space */ + buf[0] = ' '; + } + + CATLINE( buf ); + (*lineno)++; + } + buf[0] = '\0'; + + return( line[0] ? line : NULL ); +} + +static void +fp_getline_init( int *lineno ) +{ + *lineno = -1; + buf[0] = '\0'; +} + diff --git a/contrib/slapd-modules/dupent/Makefile b/contrib/slapd-modules/dupent/Makefile new file mode 100644 index 0000000..b771015 --- /dev/null +++ b/contrib/slapd-modules/dupent/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_DUPENT=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = dupent.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +dupent.la: dupent.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/dupent/dupent.c b/contrib/slapd-modules/dupent/dupent.c new file mode 100644 index 0000000..3c53c21 --- /dev/null +++ b/contrib/slapd-modules/dupent/dupent.c @@ -0,0 +1,557 @@ +/* dupent.c - LDAP Control for a Duplicate Entry Representation of Search Results */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2006-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion + * in OpenLDAP Software. + */ + +/* + * LDAP Control for a Duplicate Entry Representation of Search Results + * <draft-ietf-ldapext-ldapv3-dupent-08.txt> (EXPIRED) + * <http://tools.ietf.org/id/draft-ietf-ldapext-ldapv3-dupent-08.txt> + */ + +#include "portable.h" + +/* define SLAPD_OVER_DUPENT=2 to build as run-time loadable module */ +#ifdef SLAPD_OVER_DUPENT + +/* + * The macros + * + * LDAP_CONTROL_DUPENT_REQUEST "2.16.840.1.113719.1.27.101.1" + * LDAP_CONTROL_DUPENT_RESPONSE "2.16.840.1.113719.1.27.101.2" + * LDAP_CONTROL_DUPENT_ENTRY "2.16.840.1.113719.1.27.101.3" + * + * are already defined in <ldap.h> + */ + +/* + * support for no attrs and "*" in AttributeDescriptionList is missing + */ + +#include "slap.h" +#include "ac/string.h" + +#define o_dupent o_ctrlflag[dupent_cid] +#define o_ctrldupent o_controls[dupent_cid] + +static int dupent_cid; +static slap_overinst dupent; + +typedef struct dupent_t { + AttributeName *ds_an; + ber_len_t ds_nattrs; + slap_mask_t ds_flags; + ber_int_t ds_paa; +} dupent_t; + +static int +dupent_parseCtrl ( + Operation *op, + SlapReply *rs, + LDAPControl *ctrl ) +{ + ber_tag_t tag; + BerElementBuffer berbuf; + BerElement *ber = (BerElement *)&berbuf; + ber_len_t len; + BerVarray AttributeDescriptionList = NULL; + ber_len_t cnt = sizeof(struct berval); + ber_len_t off = 0; + ber_int_t PartialApplicationAllowed = 1; + dupent_t *ds = NULL; + int i; + + if ( op->o_dupent != SLAP_CONTROL_NONE ) { + rs->sr_text = "Dupent control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + if ( BER_BVISNULL( &ctrl->ldctl_value ) ) { + rs->sr_text = "Dupent control value is absent"; + return LDAP_PROTOCOL_ERROR; + } + + if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) { + rs->sr_text = "Dupent control value is empty"; + return LDAP_PROTOCOL_ERROR; + } + + ber_init2( ber, &ctrl->ldctl_value, 0 ); + + /* + + DuplicateEntryRequest ::= SEQUENCE { + AttributeDescriptionList, -- from [RFC2251] + PartialApplicationAllowed BOOLEAN DEFAULT TRUE } + + AttributeDescriptionList ::= SEQUENCE OF + AttributeDescription + + AttributeDescription ::= LDAPString + + attributeDescription = AttributeType [ ";" <options> ] + + */ + + tag = ber_skip_tag( ber, &len ); + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + if ( ber_scanf( ber, "{M}", &AttributeDescriptionList, &cnt, off ) + == LBER_ERROR ) + { + rs->sr_text = "Dupent control: dupentSpec decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; + goto done; + } + tag = ber_skip_tag( ber, &len ); + if ( tag == LBER_BOOLEAN ) { + /* NOTE: PartialApplicationAllowed is ignored, since the control + * can always be honored + */ + if ( ber_scanf( ber, "b", &PartialApplicationAllowed ) == LBER_ERROR ) + { + rs->sr_text = "Dupent control: dupentSpec decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; + goto done; + } + tag = ber_skip_tag( ber, &len ); + } + if ( len || tag != LBER_DEFAULT ) { + rs->sr_text = "Dupent control: dupentSpec decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; + goto done; + } + + ds = (dupent_t *)op->o_tmpcalloc( 1, + sizeof(dupent_t) + sizeof(AttributeName)*cnt, + op->o_tmpmemctx ); + + ds->ds_paa = PartialApplicationAllowed; + + if ( cnt == 0 ) { + ds->ds_flags |= SLAP_USERATTRS_YES; + + } else { + int c; + + ds->ds_an = (AttributeName *)&ds[ 1 ]; + + for ( i = 0, c = 0; i < cnt; i++ ) { + const char *text; + int j; + int rc; + AttributeDescription *ad = NULL; + + if ( bvmatch( &AttributeDescriptionList[i], + slap_bv_all_user_attrs ) ) + { + if ( ds->ds_flags & SLAP_USERATTRS_YES ) { + rs->sr_text = "Dupent control: AttributeDescription decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; + goto done; + } + + ds->ds_flags |= SLAP_USERATTRS_YES; + continue; + } + + rc = slap_bv2ad( &AttributeDescriptionList[i], &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + continue; + } + + ds->ds_an[c].an_desc = ad; + ds->ds_an[c].an_name = ad->ad_cname; + + /* FIXME: not specified; consider this an error, just in case */ + for ( j = 0; j < c; j++ ) { + if ( ds->ds_an[c].an_desc == ds->ds_an[j].an_desc ) { + rs->sr_text = "Dupent control: AttributeDescription must be unique within AttributeDescriptionList"; + rs->sr_err = LDAP_PROTOCOL_ERROR; + goto done; + } + } + + c++; + } + + ds->ds_nattrs = c; + + if ( ds->ds_flags & SLAP_USERATTRS_YES ) { + /* purge user attrs */ + for ( i = 0; i < ds->ds_nattrs; ) { + if ( is_at_operational( ds->ds_an[i].an_desc->ad_type ) ) { + i++; + continue; + } + + ds->ds_nattrs--; + if ( i < ds->ds_nattrs ) { + ds->ds_an[i] = ds->ds_an[ds->ds_nattrs]; + } + } + } + } + + op->o_ctrldupent = (void *)ds; + + op->o_dupent = ctrl->ldctl_iscritical + ? SLAP_CONTROL_CRITICAL + : SLAP_CONTROL_NONCRITICAL; + + rs->sr_err = LDAP_SUCCESS; + +done:; + if ( rs->sr_err != LDAP_SUCCESS ) { + op->o_tmpfree( ds, op->o_tmpmemctx ); + } + + if ( AttributeDescriptionList != NULL ) { + ber_memfree_x( AttributeDescriptionList, op->o_tmpmemctx ); + } + + return rs->sr_err; +} + +typedef struct dupent_cb_t { + slap_overinst *dc_on; + dupent_t *dc_ds; + int dc_skip; +} dupent_cb_t; + +typedef struct valnum_t { + Attribute *ap; + Attribute a; + struct berval vals[2]; + struct berval nvals[2]; + int cnt; +} valnum_t; + +static int +dupent_response_done( Operation *op, SlapReply *rs ) +{ + BerElementBuffer berbuf; + BerElement *ber = (BerElement *) &berbuf; + struct berval ctrlval; + LDAPControl *ctrl, *ctrlsp[2]; + + ber_init2( ber, NULL, LBER_USE_DER ); + + /* + + DuplicateEntryResponseDone ::= SEQUENCE { + resultCode, -- From [RFC2251] + errorMessage [0] LDAPString OPTIONAL, + attribute [1] AttributeDescription OPTIONAL } + + */ + + ber_printf( ber, "{i}", rs->sr_err ); + if ( ber_flatten2( ber, &ctrlval, 0 ) == -1 ) { + ber_free_buf( ber ); + if ( op->o_dupent == SLAP_CONTROL_CRITICAL ) { + return LDAP_CONSTRAINT_VIOLATION; + } + return SLAP_CB_CONTINUE; + } + + ctrl = op->o_tmpcalloc( 1, + sizeof( LDAPControl ) + ctrlval.bv_len + 1, + op->o_tmpmemctx ); + ctrl->ldctl_value.bv_val = (char *)&ctrl[ 1 ]; + ctrl->ldctl_oid = LDAP_CONTROL_DUPENT_RESPONSE; + ctrl->ldctl_iscritical = 0; + ctrl->ldctl_value.bv_len = ctrlval.bv_len; + AC_MEMCPY( ctrl->ldctl_value.bv_val, ctrlval.bv_val, ctrlval.bv_len ); + ctrl->ldctl_value.bv_val[ ctrl->ldctl_value.bv_len ] = '\0'; + + ber_free_buf( ber ); + + ctrlsp[0] = ctrl; + ctrlsp[1] = NULL; + slap_add_ctrls( op, rs, ctrlsp ); + + return SLAP_CB_CONTINUE; +} + +static int +dupent_response_entry_1level( + Operation *op, + SlapReply *rs, + Entry *e, + valnum_t *valnum, + int nattrs, + int level ) +{ + int i, rc = LDAP_SUCCESS; + + for ( i = 0; i < valnum[level].ap->a_numvals; i++ ) { + LDAPControl *ctrl = NULL, *ctrlsp[2]; + + valnum[level].a.a_vals[0] = valnum[level].ap->a_vals[i]; + if ( valnum[level].ap->a_nvals != valnum[level].ap->a_vals ) { + valnum[level].a.a_nvals[0] = valnum[level].ap->a_nvals[i]; + } + + if ( level < nattrs - 1 ) { + rc = dupent_response_entry_1level( op, rs, + e, valnum, nattrs, level + 1 ); + if ( rc != LDAP_SUCCESS ) { + break; + } + + continue; + } + + /* NOTE: add the control all times, under the assumption + * send_search_entry() honors the REP_CTRLS_MUSTBEFREED + * set by slap_add_ctrls(); this is not true (ITS#6629) + */ + ctrl = op->o_tmpcalloc( 1, sizeof( LDAPControl ), op->o_tmpmemctx ); + ctrl->ldctl_oid = LDAP_CONTROL_DUPENT_ENTRY; + ctrl->ldctl_iscritical = 0; + + ctrlsp[0] = ctrl; + ctrlsp[1] = NULL; + slap_add_ctrls( op, rs, ctrlsp ); + + /* do the real send */ + rs->sr_entry = e; + rc = send_search_entry( op, rs ); + if ( rc != LDAP_SUCCESS ) { + break; + } + } + + return rc; +} + +static void +dupent_attr_prepare( dupent_t *ds, Entry *e, valnum_t *valnum, int nattrs, int c, Attribute **app, Attribute **ap_listp ) +{ + valnum[c].ap = *app; + *app = (*app)->a_next; + + valnum[c].ap->a_next = *ap_listp; + *ap_listp = valnum[c].ap; + + valnum[c].a = *valnum[c].ap; + if ( c < nattrs - 1 ) { + valnum[c].a.a_next = &valnum[c + 1].a; + } else { + valnum[c].a.a_next = NULL; + } + valnum[c].a.a_numvals = 1; + valnum[c].a.a_vals = valnum[c].vals; + BER_BVZERO( &valnum[c].vals[1] ); + if ( valnum[c].ap->a_nvals != valnum[c].ap->a_vals ) { + valnum[c].a.a_nvals = valnum[c].nvals; + BER_BVZERO( &valnum[c].nvals[1] ); + } else { + valnum[c].a.a_nvals = valnum[c].a.a_vals; + } +} + +static int +dupent_response_entry( Operation *op, SlapReply *rs ) +{ + dupent_cb_t *dc = (dupent_cb_t *)op->o_callback->sc_private; + int nattrs = 0; + valnum_t *valnum = NULL; + Attribute **app, *ap_list = NULL; + int i, c; + Entry *e = NULL; + int rc; + + assert( rs->sr_type == REP_SEARCH ); + + for ( i = 0; i < dc->dc_ds->ds_nattrs; i++ ) { + Attribute *ap; + + ap = attr_find( rs->sr_entry->e_attrs, + dc->dc_ds->ds_an[ i ].an_desc ); + if ( ap && ap->a_numvals > 1 ) { + nattrs++; + } + } + + if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) { + Attribute *ap; + + for ( ap = rs->sr_entry->e_attrs; ap != NULL; ap = ap->a_next ) { + if ( !is_at_operational( ap->a_desc->ad_type ) && ap->a_numvals > 1 ) { + nattrs++; + } + } + } + + if ( !nattrs ) { + return SLAP_CB_CONTINUE; + } + + rs_entry2modifiable( op, rs, dc->dc_on ); + rs->sr_flags &= ~(REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED); + e = rs->sr_entry; + + valnum = op->o_tmpcalloc( sizeof(valnum_t), nattrs, op->o_tmpmemctx ); + + for ( c = 0, i = 0; i < dc->dc_ds->ds_nattrs; i++ ) { + for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) { + if ( (*app)->a_desc == dc->dc_ds->ds_an[ i ].an_desc ) { + break; + } + } + + if ( *app != NULL && (*app)->a_numvals > 1 ) { + assert( c < nattrs ); + dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list ); + c++; + } + } + + if ( dc->dc_ds->ds_flags & SLAP_USERATTRS_YES ) { + for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) { + if ( !is_at_operational( (*app)->a_desc->ad_type ) && (*app)->a_numvals > 1 ) { + assert( c < nattrs ); + dupent_attr_prepare( dc->dc_ds, e, valnum, nattrs, c, app, &ap_list ); + c++; + } + } + } + + for ( app = &e->e_attrs; *app != NULL; app = &(*app)->a_next ) + /* goto tail */ ; + + *app = &valnum[0].a; + + /* NOTE: since send_search_entry() does not honor the + * REP_CTRLS_MUSTBEFREED flag set by slap_add_ctrls(), + * the control could be added here once for all (ITS#6629) + */ + + dc->dc_skip = 1; + rc = dupent_response_entry_1level( op, rs, e, valnum, nattrs, 0 ); + dc->dc_skip = 0; + + *app = ap_list; + + entry_free( e ); + + op->o_tmpfree( valnum, op->o_tmpmemctx ); + + return rc; +} + +static int +dupent_response( Operation *op, SlapReply *rs ) +{ + dupent_cb_t *dc = (dupent_cb_t *)op->o_callback->sc_private; + + if ( dc->dc_skip ) { + return SLAP_CB_CONTINUE; + } + + switch ( rs->sr_type ) { + case REP_RESULT: + return dupent_response_done( op, rs ); + + case REP_SEARCH: + return dupent_response_entry( op, rs ); + + case REP_SEARCHREF: + break; + + default: + assert( 0 ); + } + + return SLAP_CB_CONTINUE; +} + +static int +dupent_cleanup( Operation *op, SlapReply *rs ) +{ + if ( rs->sr_type == REP_RESULT || rs->sr_err == SLAPD_ABANDON ) { + op->o_tmpfree( op->o_callback, op->o_tmpmemctx ); + op->o_callback = NULL; + + op->o_tmpfree( op->o_ctrldupent, op->o_tmpmemctx ); + op->o_ctrldupent = NULL; + } + + return SLAP_CB_CONTINUE; +} + +static int +dupent_op_search( Operation *op, SlapReply *rs ) +{ + if ( op->o_dupent != SLAP_CONTROL_NONE ) { + slap_callback *sc; + dupent_cb_t *dc; + + sc = op->o_tmpcalloc( 1, sizeof( slap_callback ) + sizeof( dupent_cb_t ), op->o_tmpmemctx ); + + dc = (dupent_cb_t *)&sc[ 1 ]; + dc->dc_on = (slap_overinst *)op->o_bd->bd_info; + dc->dc_ds = (dupent_t *)op->o_ctrldupent; + dc->dc_skip = 0; + + sc->sc_response = dupent_response; + sc->sc_cleanup = dupent_cleanup; + sc->sc_private = (void *)dc; + + sc->sc_next = op->o_callback->sc_next; + op->o_callback->sc_next = sc; + } + + return SLAP_CB_CONTINUE; +} + +#if SLAPD_OVER_DUPENT == SLAPD_MOD_DYNAMIC +static +#endif /* SLAPD_OVER_DUPENT == SLAPD_MOD_DYNAMIC */ +int +dupent_initialize( void ) +{ + int rc; + + rc = register_supported_control( LDAP_CONTROL_DUPENT, + SLAP_CTRL_SEARCH, NULL, + dupent_parseCtrl, &dupent_cid ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "dupent_initialize: Failed to register control (%d)\n", + rc, 0, 0 ); + return -1; + } + + dupent.on_bi.bi_type = "dupent"; + + dupent.on_bi.bi_op_search = dupent_op_search; + + return overlay_register( &dupent ); +} + +#if SLAPD_OVER_DUPENT == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return dupent_initialize(); +} +#endif /* SLAPD_OVER_DUPENT == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_DUPENT */ diff --git a/contrib/slapd-modules/kinit/Makefile b/contrib/slapd-modules/kinit/Makefile new file mode 100644 index 0000000..2a925ed --- /dev/null +++ b/contrib/slapd-modules/kinit/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) -lkrb5 + +PROGRAMS = kinit.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +kinit.la: kinit.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/kinit/README b/contrib/slapd-modules/kinit/README new file mode 100644 index 0000000..d6f73bb --- /dev/null +++ b/contrib/slapd-modules/kinit/README @@ -0,0 +1,36 @@ +This directory contains the "kinit" slapd module. It is a simple plugin to +have slapd request a Kerberos TGT and keep it renewed as long as slapd is +running. + +The current implementation has only been tested against the MIT variant of +the Kerberos libraries. (Heimdal support might come later) + +To use the overlay just load it into the slapd process: + + moduleload </path/to>/kinit.so <principal> </path/to/key.tab> + +The module accepts two arguments. The first one being the principal for which +to request the TGT (it defaults to "ldap/<your hostname>@<DEFAULTREALM>") +and the second one is the path to the keytab file to use for +authentication, defaulting to whatever your system wide kerberos settings +default to). + +Use Makefile or the following commands should work to +build it from inside the unpacked slapd sources, provided the required KRB5 +header files and libaries are installed on your system: + + gcc -fPIC -c -I ../../../include/ -I ../../../servers/slapd kinit.c + gcc -shared -o kinit.so kinit.o -lkrb5 + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2010-2021 The OpenLDAP Foundation. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. diff --git a/contrib/slapd-modules/kinit/kinit.c b/contrib/slapd-modules/kinit/kinit.c new file mode 100644 index 0000000..7a83d38 --- /dev/null +++ b/contrib/slapd-modules/kinit/kinit.c @@ -0,0 +1,295 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2010-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#ifndef SLAPD_MOD_KINIT +#define SLAPD_MOD_KINIT SLAPD_MOD_DYNAMIC +#endif + +#ifdef SLAPD_MOD_KINIT + +#include <slap.h> +#include "ldap_rq.h" +#include <ac/errno.h> +#include <ac/string.h> +#include <krb5/krb5.h> + +typedef struct kinit_data { + krb5_context ctx; + krb5_ccache ccache; + krb5_keytab keytab; + krb5_principal princ; + krb5_get_init_creds_opt *opts; +} kinit_data; + +static char* principal; +static char* kt_name; +static kinit_data *kid; + +static void +log_krb5_errmsg( krb5_context ctx, const char* func, krb5_error_code rc ) +{ + const char* errmsg = krb5_get_error_message(ctx, rc); + Log2(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, "slapd-kinit: %s: %s\n", func, errmsg); + krb5_free_error_message(ctx, errmsg); + return; +} + +static int +kinit_check_tgt(kinit_data *kid, int *remaining) +{ + int ret=3; + krb5_principal princ; + krb5_error_code rc; + krb5_cc_cursor cursor; + krb5_creds creds; + char *name; + time_t now=time(NULL); + + rc = krb5_cc_get_principal(kid->ctx, kid->ccache, &princ); + if (rc) { + log_krb5_errmsg(kid->ctx, "krb5_cc_get_principal", rc); + return 2; + } else { + if (!krb5_principal_compare(kid->ctx, kid->princ, princ)) { + Log0(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "Principal in ccache does not match requested principal\n"); + krb5_free_principal(kid->ctx, princ); + return 2; + } + } + + rc = krb5_cc_start_seq_get(kid->ctx, kid->ccache, &cursor); + if (rc) { + log_krb5_errmsg(kid->ctx, "krb5_cc_start_seq_get", rc); + krb5_free_principal(kid->ctx, princ); + return -1; + } + + while (!(rc = krb5_cc_next_cred(kid->ctx, kid->ccache, &cursor, &creds))) { + if (krb5_is_config_principal(kid->ctx, creds.server)) { + krb5_free_cred_contents(kid->ctx, &creds); + continue; + } + + if (creds.server->length==2 && + (!strcmp(creds.server->data[0].data, "krbtgt")) && + (!strcmp(creds.server->data[1].data, princ->realm.data))) { + + krb5_unparse_name(kid->ctx, creds.server, &name); + + *remaining = (time_t)creds.times.endtime-now; + if ( *remaining <= 0) { + Log1(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: TGT (%s) expired\n", name); + } else { + Log4(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: TGT (%s) expires in %dh:%02dm:%02ds\n", + name, *remaining/3600, (*remaining%3600)/60, *remaining%60); + } + free(name); + + if (*remaining <= 30) { + if (creds.times.renew_till-60 > now) { + int renewal=creds.times.renew_till-now; + Log3(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: Time remaining for renewal: %dh:%02dm:%02ds\n", + renewal/3600, (renewal%3600)/60, renewal%60); + ret = 1; + } else { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: Only short time left for renewal. " + "Trying to re-init.\n"); + ret = 2; + } + } else { + ret=0; + } + krb5_free_cred_contents(kid->ctx, &creds); + break; + } + krb5_free_cred_contents(kid->ctx, &creds); + + } + krb5_cc_end_seq_get(kid->ctx, kid->ccache, &cursor); + krb5_free_principal(kid->ctx, princ); + return ret; +} + +void* +kinit_qtask( void *ctx, void *arg ) +{ + struct re_s *rtask = arg; + kinit_data *kid = (kinit_data*)rtask->arg; + krb5_error_code rc; + krb5_creds creds; + int nextcheck, remaining, renew=0; + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: running TGT check\n"); + + memset(&creds, 0, sizeof(creds)); + + renew = kinit_check_tgt(kid, &remaining); + + if (renew > 0) { + if (renew==1) { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: Trying to renew TGT: "); + rc = krb5_get_renewed_creds(kid->ctx, &creds, kid->princ, kid->ccache, NULL); + if (rc!=0) { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Failed\n"); + log_krb5_errmsg( kid->ctx, + "kinit_qtask, Renewal failed: krb5_get_renewed_creds", rc ); + renew++; + } else { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Success\n"); + krb5_cc_initialize(kid->ctx, kid->ccache, creds.client); + krb5_cc_store_cred(kid->ctx, kid->ccache, &creds); + krb5_free_cred_contents(kid->ctx, &creds); + renew=kinit_check_tgt(kid, &remaining); + } + } + if (renew > 1) { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: Trying to get new TGT: "); + rc = krb5_get_init_creds_keytab( kid->ctx, &creds, kid->princ, + kid->keytab, 0, NULL, kid->opts); + if (rc) { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Failed\n"); + log_krb5_errmsg(kid->ctx, "krb5_get_init_creds_keytab", rc); + } else { + Log0(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Success\n"); + renew=kinit_check_tgt(kid, &remaining); + } + krb5_free_cred_contents(kid->ctx, &creds); + } + } + if (renew == 0) { + nextcheck = remaining-30; + } else { + nextcheck = 60; + } + + ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); + if ( ldap_pvt_runqueue_isrunning( &slapd_rq, rtask )) { + ldap_pvt_runqueue_stoptask( &slapd_rq, rtask ); + } + Log3(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, + "kinit_qtask: Next TGT check in %dh:%02dm:%02ds\n", + nextcheck/3600, (nextcheck%3600)/60, nextcheck%60); + rtask->interval.tv_sec = nextcheck; + ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 ); + slap_wake_listener(); + ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); + return NULL; +} + +int +kinit_initialize(void) +{ + Log0( LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_initialize\n" ); + krb5_error_code rc; + struct re_s *task = NULL; + + kid = ch_calloc(1, sizeof(kinit_data) ); + + rc = krb5_init_context( &kid->ctx ); + if ( !rc ) + rc = krb5_cc_default(kid->ctx, &kid->ccache ); + + if ( !rc ) { + if (!principal) { + int len=STRLENOF("ldap/")+global_host_bv.bv_len+1; + principal=ch_calloc(len, 1); + snprintf(principal, len, "ldap/%s", global_host_bv.bv_val); + Log1(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Principal <%s>\n", principal); + + } + rc = krb5_parse_name(kid->ctx, principal, &kid->princ); + } + + if ( !rc && kt_name) { + rc = krb5_kt_resolve(kid->ctx, kt_name, &kid->keytab); + } + + if ( !rc ) + rc = krb5_get_init_creds_opt_alloc(kid->ctx, &kid->opts); + + if ( !rc ) + rc = krb5_get_init_creds_opt_set_out_ccache( kid->ctx, kid->opts, kid->ccache); + + if ( !rc ) { + ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); + task = ldap_pvt_runqueue_insert( &slapd_rq, 10, kinit_qtask, (void*)kid, + "kinit_qtask", "ldap/bronsted.g17.lan@G17.LAN" ); + ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); + } + + if (rc) { + log_krb5_errmsg(kid->ctx, "kinit_initialize", rc); + rc = -1; + } + return rc; +} + +#if SLAPD_MOD_KINIT == SLAPD_MOD_DYNAMIC +int init_module(int argc, char *argv[]) { + if (argc > 0) { + principal = ch_strdup(argv[0]); + } + if (argc > 1) { + kt_name = ch_strdup(argv[1]); + } + if (argc > 2) { + return -1; + } + return kinit_initialize(); +} + +int +term_module() { + if (principal) + ch_free(principal); + if (kt_name) + ch_free(kt_name); + if (kid) { + struct re_s *task; + + task=ldap_pvt_runqueue_find( &slapd_rq, kinit_qtask, (void*)kid); + if (task) { + if ( ldap_pvt_runqueue_isrunning(&slapd_rq, task) ) { + ldap_pvt_runqueue_stoptask(&slapd_rq, task); + } + ldap_pvt_runqueue_remove(&slapd_rq, task); + } + if ( kid->ctx ) { + if ( kid->princ ) + krb5_free_principal(kid->ctx, kid->princ); + if ( kid->ccache ) + krb5_cc_close(kid->ctx, kid->ccache); + if ( kid->keytab ) + krb5_kt_close(kid->ctx, kid->keytab); + if ( kid->opts ) + krb5_get_init_creds_opt_free(kid->ctx, kid->opts); + krb5_free_context(kid->ctx); + } + ch_free(kid); + } + return 0; +} +#endif + +#endif /* SLAPD_MOD_KINIT */ + diff --git a/contrib/slapd-modules/lastbind/Makefile b/contrib/slapd-modules/lastbind/Makefile new file mode 100644 index 0000000..1745aa8 --- /dev/null +++ b/contrib/slapd-modules/lastbind/Makefile @@ -0,0 +1,56 @@ +# $OpenLDAP$ +# Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = lastbind.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +lastbind.la: lastbind.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/lastbind/lastbind.c b/contrib/slapd-modules/lastbind/lastbind.c new file mode 100644 index 0000000..311be04 --- /dev/null +++ b/contrib/slapd-modules/lastbind/lastbind.c @@ -0,0 +1,317 @@ +/* lastbind.c - Record timestamp of the last successful bind to entries */ +/* $OpenLDAP$ */ +/* + * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work is loosely derived from the ppolicy overlay. + */ + +#include "portable.h" + +/* + * This file implements an overlay that stores the timestamp of the + * last successful bind operation in a directory entry. + * + * Optimization: to avoid performing a write on each bind, + * a precision for this timestamp may be configured, causing it to + * only be updated if it is older than a given number of seconds. + */ + +#ifdef SLAPD_OVER_LASTBIND + +#include <ldap.h> +#include "lutil.h" +#include "slap.h" +#include <ac/errno.h> +#include <ac/time.h> +#include <ac/string.h> +#include <ac/ctype.h> +#include "config.h" + +/* Per-instance configuration information */ +typedef struct lastbind_info { + /* precision to update timestamp in authTimestamp attribute */ + int timestamp_precision; + int forward_updates; /* use frontend for authTimestamp updates */ +} lastbind_info; + +/* Operational attributes */ +static AttributeDescription *ad_authTimestamp; + +/* This is the definition used by ISODE, as supplied to us in + * ITS#6238 Followup #9 + */ +static struct schema_info { + char *def; + AttributeDescription **ad; +} lastBind_OpSchema[] = { + { "( 1.3.6.1.4.1.453.16.2.188 " + "NAME 'authTimestamp' " + "DESC 'last successful authentication using any method/mech' " + "EQUALITY generalizedTimeMatch " + "ORDERING generalizedTimeOrderingMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " + "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )", + &ad_authTimestamp}, + { NULL, NULL } +}; + +/* configuration attribute and objectclass */ +static ConfigTable lastbindcfg[] = { + { "lastbind-precision", "seconds", 2, 2, 0, + ARG_INT|ARG_OFFSET, + (void *)offsetof(lastbind_info, timestamp_precision), + "( OLcfgCtAt:5.1 " + "NAME 'olcLastBindPrecision' " + "DESC 'Precision of authTimestamp attribute' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "lastbind_forward_updates", "on|off", 1, 2, 0, + ARG_ON_OFF|ARG_OFFSET, + (void *)offsetof(lastbind_info,forward_updates), + "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' " + "DESC 'Allow authTimestamp updates to be forwarded via updateref' " + "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, + { NULL, NULL, 0, 0, 0, ARG_IGNORED } +}; + +static ConfigOCs lastbindocs[] = { + { "( OLcfgCtOc:5.1 " + "NAME 'olcLastBindConfig' " + "DESC 'Last Bind configuration' " + "SUP olcOverlayConfig " + "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )", + Cft_Overlay, lastbindcfg, NULL, NULL }, + { NULL, 0, NULL } +}; + +static time_t +parse_time( char *atm ) +{ + struct lutil_tm tm; + struct lutil_timet tt; + time_t ret = (time_t)-1; + + if ( lutil_parsetime( atm, &tm ) == 0) { + lutil_tm2time( &tm, &tt ); + ret = tt.tt_sec; + } + return ret; +} + +static int +lastbind_bind_response( Operation *op, SlapReply *rs ) +{ + Modifications *mod = NULL; + BackendInfo *bi = op->o_bd->bd_info; + Entry *e; + int rc; + + /* we're only interested if the bind was successful */ + if ( rs->sr_err != LDAP_SUCCESS ) + return SLAP_CB_CONTINUE; + + rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); + op->o_bd->bd_info = bi; + + if ( rc != LDAP_SUCCESS ) { + return SLAP_CB_CONTINUE; + } + + { + lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; + + time_t now, bindtime = (time_t)-1; + Attribute *a; + Modifications *m; + char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ]; + struct berval timestamp; + + /* get the current time */ + now = slap_get_time(); + + /* get authTimestamp attribute, if it exists */ + if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) { + bindtime = parse_time( a->a_nvals[0].bv_val ); + + if (bindtime != (time_t)-1) { + /* if the recorded bind time is within our precision, we're done + * it doesn't need to be updated (save a write for nothing) */ + if ((now - bindtime) < lbi->timestamp_precision) { + goto done; + } + } + } + + /* update the authTimestamp in the user's entry with the current time */ + timestamp.bv_val = nowstr; + timestamp.bv_len = sizeof(nowstr); + slap_timestamp( &now, ×tamp ); + + m = ch_calloc( sizeof(Modifications), 1 ); + m->sml_op = LDAP_MOD_REPLACE; + m->sml_flags = 0; + m->sml_type = ad_authTimestamp->ad_cname; + m->sml_desc = ad_authTimestamp; + m->sml_numvals = 1; + m->sml_values = ch_calloc( sizeof(struct berval), 2 ); + m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 ); + + ber_dupbv( &m->sml_values[0], ×tamp ); + ber_dupbv( &m->sml_nvalues[0], ×tamp ); + m->sml_next = mod; + mod = m; + } + +done: + be_entry_release_r( op, e ); + + /* perform the update, if necessary */ + if ( mod ) { + Operation op2 = *op; + SlapReply r2 = { REP_RESULT }; + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + LDAPControl c, *ca[2]; + lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private; + + /* This is a DSA-specific opattr, it never gets replicated. */ + op2.o_tag = LDAP_REQ_MODIFY; + op2.o_callback = &cb; + op2.orm_modlist = mod; + op2.orm_no_opattrs = 0; + op2.o_dn = op->o_bd->be_rootdn; + op2.o_ndn = op->o_bd->be_rootndn; + + /* + * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy + * + * If this server is a shadow and forward_updates is true, + * use the frontend to perform this modify. That will trigger + * the update referral, which can then be forwarded by the + * chain overlay. Obviously the updateref and chain overlay + * must be configured appropriately for this to be useful. + */ + if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) { + op2.o_bd = frontendDB; + + /* Must use Relax control since these are no-user-mod */ + op2.o_relax = SLAP_CONTROL_CRITICAL; + op2.o_ctrls = ca; + ca[0] = &c; + ca[1] = NULL; + BER_BVZERO( &c.ldctl_value ); + c.ldctl_iscritical = 1; + c.ldctl_oid = LDAP_CONTROL_RELAX; + } else { + /* If not forwarding, don't update opattrs and don't replicate */ + if ( SLAP_SINGLE_SHADOW( op->o_bd )) { + op2.orm_no_opattrs = 1; + op2.o_dont_replicate = 1; + } + /* TODO: not sure what this does in slapo-ppolicy */ + /* + op2.o_bd->bd_info = (BackendInfo *)on->on_info; + */ + } + + rc = op->o_bd->be_modify( &op2, &r2 ); + slap_mods_free( mod, 1 ); + } + + op->o_bd->bd_info = bi; + return SLAP_CB_CONTINUE; +} + +static int +lastbind_bind( Operation *op, SlapReply *rs ) +{ + slap_callback *cb; + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + + /* setup a callback to intercept result of this bind operation + * and pass along the lastbind_info struct */ + cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx ); + cb->sc_response = lastbind_bind_response; + cb->sc_next = op->o_callback->sc_next; + cb->sc_private = on->on_bi.bi_private; + op->o_callback->sc_next = cb; + + return SLAP_CB_CONTINUE; +} + +static int +lastbind_db_init( + BackendDB *be, + ConfigReply *cr +) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + + /* initialize private structure to store configuration */ + on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) ); + + return 0; +} + +static int +lastbind_db_close( + BackendDB *be, + ConfigReply *cr +) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private; + + /* free private structure to store configuration */ + free( lbi ); + + return 0; +} + +static slap_overinst lastbind; + +int lastbind_initialize() +{ + int i, code; + + /* register operational schema for this overlay (authTimestamp attribute) */ + for (i=0; lastBind_OpSchema[i].def; i++) { + code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "lastbind_initialize: register_at failed\n", 0, 0, 0 ); + return code; + } + } + + ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE; + + lastbind.on_bi.bi_type = "lastbind"; + lastbind.on_bi.bi_db_init = lastbind_db_init; + lastbind.on_bi.bi_db_close = lastbind_db_close; + lastbind.on_bi.bi_op_bind = lastbind_bind; + + /* register configuration directives */ + lastbind.on_bi.bi_cf_ocs = lastbindocs; + code = config_register_schema( lastbindcfg, lastbindocs ); + if ( code ) return code; + + return overlay_register( &lastbind ); +} + +#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC +int init_module(int argc, char *argv[]) { + return lastbind_initialize(); +} +#endif + +#endif /* defined(SLAPD_OVER_LASTBIND) */ diff --git a/contrib/slapd-modules/lastbind/slapo-lastbind.5 b/contrib/slapd-modules/lastbind/slapo-lastbind.5 new file mode 100644 index 0000000..d0da8b8 --- /dev/null +++ b/contrib/slapd-modules/lastbind/slapo-lastbind.5 @@ -0,0 +1,108 @@ +.TH SLAPO-LASTBIND 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2009 Jonathan Clarke, All Rights Reserved. +.\" $OpenLDAP$ +.SH NAME +slapo-lastbind \- lastbind overlay to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B lastbind +overlay to +.BR slapd (8) +allows recording the timestamp of the last successful bind to entries +in the directory, in the +.B authTimestamp +attribute. +The overlay can be configured to update this timestamp only if it is +older than a given value, thus avoiding large numbers of write +operations penalizing performance. +One sample use for this overlay would be to detect unused accounts. + +.SH CONFIGURATION +The config directives that are specific to the +.B lastbind +overlay must be prefixed by +.BR lastbind\- , +to avoid potential conflicts with directives specific to the underlying +database or to other stacked overlays. + +.TP +.B overlay lastbind +This directive adds the +.B lastbind +overlay to the current database, see +.BR slapd.conf (5) +for details. + +.LP +This +.B slapd.conf +configuration option is defined for the lastbind overlay. It must +appear after the +.B overlay +directive: +.TP +.B lastbind-precision <seconds> +The value +.B <seconds> +is the number of seconds after which to update the +.B authTimestamp +attribute in an entry. If the existing value of +.B authTimestamp +is less than +.B <seconds> +old, it will not be changed. +If this configuration option is omitted, the +.B authTimestamp +attribute is updated on each successful bind operation. +.TP +.B lastbind_forward_updates +Specify that updates of the authTimestamp attribute +on a consumer should be forwarded +to a provider instead of being written directly into the consumer's local +database. This setting is only useful on a replication consumer, and +also requires the +.B updateref +setting and +.B chain +overlay to be appropriately configured. + +.SH EXAMPLE +This example configures the +.B lastbind +overlay to store +.B authTimestamp +in all entries in a database, with a 1 week precision. +Add the following to +.BR slapd.conf (5): + +.LP +.nf + database <database> + # ... + + overlay lastbind + lastbind-precision 604800 +.fi +.LP +.B slapd +must also load +.B lastbind.la, +if compiled as a run-time module; + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd (8). +The +.BR slapo-lastbind (5) +overlay supports dynamic configuration via +.BR back-config. +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2009 by Jonathan Clarke. It is loosely +derived from the password policy overlay. diff --git a/contrib/slapd-modules/lastmod/Makefile b/contrib/slapd-modules/lastmod/Makefile new file mode 100644 index 0000000..098984e --- /dev/null +++ b/contrib/slapd-modules/lastmod/Makefile @@ -0,0 +1,47 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_LASTMOD=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = lastmod.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +lastmod.la: lastmod.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + + diff --git a/contrib/slapd-modules/lastmod/lastmod.c b/contrib/slapd-modules/lastmod/lastmod.c new file mode 100644 index 0000000..2df3be5 --- /dev/null +++ b/contrib/slapd-modules/lastmod/lastmod.c @@ -0,0 +1,962 @@ +/* lastmod.c - returns last modification info */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion in + * OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_LASTMOD + +#include <stdio.h> + +#include <ac/string.h> +#include <ac/socket.h> + +#include "slap.h" +#include "lutil.h" + +typedef struct lastmod_info_t { + struct berval lmi_rdnvalue; + Entry *lmi_e; + ldap_pvt_thread_mutex_t lmi_entry_mutex; + int lmi_enabled; +} lastmod_info_t; + +struct lastmod_schema_t { + ObjectClass *lms_oc_lastmod; + AttributeDescription *lms_ad_lastmodDN; + AttributeDescription *lms_ad_lastmodType; + AttributeDescription *lms_ad_lastmodEnabled; +} lastmod_schema; + +enum lastmodType_e { + LASTMOD_ADD = 0, + LASTMOD_DELETE, + LASTMOD_EXOP, + LASTMOD_MODIFY, + LASTMOD_MODRDN, + LASTMOD_UNKNOWN +}; + +struct berval lastmodType[] = { + BER_BVC( "add" ), + BER_BVC( "delete" ), + BER_BVC( "exop" ), + BER_BVC( "modify" ), + BER_BVC( "modrdn" ), + BER_BVC( "unknown" ), + BER_BVNULL +}; + +static struct m_s { + char *schema; + slap_mask_t flags; + int offset; +} moc[] = { + { "( 1.3.6.1.4.1.4203.666.3.13" + "NAME 'lastmod' " + "DESC 'OpenLDAP per-database last modification monitoring' " + "STRUCTURAL " + "SUP top " + "MUST cn " + "MAY ( " + "lastmodDN " + "$ lastmodType " + "$ description " + "$ seeAlso " + ") )", SLAP_OC_OPERATIONAL|SLAP_OC_HIDE, + offsetof( struct lastmod_schema_t, lms_oc_lastmod ) }, + { NULL } +}, mat[] = { + { "( 1.3.6.1.4.1.4203.666.1.28" + "NAME 'lastmodDN' " + "DESC 'DN of last modification' " + "EQUALITY distinguishedNameMatch " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 " + "NO-USER-MODIFICATION " + "USAGE directoryOperation )", SLAP_AT_HIDE, + offsetof( struct lastmod_schema_t, lms_ad_lastmodDN ) }, + { "( 1.3.6.1.4.1.4203.666.1.29" + "NAME 'lastmodType' " + "DESC 'Type of last modification' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 " + "EQUALITY caseIgnoreMatch " + "SINGLE-VALUE " + "NO-USER-MODIFICATION " + "USAGE directoryOperation )", SLAP_AT_HIDE, + offsetof( struct lastmod_schema_t, lms_ad_lastmodType ) }, + { "( 1.3.6.1.4.1.4203.666.1.30" + "NAME 'lastmodEnabled' " + "DESC 'Lastmod overlay state' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 " + "EQUALITY booleanMatch " + "SINGLE-VALUE )", 0, + offsetof( struct lastmod_schema_t, lms_ad_lastmodEnabled ) }, + { NULL } + + /* FIXME: what about UUID of last modified entry? */ +}; + +static int +lastmod_search( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + int rc; + + /* if we get here, it must be a success */ + rs->sr_err = LDAP_SUCCESS; + + ldap_pvt_thread_mutex_lock( &lmi->lmi_entry_mutex ); + + rc = test_filter( op, lmi->lmi_e, op->oq_search.rs_filter ); + if ( rc == LDAP_COMPARE_TRUE ) { + rs->sr_attrs = op->ors_attrs; + rs->sr_flags = 0; + rs->sr_entry = lmi->lmi_e; + rs->sr_err = send_search_entry( op, rs ); + rs->sr_entry = NULL; + rs->sr_flags = 0; + rs->sr_attrs = NULL; + } + + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + + send_ldap_result( op, rs ); + + return 0; +} + +static int +lastmod_compare( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + Attribute *a; + + ldap_pvt_thread_mutex_lock( &lmi->lmi_entry_mutex ); + + if ( get_assert( op ) && + ( test_filter( op, lmi->lmi_e, get_assertion( op ) ) != LDAP_COMPARE_TRUE ) ) + { + rs->sr_err = LDAP_ASSERTION_FAILED; + goto return_results; + } + + rs->sr_err = access_allowed( op, lmi->lmi_e, op->oq_compare.rs_ava->aa_desc, + &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ); + if ( ! rs->sr_err ) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + goto return_results; + } + + rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; + + for ( a = attr_find( lmi->lmi_e->e_attrs, op->oq_compare.rs_ava->aa_desc ); + a != NULL; + a = attr_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) ) + { + rs->sr_err = LDAP_COMPARE_FALSE; + + if ( value_find_ex( op->oq_compare.rs_ava->aa_desc, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + a->a_nvals, &op->oq_compare.rs_ava->aa_value, op->o_tmpmemctx ) == 0 ) + { + rs->sr_err = LDAP_COMPARE_TRUE; + break; + } + } + +return_results:; + + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + + send_ldap_result( op, rs ); + + if( rs->sr_err == LDAP_COMPARE_FALSE || rs->sr_err == LDAP_COMPARE_TRUE ) { + rs->sr_err = LDAP_SUCCESS; + } + + return rs->sr_err; +} + +static int +lastmod_exop( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + /* Temporary */ + + op->o_bd->bd_info = (BackendInfo *)on->on_info; + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "not allowed within namingContext"; + send_ldap_result( op, rs ); + rs->sr_text = NULL; + + return -1; +} + +static int +lastmod_modify( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + Modifications *ml; + + ldap_pvt_thread_mutex_lock( &lmi->lmi_entry_mutex ); + + if ( !acl_check_modlist( op, lmi->lmi_e, op->orm_modlist ) ) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + goto cleanup; + } + + for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) { + Attribute *a; + + if ( ml->sml_desc != lastmod_schema.lms_ad_lastmodEnabled ) { + continue; + } + + if ( ml->sml_op != LDAP_MOD_REPLACE ) { + rs->sr_text = "unsupported mod type"; + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + goto cleanup; + } + + a = attr_find( lmi->lmi_e->e_attrs, ml->sml_desc ); + + if ( a == NULL ) { + rs->sr_text = "lastmod overlay internal error"; + rs->sr_err = LDAP_OTHER; + goto cleanup; + } + + ch_free( a->a_vals[ 0 ].bv_val ); + ber_dupbv( &a->a_vals[ 0 ], &ml->sml_values[ 0 ] ); + if ( a->a_nvals ) { + ch_free( a->a_nvals[ 0 ].bv_val ); + if ( ml->sml_nvalues && !BER_BVISNULL( &ml->sml_nvalues[ 0 ] ) ) { + ber_dupbv( &a->a_nvals[ 0 ], &ml->sml_nvalues[ 0 ] ); + } else { + ber_dupbv( &a->a_nvals[ 0 ], &ml->sml_values[ 0 ] ); + } + } + + if ( strcmp( ml->sml_values[ 0 ].bv_val, "TRUE" ) == 0 ) { + lmi->lmi_enabled = 1; + } else if ( strcmp( ml->sml_values[ 0 ].bv_val, "FALSE" ) == 0 ) { + lmi->lmi_enabled = 0; + } else { + assert( 0 ); + } + } + + rs->sr_err = LDAP_SUCCESS; + +cleanup:; + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + + send_ldap_result( op, rs ); + rs->sr_text = NULL; + + return rs->sr_err; +} + +static int +lastmod_op_func( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + Modifications *ml; + + if ( dn_match( &op->o_req_ndn, &lmi->lmi_e->e_nname ) ) { + switch ( op->o_tag ) { + case LDAP_REQ_SEARCH: + if ( op->ors_scope != LDAP_SCOPE_BASE ) { + goto return_referral; + } + /* process */ + return lastmod_search( op, rs ); + + case LDAP_REQ_COMPARE: + return lastmod_compare( op, rs ); + + case LDAP_REQ_EXTENDED: + /* if write, reject; otherwise process */ + if ( exop_is_write( op )) { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "not allowed within namingContext"; + goto return_error; + } + return lastmod_exop( op, rs ); + + case LDAP_REQ_MODIFY: + /* allow only changes to overlay status */ + for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) { + if ( ad_cmp( ml->sml_desc, slap_schema.si_ad_modifiersName ) != 0 + && ad_cmp( ml->sml_desc, slap_schema.si_ad_modifyTimestamp ) != 0 + && ad_cmp( ml->sml_desc, slap_schema.si_ad_entryCSN ) != 0 + && ad_cmp( ml->sml_desc, lastmod_schema.lms_ad_lastmodEnabled ) != 0 ) + { + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "not allowed within namingContext"; + goto return_error; + } + } + return lastmod_modify( op, rs ); + + default: + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "not allowed within namingContext"; + goto return_error; + } + } + + if ( dnIsSuffix( &op->o_req_ndn, &lmi->lmi_e->e_nname ) ) { + goto return_referral; + } + + return SLAP_CB_CONTINUE; + +return_referral:; + op->o_bd->bd_info = (BackendInfo *)on->on_info; + rs->sr_ref = referral_rewrite( default_referral, + NULL, &op->o_req_dn, op->ors_scope ); + + if ( !rs->sr_ref ) { + rs->sr_ref = default_referral; + } + rs->sr_err = LDAP_REFERRAL; + send_ldap_result( op, rs ); + + if ( rs->sr_ref != default_referral ) { + ber_bvarray_free( rs->sr_ref ); + } + rs->sr_ref = NULL; + + return -1; + +return_error:; + op->o_bd->bd_info = (BackendInfo *)on->on_info; + send_ldap_result( op, rs ); + rs->sr_text = NULL; + + return -1; +} + +static int +best_guess( Operation *op, + struct berval *bv_entryCSN, struct berval *bv_nentryCSN, + struct berval *bv_modifyTimestamp, struct berval *bv_nmodifyTimestamp, + struct berval *bv_modifiersName, struct berval *bv_nmodifiersName ) +{ + if ( bv_entryCSN ) { + char csnbuf[ LDAP_PVT_CSNSTR_BUFSIZE ]; + struct berval entryCSN; + + entryCSN.bv_val = csnbuf; + entryCSN.bv_len = sizeof( csnbuf ); + slap_get_csn( NULL, &entryCSN, 0 ); + + ber_dupbv( bv_entryCSN, &entryCSN ); + ber_dupbv( bv_nentryCSN, &entryCSN ); + } + + if ( bv_modifyTimestamp ) { + char tmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ]; + struct berval timestamp; + time_t currtime; + + /* best guess */ +#if 0 + currtime = slap_get_time(); +#endif + /* maybe we better use the time the operation was initiated */ + currtime = op->o_time; + + timestamp.bv_val = tmbuf; + timestamp.bv_len = sizeof(tmbuf); + slap_timestamp( &currtime, ×tamp ); + + ber_dupbv( bv_modifyTimestamp, ×tamp ); + ber_dupbv( bv_nmodifyTimestamp, bv_modifyTimestamp ); + } + + if ( bv_modifiersName ) { + /* best guess */ + ber_dupbv( bv_modifiersName, &op->o_dn ); + ber_dupbv( bv_nmodifiersName, &op->o_ndn ); + } + + return 0; +} + +static int +lastmod_update( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + Attribute *a; + Modifications *ml = NULL; + struct berval bv_entryCSN = BER_BVNULL, + bv_nentryCSN = BER_BVNULL, + bv_modifyTimestamp = BER_BVNULL, + bv_nmodifyTimestamp = BER_BVNULL, + bv_modifiersName = BER_BVNULL, + bv_nmodifiersName = BER_BVNULL, + bv_name = BER_BVNULL, + bv_nname = BER_BVNULL; + enum lastmodType_e lmt = LASTMOD_UNKNOWN; + Entry *e = NULL; + int rc = -1; + + /* FIXME: timestamp? modifier? */ + switch ( op->o_tag ) { + case LDAP_REQ_ADD: + lmt = LASTMOD_ADD; + e = op->ora_e; + a = attr_find( e->e_attrs, slap_schema.si_ad_entryCSN ); + if ( a != NULL ) { + ber_dupbv( &bv_entryCSN, &a->a_vals[0] ); + if ( a->a_nvals && !BER_BVISNULL( &a->a_nvals[0] ) ) { + ber_dupbv( &bv_nentryCSN, &a->a_nvals[0] ); + } else { + ber_dupbv( &bv_nentryCSN, &a->a_vals[0] ); + } + } + a = attr_find( e->e_attrs, slap_schema.si_ad_modifyTimestamp ); + if ( a != NULL ) { + ber_dupbv( &bv_modifyTimestamp, &a->a_vals[0] ); + if ( a->a_nvals && !BER_BVISNULL( &a->a_nvals[0] ) ) { + ber_dupbv( &bv_nmodifyTimestamp, &a->a_nvals[0] ); + } else { + ber_dupbv( &bv_nmodifyTimestamp, &a->a_vals[0] ); + } + } + a = attr_find( e->e_attrs, slap_schema.si_ad_modifiersName ); + if ( a != NULL ) { + ber_dupbv( &bv_modifiersName, &a->a_vals[0] ); + ber_dupbv( &bv_nmodifiersName, &a->a_nvals[0] ); + } + ber_dupbv( &bv_name, &e->e_name ); + ber_dupbv( &bv_nname, &e->e_nname ); + break; + + case LDAP_REQ_DELETE: + lmt = LASTMOD_DELETE; + + best_guess( op, &bv_entryCSN, &bv_nentryCSN, + &bv_modifyTimestamp, &bv_nmodifyTimestamp, + &bv_modifiersName, &bv_nmodifiersName ); + + ber_dupbv( &bv_name, &op->o_req_dn ); + ber_dupbv( &bv_nname, &op->o_req_ndn ); + break; + + case LDAP_REQ_EXTENDED: + lmt = LASTMOD_EXOP; + + /* actually, password change is wrapped around a backend + * call to modify, so it never shows up as an exop... */ + best_guess( op, &bv_entryCSN, &bv_nentryCSN, + &bv_modifyTimestamp, &bv_nmodifyTimestamp, + &bv_modifiersName, &bv_nmodifiersName ); + + ber_dupbv( &bv_name, &op->o_req_dn ); + ber_dupbv( &bv_nname, &op->o_req_ndn ); + break; + + case LDAP_REQ_MODIFY: + lmt = LASTMOD_MODIFY; + rc = 3; + + for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) { + if ( ad_cmp( ml->sml_desc , slap_schema.si_ad_modifiersName ) == 0 ) { + ber_dupbv( &bv_modifiersName, &ml->sml_values[0] ); + ber_dupbv( &bv_nmodifiersName, &ml->sml_nvalues[0] ); + + rc--; + if ( !rc ) { + break; + } + + } else if ( ad_cmp( ml->sml_desc, slap_schema.si_ad_entryCSN ) == 0 ) { + ber_dupbv( &bv_entryCSN, &ml->sml_values[0] ); + if ( ml->sml_nvalues && !BER_BVISNULL( &ml->sml_nvalues[0] ) ) { + ber_dupbv( &bv_nentryCSN, &ml->sml_nvalues[0] ); + } else { + ber_dupbv( &bv_nentryCSN, &ml->sml_values[0] ); + } + + rc --; + if ( !rc ) { + break; + } + + } else if ( ad_cmp( ml->sml_desc, slap_schema.si_ad_modifyTimestamp ) == 0 ) { + ber_dupbv( &bv_modifyTimestamp, &ml->sml_values[0] ); + if ( ml->sml_nvalues && !BER_BVISNULL( &ml->sml_nvalues[0] ) ) { + ber_dupbv( &bv_nmodifyTimestamp, &ml->sml_nvalues[0] ); + } else { + ber_dupbv( &bv_nmodifyTimestamp, &ml->sml_values[0] ); + } + + rc --; + if ( !rc ) { + break; + } + } + } + + /* if rooted at global overlay, opattrs are not yet in place */ + if ( BER_BVISNULL( &bv_modifiersName ) ) { + best_guess( op, NULL, NULL, NULL, NULL, &bv_modifiersName, &bv_nmodifiersName ); + } + + if ( BER_BVISNULL( &bv_entryCSN ) ) { + best_guess( op, &bv_entryCSN, &bv_nentryCSN, NULL, NULL, NULL, NULL ); + } + + if ( BER_BVISNULL( &bv_modifyTimestamp ) ) { + best_guess( op, NULL, NULL, &bv_modifyTimestamp, &bv_nmodifyTimestamp, NULL, NULL ); + } + + ber_dupbv( &bv_name, &op->o_req_dn ); + ber_dupbv( &bv_nname, &op->o_req_ndn ); + break; + + case LDAP_REQ_MODRDN: + lmt = LASTMOD_MODRDN; + e = NULL; + + if ( op->orr_newSup && !BER_BVISNULL( op->orr_newSup ) ) { + build_new_dn( &bv_name, op->orr_newSup, &op->orr_newrdn, NULL ); + build_new_dn( &bv_nname, op->orr_nnewSup, &op->orr_nnewrdn, NULL ); + + } else { + struct berval pdn; + + dnParent( &op->o_req_dn, &pdn ); + build_new_dn( &bv_name, &pdn, &op->orr_newrdn, NULL ); + + dnParent( &op->o_req_ndn, &pdn ); + build_new_dn( &bv_nname, &pdn, &op->orr_nnewrdn, NULL ); + } + + if ( on->on_info->oi_orig->bi_entry_get_rw ) { + BackendInfo *bi = op->o_bd->bd_info; + int rc; + + op->o_bd->bd_info = (BackendInfo *)on->on_info->oi_orig; + rc = op->o_bd->bd_info->bi_entry_get_rw( op, &bv_name, NULL, NULL, 0, &e ); + if ( rc == LDAP_SUCCESS ) { + a = attr_find( e->e_attrs, slap_schema.si_ad_modifiersName ); + if ( a != NULL ) { + ber_dupbv( &bv_modifiersName, &a->a_vals[0] ); + ber_dupbv( &bv_nmodifiersName, &a->a_nvals[0] ); + } + a = attr_find( e->e_attrs, slap_schema.si_ad_entryCSN ); + if ( a != NULL ) { + ber_dupbv( &bv_entryCSN, &a->a_vals[0] ); + if ( a->a_nvals && !BER_BVISNULL( &a->a_nvals[0] ) ) { + ber_dupbv( &bv_nentryCSN, &a->a_nvals[0] ); + } else { + ber_dupbv( &bv_nentryCSN, &a->a_vals[0] ); + } + } + a = attr_find( e->e_attrs, slap_schema.si_ad_modifyTimestamp ); + if ( a != NULL ) { + ber_dupbv( &bv_modifyTimestamp, &a->a_vals[0] ); + if ( a->a_nvals && !BER_BVISNULL( &a->a_nvals[0] ) ) { + ber_dupbv( &bv_nmodifyTimestamp, &a->a_nvals[0] ); + } else { + ber_dupbv( &bv_nmodifyTimestamp, &a->a_vals[0] ); + } + } + + assert( dn_match( &bv_name, &e->e_name ) ); + assert( dn_match( &bv_nname, &e->e_nname ) ); + + op->o_bd->bd_info->bi_entry_release_rw( op, e, 0 ); + } + + op->o_bd->bd_info = bi; + + } + + /* if !bi_entry_get_rw || bi_entry_get_rw failed for any reason... */ + if ( e == NULL ) { + best_guess( op, &bv_entryCSN, &bv_nentryCSN, + &bv_modifyTimestamp, &bv_nmodifyTimestamp, + &bv_modifiersName, &bv_nmodifiersName ); + } + + break; + + default: + return -1; + } + + ldap_pvt_thread_mutex_lock( &lmi->lmi_entry_mutex ); + +#if 0 + fprintf( stderr, "### lastmodDN: %s %s\n", bv_name.bv_val, bv_nname.bv_val ); +#endif + + a = attr_find( lmi->lmi_e->e_attrs, lastmod_schema.lms_ad_lastmodDN ); + if ( a == NULL ) { + goto error_return; + } + ch_free( a->a_vals[0].bv_val ); + a->a_vals[0] = bv_name; + ch_free( a->a_nvals[0].bv_val ); + a->a_nvals[0] = bv_nname; + +#if 0 + fprintf( stderr, "### lastmodType: %s %s\n", lastmodType[ lmt ].bv_val, lastmodType[ lmt ].bv_val ); +#endif + + a = attr_find( lmi->lmi_e->e_attrs, lastmod_schema.lms_ad_lastmodType ); + if ( a == NULL ) { + goto error_return; + } + ch_free( a->a_vals[0].bv_val ); + ber_dupbv( &a->a_vals[0], &lastmodType[ lmt ] ); + ch_free( a->a_nvals[0].bv_val ); + ber_dupbv( &a->a_nvals[0], &lastmodType[ lmt ] ); + +#if 0 + fprintf( stderr, "### modifiersName: %s %s\n", bv_modifiersName.bv_val, bv_nmodifiersName.bv_val ); +#endif + + a = attr_find( lmi->lmi_e->e_attrs, slap_schema.si_ad_modifiersName ); + if ( a == NULL ) { + goto error_return; + } + ch_free( a->a_vals[0].bv_val ); + a->a_vals[0] = bv_modifiersName; + ch_free( a->a_nvals[0].bv_val ); + a->a_nvals[0] = bv_nmodifiersName; + +#if 0 + fprintf( stderr, "### modifyTimestamp: %s %s\n", bv_nmodifyTimestamp.bv_val, bv_modifyTimestamp.bv_val ); +#endif + + a = attr_find( lmi->lmi_e->e_attrs, slap_schema.si_ad_modifyTimestamp ); + if ( a == NULL ) { + goto error_return; + } + ch_free( a->a_vals[0].bv_val ); + a->a_vals[0] = bv_modifyTimestamp; + ch_free( a->a_nvals[0].bv_val ); + a->a_nvals[0] = bv_nmodifyTimestamp; + +#if 0 + fprintf( stderr, "### entryCSN: %s %s\n", bv_nentryCSN.bv_val, bv_entryCSN.bv_val ); +#endif + + a = attr_find( lmi->lmi_e->e_attrs, slap_schema.si_ad_entryCSN ); + if ( a == NULL ) { + goto error_return; + } + ch_free( a->a_vals[0].bv_val ); + a->a_vals[0] = bv_entryCSN; + ch_free( a->a_nvals[0].bv_val ); + a->a_nvals[0] = bv_nentryCSN; + + rc = 0; + +error_return:; + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + + return rc; +} + +static int +lastmod_response( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + + /* don't record failed operations */ + switch ( rs->sr_err ) { + case LDAP_SUCCESS: + /* FIXME: other cases? */ + break; + + default: + return SLAP_CB_CONTINUE; + } + + /* record only write operations */ + switch ( op->o_tag ) { + case LDAP_REQ_ADD: + case LDAP_REQ_MODIFY: + case LDAP_REQ_MODRDN: + case LDAP_REQ_DELETE: + break; + + case LDAP_REQ_EXTENDED: + /* if write, process */ + if ( exop_is_write( op )) + break; + + /* fall thru */ + default: + return SLAP_CB_CONTINUE; + } + + /* skip if disabled */ + ldap_pvt_thread_mutex_lock( &lmi->lmi_entry_mutex ); + if ( !lmi->lmi_enabled ) { + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + return SLAP_CB_CONTINUE; + } + ldap_pvt_thread_mutex_unlock( &lmi->lmi_entry_mutex ); + + (void)lastmod_update( op, rs ); + + return SLAP_CB_CONTINUE; +} + +static int +lastmod_db_init( BackendDB *be, ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + lastmod_info_t *lmi; + + if ( lastmod_schema.lms_oc_lastmod == NULL ) { + int i; + const char *text; + + /* schema integration */ + for ( i = 0; mat[i].schema; i++ ) { + int code; + AttributeDescription **ad = + ((AttributeDescription **)&(((char *)&lastmod_schema)[mat[i].offset])); + ad[0] = NULL; + + code = register_at( mat[i].schema, ad, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "lastmod_init: register_at failed\n", 0, 0, 0 ); + return -1; + } + (*ad)->ad_type->sat_flags |= mat[i].flags; + } + + for ( i = 0; moc[i].schema; i++ ) { + int code; + ObjectClass **Oc = + ((ObjectClass **)&(((char *)&lastmod_schema)[moc[i].offset])); + + code = register_oc( moc[i].schema, Oc, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "lastmod_init: register_oc failed\n", 0, 0, 0 ); + return -1; + } + (*Oc)->soc_flags |= moc[i].flags; + } + } + + lmi = (lastmod_info_t *)ch_malloc( sizeof( lastmod_info_t ) ); + + memset( lmi, 0, sizeof( lastmod_info_t ) ); + lmi->lmi_enabled = 1; + + on->on_bi.bi_private = lmi; + + return 0; +} + +static int +lastmod_db_config( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv +) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + + if ( strcasecmp( argv[ 0 ], "lastmod-rdnvalue" ) == 0 ) { + if ( lmi->lmi_rdnvalue.bv_val ) { + /* already defined! */ + ch_free( lmi->lmi_rdnvalue.bv_val ); + } + + ber_str2bv( argv[ 1 ], 0, 1, &lmi->lmi_rdnvalue ); + + } else if ( strcasecmp( argv[ 0 ], "lastmod-enabled" ) == 0 ) { + if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) { + lmi->lmi_enabled = 1; + + } else if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) { + lmi->lmi_enabled = 0; + + } else { + return -1; + } + + } else { + return SLAP_CONF_UNKNOWN; + } + + return 0; +} + +static int +lastmod_db_open( BackendDB *be, ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + char buf[ 8192 ]; + static char tmbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ]; + + char csnbuf[ LDAP_PVT_CSNSTR_BUFSIZE ]; + struct berval entryCSN; + struct berval timestamp; + + if ( !SLAP_LASTMOD( be ) ) { + fprintf( stderr, "set \"lastmod on\" to make this overlay effective\n" ); + return -1; + } + + /* + * Start + */ + timestamp.bv_val = tmbuf; + timestamp.bv_len = sizeof(tmbuf); + slap_timestamp( &starttime, ×tamp ); + + entryCSN.bv_val = csnbuf; + entryCSN.bv_len = sizeof( csnbuf ); + slap_get_csn( NULL, &entryCSN, 0 ); + + if ( BER_BVISNULL( &lmi->lmi_rdnvalue ) ) { + ber_str2bv( "Lastmod", 0, 1, &lmi->lmi_rdnvalue ); + } + + snprintf( buf, sizeof( buf ), + "dn: cn=%s%s%s\n" + "objectClass: %s\n" + "structuralObjectClass: %s\n" + "cn: %s\n" + "description: This object contains the last modification to this database\n" + "%s: cn=%s%s%s\n" + "%s: %s\n" + "%s: %s\n" + "createTimestamp: %s\n" + "creatorsName: %s\n" + "entryCSN: %s\n" + "modifyTimestamp: %s\n" + "modifiersName: %s\n" + "hasSubordinates: FALSE\n", + lmi->lmi_rdnvalue.bv_val, BER_BVISEMPTY( &be->be_suffix[ 0 ] ) ? "" : ",", be->be_suffix[ 0 ].bv_val, + lastmod_schema.lms_oc_lastmod->soc_cname.bv_val, + lastmod_schema.lms_oc_lastmod->soc_cname.bv_val, + lmi->lmi_rdnvalue.bv_val, + lastmod_schema.lms_ad_lastmodDN->ad_cname.bv_val, + lmi->lmi_rdnvalue.bv_val, BER_BVISEMPTY( &be->be_suffix[ 0 ] ) ? "" : ",", be->be_suffix[ 0 ].bv_val, + lastmod_schema.lms_ad_lastmodType->ad_cname.bv_val, lastmodType[ LASTMOD_ADD ].bv_val, + lastmod_schema.lms_ad_lastmodEnabled->ad_cname.bv_val, lmi->lmi_enabled ? "TRUE" : "FALSE", + tmbuf, + BER_BVISNULL( &be->be_rootdn ) ? SLAPD_ANONYMOUS : be->be_rootdn.bv_val, + entryCSN.bv_val, + tmbuf, + BER_BVISNULL( &be->be_rootdn ) ? SLAPD_ANONYMOUS : be->be_rootdn.bv_val ); + +#if 0 + fprintf( stderr, "# entry:\n%s\n", buf ); +#endif + + lmi->lmi_e = str2entry( buf ); + if ( lmi->lmi_e == NULL ) { + return -1; + } + + ldap_pvt_thread_mutex_init( &lmi->lmi_entry_mutex ); + + return 0; +} + +static int +lastmod_db_destroy( BackendDB *be, ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + lastmod_info_t *lmi = (lastmod_info_t *)on->on_bi.bi_private; + + if ( lmi ) { + if ( !BER_BVISNULL( &lmi->lmi_rdnvalue ) ) { + ch_free( lmi->lmi_rdnvalue.bv_val ); + } + + if ( lmi->lmi_e ) { + entry_free( lmi->lmi_e ); + + ldap_pvt_thread_mutex_destroy( &lmi->lmi_entry_mutex ); + } + + ch_free( lmi ); + } + + return 0; +} + +/* This overlay is set up for dynamic loading via moduleload. For static + * configuration, you'll need to arrange for the slap_overinst to be + * initialized and registered by some other function inside slapd. + */ + +static slap_overinst lastmod; + +int +lastmod_initialize() +{ + lastmod.on_bi.bi_type = "lastmod"; + lastmod.on_bi.bi_db_init = lastmod_db_init; + lastmod.on_bi.bi_db_config = lastmod_db_config; + lastmod.on_bi.bi_db_destroy = lastmod_db_destroy; + lastmod.on_bi.bi_db_open = lastmod_db_open; + + lastmod.on_bi.bi_op_add = lastmod_op_func; + lastmod.on_bi.bi_op_compare = lastmod_op_func; + lastmod.on_bi.bi_op_delete = lastmod_op_func; + lastmod.on_bi.bi_op_modify = lastmod_op_func; + lastmod.on_bi.bi_op_modrdn = lastmod_op_func; + lastmod.on_bi.bi_op_search = lastmod_op_func; + lastmod.on_bi.bi_extended = lastmod_op_func; + + lastmod.on_response = lastmod_response; + + return overlay_register( &lastmod ); +} + +#if SLAPD_OVER_LASTMOD == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return lastmod_initialize(); +} +#endif /* SLAPD_OVER_LASTMOD == SLAPD_MOD_DYNAMIC */ + +#endif /* defined(SLAPD_OVER_LASTMOD) */ diff --git a/contrib/slapd-modules/lastmod/slapo-lastmod.5 b/contrib/slapd-modules/lastmod/slapo-lastmod.5 new file mode 100644 index 0000000..88a19cf --- /dev/null +++ b/contrib/slapd-modules/lastmod/slapo-lastmod.5 @@ -0,0 +1,185 @@ +.\" Copyright 2004-2021 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.TH SLAPO_LASTMOD 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.SH NAME +slapo-lastmod \- Last Modification overlay +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +.LP +The +.B lastmod +overlay creates a service entry rooted at the suffix of the database +it's stacked onto, which holds the DN, the modification type, +the modifiersName and the modifyTimestamp of the last write operation +performed on that database. +The lastmod overlay cannot be used when the "lastmod" feature +is disabled, i.e. "lastmod off" is used. +.P +All operations targeted at the DN of the lastmod entry are rejected, +except reads, i.e. searches with +.B base +scope. +Regular operations are ignored, unless they result in writing; then, +in case of success, the lastmod entry is updated accordingly, +if possible. + +.SH CONFIGURATION +These +.B slapd.conf +configuration options apply to the lastmod overlay. They must appear +after the +.B overlay +directive. +.TP +.B lastmod-rdnvalue <RDN value> +Specify the value of the RDN used for the service entry. By default +.I Lastmod +is used. +.TP +.B lastmod-enabled {yes|no} +Specify whether the overlay must be enabled or not at startup. +By default, the overlay is enabled; however, by changing the boolean +value of the attribute +.IR lastmodEnabled , +one can affect the status of the overlay. +This is useful, for instance, to inhibit the overlay from keeping track +of large bulk loads or deletions. + +.SH OBJECT CLASS +The +.B lastmod +overlay depends on the +.B lastmod +objectClass. The definition of that class is as follows: +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.3.13 " + NAME 'lastmod' + DESC 'OpenLDAP per-database last modification monitoring' + STRUCTURAL + SUP top + MUST ( cn $ lastmodDN $ lastmodType ) + MAY ( description $ seeAlso ) ) +.RE + +.SH ATTRIBUTES +.P +Each one of the sections below details the meaning and use of a particular +attribute of this +.B lastmod +objectClass. +Most of the attributes that are specific to the lastmod objectClass are +operational, since they can logically be altered only by the DSA. +The most notable exception is the +.I lastmodEnabled +attributeType, which can be altered via protocol to change the status +of the overlay. +.P + +.B lastmodEnabled +.P +This attribute contains a boolean flag that determines the status +of the overlay. It can be altered via protocol by issuing a modify +operation that replaces the value of the attribute. +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.1.30 + NAME 'lastmodEnabled' + DESC 'Lastmod overlay state' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + EQUALITY booleanMatch + SINGLE-VALUE ) +.RE + +.SH OPERATIONAL ATTRIBUTES +.P +Each one of the sections below details the meaning and use of a particular +attribute of this +.B lastmod +objectClass. +Most of the attributes that are specific to the lastmod objectClass are +operational, since they can logically be altered only by the DSA. +.P + +.B lastmodDN +.P +This attribute contains the distinguished name of the entry +that was last modified within the naming context of a database. +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.1.28 + NAME 'lastmodDN' + DESC 'DN of last modification' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + NO-USER-MODIFICATION + USAGE directoryOperation ) +.RE + +.B lastmodType +.P +This attribute contains the type of the modification that occurred +to the last modified entry. Legal values are +.BR add , +.BR delete , +.BR exop , +.BR modify , +.B modrdn +and +.BR unknown . +The latter should only be used as a fall-thru in case of unhandled +request types that are considered equivalent to a write operation. +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.1.29 + NAME 'lastmodType' + DESC 'Type of last modification' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + EQUALITY caseIgnoreMatch + SINGLE-VALUE + NO-USER-MODIFICATION + USAGE directoryOperation ) +.RE + + +.SH EXAMPLES +.LP +.RS +.nf +database bdb +suffix dc=example,dc=com +\... +overlay lastmod +lastmod-rdnvalue "Last Modification" +.fi +.RE + +.SH SEE ALSO +.BR ldap (3), +.BR slapd.conf (5), +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.LP + +.SH BUGS +It is unclear whether this overlay can safely interoperate +with other overlays. +If the underlying backend does not implement entry_get/entry_release +handlers, modrdn update can become tricky. +The code needs some cleanup and more consistent error handling. +So far, the OIDs for the schema haven't been assigned yet. + +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2004 by Pierangelo Masarati in fulfillment +of requirements from SysNet s.n.c.; this man page has been copied +from +.BR slapo-ppolicy (5), +and most of the overlays ever written are copied from Howard Chu's +first overlays. +.P +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff --git a/contrib/slapd-modules/noopsrch/Makefile b/contrib/slapd-modules/noopsrch/Makefile new file mode 100644 index 0000000..ab1babe --- /dev/null +++ b/contrib/slapd-modules/noopsrch/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_NOOPSRCH=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = noopsrch.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +noopsrch.la: noopsrch.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/noopsrch/noopsrch.c b/contrib/slapd-modules/noopsrch/noopsrch.c new file mode 100644 index 0000000..57522ac --- /dev/null +++ b/contrib/slapd-modules/noopsrch/noopsrch.c @@ -0,0 +1,254 @@ +/* noopsrch.c - LDAP Control that counts entries a search would return */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2010-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion + * in OpenLDAP Software. + */ + +#include "portable.h" + +/* define SLAPD_OVER_NOOPSRCH=2 to build as run-time loadable module */ +#ifdef SLAPD_OVER_NOOPSRCH + +/* + * Control OID + */ +#define LDAP_CONTROL_X_NOOPSRCH "1.3.6.1.4.1.4203.666.5.18" + +#include "slap.h" +#include "ac/string.h" + +#define o_noopsrch o_ctrlflag[noopsrch_cid] +#define o_ctrlnoopsrch o_controls[noopsrch_cid] + +static int noopsrch_cid; +static slap_overinst noopsrch; + +static int +noopsrch_parseCtrl ( + Operation *op, + SlapReply *rs, + LDAPControl *ctrl ) +{ + if ( op->o_noopsrch != SLAP_CONTROL_NONE ) { + rs->sr_text = "No-op Search control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) { + rs->sr_text = "No-op Search control value is present"; + return LDAP_PROTOCOL_ERROR; + } + + op->o_ctrlnoopsrch = (void *)NULL; + + op->o_noopsrch = ctrl->ldctl_iscritical + ? SLAP_CONTROL_CRITICAL + : SLAP_CONTROL_NONCRITICAL; + + rs->sr_err = LDAP_SUCCESS; + + return rs->sr_err; +} + +int dummy; + +typedef struct noopsrch_cb_t { + slap_overinst *nc_on; + ber_int_t nc_nentries; + ber_int_t nc_nsearchref; + AttributeName *nc_save_attrs; + int *nc_pdummy; + int nc_save_slimit; +} noopsrch_cb_t; + +static int +noopsrch_response( Operation *op, SlapReply *rs ) +{ + noopsrch_cb_t *nc = (noopsrch_cb_t *)op->o_callback->sc_private; + + /* if the control is global, limits are not computed yet */ + if ( nc->nc_pdummy == &dummy ) { + nc->nc_save_slimit = op->ors_slimit; + op->ors_slimit = SLAP_NO_LIMIT; + nc->nc_pdummy = NULL; + } + + if ( rs->sr_type == REP_SEARCH ) { + nc->nc_nentries++; +#ifdef NOOPSRCH_DEBUG + Debug( LDAP_DEBUG_TRACE, "noopsrch_response(REP_SEARCH): nentries=%d\n", nc->nc_nentries, 0, 0 ); +#endif + return 0; + + } else if ( rs->sr_type == REP_SEARCHREF ) { + nc->nc_nsearchref++; + return 0; + + } else if ( rs->sr_type == REP_RESULT ) { + BerElementBuffer berbuf; + BerElement *ber = (BerElement *) &berbuf; + struct berval ctrlval; + LDAPControl *ctrl, *ctrlsp[2]; + int rc = rs->sr_err; + + if ( nc->nc_save_slimit >= 0 && nc->nc_nentries >= nc->nc_save_slimit ) { + rc = LDAP_SIZELIMIT_EXCEEDED; + } + +#ifdef NOOPSRCH_DEBUG + Debug( LDAP_DEBUG_TRACE, "noopsrch_response(REP_RESULT): err=%d nentries=%d nref=%d\n", rc, nc->nc_nentries, nc->nc_nsearchref ); +#endif + + ber_init2( ber, NULL, LBER_USE_DER ); + + ber_printf( ber, "{iii}", rc, nc->nc_nentries, nc->nc_nsearchref ); + if ( ber_flatten2( ber, &ctrlval, 0 ) == -1 ) { + ber_free_buf( ber ); + if ( op->o_noopsrch == SLAP_CONTROL_CRITICAL ) { + return LDAP_CONSTRAINT_VIOLATION; + } + return SLAP_CB_CONTINUE; + } + + ctrl = op->o_tmpcalloc( 1, + sizeof( LDAPControl ) + ctrlval.bv_len + 1, + op->o_tmpmemctx ); + ctrl->ldctl_value.bv_val = (char *)&ctrl[ 1 ]; + ctrl->ldctl_oid = LDAP_CONTROL_X_NOOPSRCH; + ctrl->ldctl_iscritical = 0; + ctrl->ldctl_value.bv_len = ctrlval.bv_len; + AC_MEMCPY( ctrl->ldctl_value.bv_val, ctrlval.bv_val, ctrlval.bv_len ); + ctrl->ldctl_value.bv_val[ ctrl->ldctl_value.bv_len ] = '\0'; + + ber_free_buf( ber ); + + ctrlsp[0] = ctrl; + ctrlsp[1] = NULL; + slap_add_ctrls( op, rs, ctrlsp ); + } + return SLAP_CB_CONTINUE; +} + +static int +noopsrch_cleanup( Operation *op, SlapReply *rs ) +{ + if ( rs->sr_type == REP_RESULT || rs->sr_err == SLAPD_ABANDON ) { + noopsrch_cb_t *nc = (noopsrch_cb_t *)op->o_callback->sc_private; + op->ors_attrs = nc->nc_save_attrs; + if ( nc->nc_pdummy == NULL ) { + op->ors_slimit = nc->nc_save_slimit; + } + + op->o_tmpfree( op->o_callback, op->o_tmpmemctx ); + op->o_callback = NULL; + } + + return SLAP_CB_CONTINUE; +} + +static int +noopsrch_op_search( Operation *op, SlapReply *rs ) +{ + if ( op->o_noopsrch != SLAP_CONTROL_NONE ) { + slap_callback *sc; + noopsrch_cb_t *nc; + + sc = op->o_tmpcalloc( 1, sizeof( slap_callback ) + sizeof( noopsrch_cb_t ), op->o_tmpmemctx ); + + nc = (noopsrch_cb_t *)&sc[ 1 ]; + nc->nc_on = (slap_overinst *)op->o_bd->bd_info; + nc->nc_nentries = 0; + nc->nc_nsearchref = 0; + nc->nc_save_attrs = op->ors_attrs; + nc->nc_pdummy = &dummy; + + sc->sc_response = noopsrch_response; + sc->sc_cleanup = noopsrch_cleanup; + sc->sc_private = (void *)nc; + + op->ors_attrs = slap_anlist_no_attrs; + + sc->sc_next = op->o_callback->sc_next; + op->o_callback->sc_next = sc; + } + + return SLAP_CB_CONTINUE; +} + +static int noopsrch_cnt; + +static int +noopsrch_db_init( BackendDB *be, ConfigReply *cr) +{ + if ( noopsrch_cnt++ == 0 ) { + int rc; + + rc = register_supported_control( LDAP_CONTROL_X_NOOPSRCH, + SLAP_CTRL_SEARCH | SLAP_CTRL_GLOBAL_SEARCH, NULL, + noopsrch_parseCtrl, &noopsrch_cid ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "noopsrch_initialize: Failed to register control '%s' (%d)\n", + LDAP_CONTROL_X_NOOPSRCH, rc, 0 ); + return rc; + } + } + + return LDAP_SUCCESS; +} + +static int +noopsrch_db_destroy( BackendDB *be, ConfigReply *cr ) +{ + assert( noopsrch_cnt > 0 ); + +#ifdef SLAP_CONFIG_DELETE + overlay_unregister_control( be, LDAP_CONTROL_X_NOOPSRCH ); + if ( --noopsrch_cnt == 0 ) { + unregister_supported_control( LDAP_CONTROL_X_NOOPSRCH ); + } + +#endif /* SLAP_CONFIG_DELETE */ + + return 0; +} + +#if SLAPD_OVER_NOOPSRCH == SLAPD_MOD_DYNAMIC +static +#endif /* SLAPD_OVER_NOOPSRCH == SLAPD_MOD_DYNAMIC */ +int +noopsrch_initialize( void ) +{ + + noopsrch.on_bi.bi_type = "noopsrch"; + + noopsrch.on_bi.bi_db_init = noopsrch_db_init; + noopsrch.on_bi.bi_db_destroy = noopsrch_db_destroy; + noopsrch.on_bi.bi_op_search = noopsrch_op_search; + + return overlay_register( &noopsrch ); +} + +#if SLAPD_OVER_NOOPSRCH == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return noopsrch_initialize(); +} +#endif /* SLAPD_OVER_NOOPSRCH == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_NOOPSRCH */ diff --git a/contrib/slapd-modules/nops/Makefile b/contrib/slapd-modules/nops/Makefile new file mode 100644 index 0000000..eda7b47 --- /dev/null +++ b/contrib/slapd-modules/nops/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_NOPS=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = nops.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +nops.la: nops.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/nops/nops.c b/contrib/slapd-modules/nops/nops.c new file mode 100644 index 0000000..c0d5088 --- /dev/null +++ b/contrib/slapd-modules/nops/nops.c @@ -0,0 +1,177 @@ +/* nops.c - Overlay to filter idempotent operations */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Copyright 2008 Emmanuel Dreyfus. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was originally developed by the Emmanuel Dreyfus for + * inclusion in OpenLDAP Software. + */ +#include "portable.h" + +#ifdef SLAPD_OVER_NOPS + +#include <stdio.h> + +#include <ac/string.h> +#include <ac/socket.h> + +#include "lutil.h" +#include "slap.h" +#include "config.h" + +static ConfigDriver nops_cf_gen; + +static int nops_cf_gen( ConfigArgs *c ) { return 0; } + +static void +nops_rm_mod( Modifications **mods, Modifications *mod ) { + Modifications *next, *m; + + next = mod->sml_next; + if (*mods == mod) { + *mods = next; + } else { + Modifications *m; + + for (m = *mods; m; m = m->sml_next) { + if (m->sml_next == mod) { + m->sml_next = next; + break; + } + } + } + + mod->sml_next = NULL; + slap_mods_free(mod, 1); + + return; +} + +static int +nops_modify( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + Backend *be = op->o_bd; + Entry *target_entry = NULL; + Modifications *m; + int rc; + + if ((m = op->orm_modlist) == NULL) { + op->o_bd->bd_info = (BackendInfo *)(on->on_info); + send_ldap_error(op, rs, LDAP_INVALID_SYNTAX, + "nops() got null orm_modlist"); + return(rs->sr_err); + } + + op->o_bd = on->on_info->oi_origdb; + rc = be_entry_get_rw(op, &op->o_req_ndn, NULL, NULL, 0, &target_entry); + op->o_bd = be; + + if (rc != 0 || target_entry == NULL) + return 0; + + /* + * For each attribute modification, check if the + * modification and the old entry are the same. + */ + while (m) { + int i, j; + int found; + Attribute *a; + BerVarray bm; + BerVarray bt; + Modifications *mc; + + mc = m; + m = m->sml_next; + + /* Check only replace sub-operations */ + if ((mc->sml_op & LDAP_MOD_OP) != LDAP_MOD_REPLACE) + continue; + + /* If there is no values, skip */ + if (((bm = mc->sml_values ) == NULL ) || (bm[0].bv_val == NULL)) + continue; + + /* If the attribute does not exist in old entry, skip */ + if ((a = attr_find(target_entry->e_attrs, mc->sml_desc)) == NULL) + continue; + if ((bt = a->a_vals) == NULL) + continue; + + /* For each value replaced, do we find it in old entry? */ + found = 0; + for (i = 0; bm[i].bv_val; i++) { + for (j = 0; bt[j].bv_val; j++) { + if (bm[i].bv_len != bt[j].bv_len) + continue; + if (memcmp(bm[i].bv_val, bt[j].bv_val, bt[j].bv_len) != 0) + continue; + + found++; + break; + } + } + + /* Did we find as many values as we had in old entry? */ + if (i != a->a_numvals || found != a->a_numvals) + continue; + + /* This is a nop, remove it */ + Debug(LDAP_DEBUG_TRACE, "removing nop on %s%s%s", + a->a_desc->ad_cname.bv_val, "", ""); + + nops_rm_mod(&op->orm_modlist, mc); + } + if (target_entry) { + op->o_bd = on->on_info->oi_origdb; + be_entry_release_r(op, target_entry); + op->o_bd = be; + } + + if ((m = op->orm_modlist) == NULL) { + slap_callback *cb = op->o_callback; + + op->o_bd->bd_info = (BackendInfo *)(on->on_info); + op->o_callback = NULL; + send_ldap_error(op, rs, LDAP_SUCCESS, ""); + op->o_callback = cb; + + return (rs->sr_err); + } + + return SLAP_CB_CONTINUE; +} + +static slap_overinst nops_ovl; + +#if SLAPD_OVER_NOPS == SLAPD_MOD_DYNAMIC +static +#endif +int +nops_initialize( void ) { + nops_ovl.on_bi.bi_type = "nops"; + nops_ovl.on_bi.bi_op_modify = nops_modify; + return overlay_register( &nops_ovl ); +} + +#if SLAPD_OVER_NOPS == SLAPD_MOD_DYNAMIC +int init_module(int argc, char *argv[]) { + return nops_initialize(); +} +#endif + +#endif /* defined(SLAPD_OVER_NOPS) */ + diff --git a/contrib/slapd-modules/nops/slapo-nops.5 b/contrib/slapd-modules/nops/slapo-nops.5 new file mode 100644 index 0000000..ac8f19d --- /dev/null +++ b/contrib/slapd-modules/nops/slapo-nops.5 @@ -0,0 +1,32 @@ +.TH SLAPO-NOPS 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2008 Emmanuel Dreyfus +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapo-nops \- Remove Null Operations Overlay to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +Some broken client tend to implement modifications as replace operations +where all attributes are replaced, most of the time by the same values +they had before. This can cause undesirable load on logs, ACL evaluation, +or replication trafic. + +This overlay detects idempotent replace operations and filter them out. +.SH CONFIGURATION +This overlay had no specific configuration. +.SH EXAMPLES +.LP +.RS +.nf +overlay nops +.RE +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5). +.SH ACKNOWLEDGEMENTS +This module was written in 2008 by Emmanuel Dreyfus. +.so ../Project diff --git a/contrib/slapd-modules/nssov/Makefile b/contrib/slapd-modules/nssov/Makefile new file mode 100644 index 0000000..a69ec4d --- /dev/null +++ b/contrib/slapd-modules/nssov/Makefile @@ -0,0 +1,73 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 2008-2021 The OpenLDAP Foundation. +# Portions Copyright 2008 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +# Path to the OpenLDAP source tree +LDAP_SRC=../../.. + +# Path to the OpenLDAP object tree - same as above unless +# you're doing out-of-tree builds. +LDAP_BUILD=$(LDAP_SRC) + +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +NLDAPD_INC=-Inss-pam-ldapd + +LIBTOOL = $(LDAP_BUILD)/libtool +OPT = -g -O2 -Wall +CC = gcc +DEFS = +INCS = $(LDAP_INC) $(NLDAPD_INC) +LIBS = $(LDAP_LIB) + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) +sysconfdir = $(prefix)/etc$(ldap_subdir) +schemadir = $(sysconfdir)/schema + +all: nssov.la + +XOBJS = tio.lo + +OBJS = alias.lo ether.lo group.lo host.lo netgroup.lo network.lo \ + nssov.lo passwd.lo protocol.lo rpc.lo service.lo shadow.lo pam.lo + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +tio.lo: nss-pam-ldapd/tio.c + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? + +$(OBJS): nssov.h + +nssov.la: $(OBJS) $(XOBJS) + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ + -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) + +install: nssov.la + mkdir -p $(DESTDIR)$(moduledir) + $(LIBTOOL) --mode=install cp nssov.la $(DESTDIR)$(moduledir) + cp ldapns.schema $(DESTDIR)$(schemadir) + +clean: + rm -f *.*o *.la .libs/* + rm -rf .libs diff --git a/contrib/slapd-modules/nssov/README b/contrib/slapd-modules/nssov/README new file mode 100644 index 0000000..28d6286 --- /dev/null +++ b/contrib/slapd-modules/nssov/README @@ -0,0 +1,134 @@ +This directory contains a slapd overlay, nssov, that handles +NSS lookup requests through a local Unix Domain socket. It uses the +same IPC protocol as Arthur de Jong's nss-ldapd, and a complete +copy of the nss-ldapd source is included here. It also handles +PAM requests. + +To use this code, you will need the client-side stuf library from +nss-pam-ldapd. You can get it from: +http://arthurdejong.org/nss-pam-ldapd +You will not need the nslcd daemon; this overlay replaces that part. +To disable building of the nslcd daemon in nss-pam-ldapd, add the +--disable-nslcd option to the nss-pam-ldapd configure script. You +should already be familiar with the RFC2307 and RFC2307bis schema +to use this overlay. See the nss-pam-ldapd README for more information +on the schema and which features are supported. + +To use the overlay, add: + + include <path to>nis.schema + + moduleload <path to>nssov.so + ... + + database hdb + ... + overlay nssov + +to your slapd configuration file. (The nis.schema file contains +the original RFC2307 schema. Some modifications will be needed to +use RFC2307bis.) + +The overlay may be configured with Service Search Descriptors (SSDs) +for each NSS service that will be used. SSDs are configured using + + nssov-ssd <service> <url> + +where the <service> may be one of + aliases + ethers + group + hosts + netgroup + networks + passwd + protocols + rpc + services + shadow + +and the <url> must be of the form + ldap:///[<basedn>][??[<scope>][?<filter>]] + +The <basedn> will default to the first suffix of the current database. +The <scope> defaults to "subtree". The default <filter> depends on which +service is being used. + +If the local database is actually a proxy to a foreign LDAP server, some +mapping of schema may be needed. Some simple attribute substitutions may +be performed using + + nssov-map <service> <orig> <new> + +See the nss-ldapd/README for the original attribute names used in this code. + +The overlay also supports dynamic configuration in cn=config. The layout +of the config entry is + + dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config + objectClass: olcOverlayConfig + objectClass: olcNssOvConfig + olcOverlay: {0}nssov + olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one + olcNssMap: passwd uid accountName + +which enables the passwd service, and uses the accountName attribute to +fetch what is usually retrieved from the uid attribute. + +PAM authentication, account management, session management, and password +management are supported. + +Authentication is performed using Simple Binds. Since all operations occur +inside the slapd overlay, "fake" connections are used and they are +inherently secure. Two methods of mapping the PAM username to an LDAP DN +are provided: + the mapping can be accomplished using slapd's authz-regexp facility. In +this case, a DN of the form + cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth +is fed into the regexp matcher. If a match is produced, the resulting DN +is used. + otherwise, the NSS passwd map is invoked (which means it must already +be configured). + +If no DN is found, the overlay returns PAM_USER_UNKNOWN. If the DN is +found, and Password Policy is supported, then the Bind will use the +Password Policy control and return expiration information to PAM. + +Account management also uses two methods. These methods depend on the +ldapns.schema included with the nssov source. + The first is identical to the method used in PADL's pam_ldap module: +host and authorizedService attributes may be looked up in the user's entry, +and checked to determine access. Also a check may be performed to see if +the user is a member of a particular group. This method is pretty +inflexible and doesn't scale well to large networks of users, hosts, +and services. + The second uses slapd's ACL engine to check if the user has "compare" +privilege on an ipHost object whose name matches the current hostname, and +whose authorizedService attribute matches the current service name. This +method is preferred, since it allows authorization to be centralized in +the ipHost entries instead of scattered across the entire user population. +The ipHost entries must have an authorizedService attribute (e.g. by way +of the authorizedServiceObject auxiliary class) to use this method. + +Session management: the overlay may optionally add a "logged in" attribute +to a user's entry for successful logins, and delete the corresponding +value upon logout. The attribute value is of the form + <generalizedTime> <host> <service> <tty> (<ruser@rhost>) + +Password management: the overlay will perform a PasswordModify exop +in the server for the given user. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 1998-2021 The OpenLDAP Foundation. +Portions Copyright 2008-2009 Howard Chu, Symas Corp. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/nssov/alias.c b/contrib/slapd-modules/nssov/alias.c new file mode 100644 index 0000000..92d6f13 --- /dev/null +++ b/contrib/slapd-modules/nssov/alias.c @@ -0,0 +1,116 @@ +/* alias.c - mail alias lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* Vendor-specific attributes and object classes. + * (Mainly from Sun.) + * ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top STRUCTURAL + * DESC 'NIS mail alias' + * MUST cn + * MAY rfc822MailMember ) + */ + +/* the basic search filter for searches */ +static struct berval alias_filter = BER_BVC("(objectClass=nisMailAlias)"); + +/* the attributes to request with searches */ +static struct berval alias_keys[] = { + BER_BVC("cn"), + BER_BVC("rfc822MailMember"), + BER_BVNULL +}; + +NSSOV_INIT(alias) + +NSSOV_CBPRIV(alias, + struct berval name; + char buf[256];); + +static int write_alias(nssov_alias_cbp *cbp,Entry *entry) +{ + int32_t tmpint32,tmp2int32,tmp3int32; + struct berval tmparr[2], empty; + struct berval *names, *members; + Attribute *a; + int i; + + /* get the name of the alias */ + if (BER_BVISNULL(&cbp->name)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[0].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"alias entry %s does not contain %s value\n", + entry->e_name.bv_val,cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val,0 ); + return 0; + } + names = a->a_vals; + } + else + { + names=tmparr; + names[0]=cbp->name; + BER_BVZERO(&names[1]); + } + /* get the members of the alias */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[1].an_desc); + if ( !a ) { + BER_BVZERO( &empty ); + members = ∅ + } else { + members = a->a_vals; + } + /* for each name, write an entry */ + for (i=0;!BER_BVISNULL(&names[i]);i++) + { + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&names[i]); + WRITE_BVARRAY(cbp->fp,members); + } + return 0; +} + +NSSOV_CB(alias) + +NSSOV_HANDLE( + alias,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_alias_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_ALIAS_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + alias,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name);, + Debug(LDAP_DEBUG,"nssov_alias_all()\n",0,0,0);, + NSLCD_ACTION_ALIAS_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/ether.c b/contrib/slapd-modules/nssov/ether.c new file mode 100644 index 0000000..e96a815 --- /dev/null +++ b/contrib/slapd-modules/nssov/ether.c @@ -0,0 +1,167 @@ +/* ether.c - ethernet address lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +struct ether_addr { + uint8_t ether_addr_octet[6]; +}; + +/* ( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY + * DESC 'A device with a MAC address; device SHOULD be + * used as a structural class' + * MAY macAddress ) + */ + +/* the basic search filter for searches */ +static struct berval ether_filter = BER_BVC("(objectClass=ieee802Device)"); + +/* the attributes to request with searches */ +static struct berval ether_keys[] = { + BER_BVC("cn"), + BER_BVC("macAddress"), + BER_BVNULL +}; + +NSSOV_INIT(ether) + +NSSOV_CBPRIV(ether, + char buf[256]; + struct berval name; + struct berval addr;); + +#define WRITE_ETHER(fp,addr) \ + {int ao[6]; \ + sscanf(addr.bv_val,"%02x:%02x:%02x:%02x:%02x:%02x", \ + &ao[0], &ao[1], &ao[2], &ao[3], &ao[4], &ao[5] );\ + tmpaddr.ether_addr_octet[0] = ao[0]; \ + tmpaddr.ether_addr_octet[1] = ao[1]; \ + tmpaddr.ether_addr_octet[2] = ao[2]; \ + tmpaddr.ether_addr_octet[3] = ao[3]; \ + tmpaddr.ether_addr_octet[4] = ao[4]; \ + tmpaddr.ether_addr_octet[5] = ao[5]; } \ + WRITE(fp,&tmpaddr,sizeof(uint8_t[6])); + +static int write_ether(nssov_ether_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + struct ether_addr tmpaddr; + struct berval tmparr[2]; + struct berval *names,*ethers; + Attribute *a; + int i,j; + + /* get the name of the ether entry */ + if (BER_BVISNULL(&cbp->name)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[0].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"ether entry %s does not contain %s value\n", + entry->e_name.bv_val,cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val,0 ); + return 0; + } + names = a->a_vals; + } + else + { + names=tmparr; + names[0]=cbp->name; + BER_BVZERO(&names[1]); + } + /* get the addresses */ + if (BER_BVISNULL(&cbp->addr)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[1].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"ether entry %s does not contain %s value\n", + entry->e_name.bv_val,cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val,0 ); + return 0; + } + ethers = a->a_vals; + /* TODO: move parsing of addresses up here */ + } + else + { + ethers=tmparr; + ethers[0]=cbp->addr; + BER_BVZERO(ðers[1]); + } + /* write entries for all names and addresses */ + for (i=0;!BER_BVISNULL(&names[i]);i++) + for (j=0;!BER_BVISNULL(ðers[j]);j++) + { + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&names[i]); + WRITE_ETHER(cbp->fp,ethers[j]); + } + return 0; +} + +NSSOV_CB(ether) + +NSSOV_HANDLE( + ether,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.addr); + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_ether_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_ETHER_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + ether,byether, + struct ether_addr addr; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.name); + READ(fp,&addr,sizeof(uint8_t[6])); + cbp.addr.bv_len = snprintf(cbp.buf,sizeof(cbp.buf), "%x:%x:%x:%x:%x:%x", + addr.ether_addr_octet[0], + addr.ether_addr_octet[1], + addr.ether_addr_octet[2], + addr.ether_addr_octet[3], + addr.ether_addr_octet[4], + addr.ether_addr_octet[5]); + cbp.addr.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_ether_byether(%s)\n",cbp.addr.bv_val,0,0);, + NSLCD_ACTION_ETHER_BYETHER, + nssov_filter_byid(cbp.mi,1,&cbp.addr,&filter) +) + +NSSOV_HANDLE( + ether,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.addr);, + Debug(LDAP_DEBUG_TRACE,"nssov_ether_all()\n",0,0,0);, + NSLCD_ACTION_ETHER_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/group.c b/contrib/slapd-modules/nssov/group.c new file mode 100644 index 0000000..f6d2dd2 --- /dev/null +++ b/contrib/slapd-modules/nssov/group.c @@ -0,0 +1,346 @@ +/* group.c - group lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008-2009 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* for gid_t */ +#include <grp.h> + +/* ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL + * DESC 'Abstraction of a group of accounts' + * MUST ( cn $ gidNumber ) + * MAY ( userPassword $ memberUid $ description ) ) + * + * apart from that the above the uniqueMember attributes may be + * supported in a coming release (they map to DNs, which is an extra + * lookup step) + * + * using nested groups (groups that are member of a group) is currently + * not supported, this may be added in a later release + */ + +/* the basic search filter for searches */ +static struct berval group_filter = BER_BVC("(objectClass=posixGroup)"); + +/* the attributes to request with searches */ +static struct berval group_keys[] = { + BER_BVC("cn"), + BER_BVC("userPassword"), + BER_BVC("gidNumber"), + BER_BVC("memberUid"), + BER_BVC("uniqueMember"), + BER_BVNULL +}; + +#define CN_KEY 0 +#define PWD_KEY 1 +#define GID_KEY 2 +#define UID_KEY 3 +#define MEM_KEY 4 + +/* default values for attributes */ +static struct berval default_group_userPassword = BER_BVC("*"); /* unmatchable */ + +NSSOV_CBPRIV(group, + nssov_info *ni; + char buf[256]; + struct berval name; + struct berval gidnum; + struct berval user; + int wantmembers;); + +/* create a search filter for searching a group entry + by member uid, return -1 on errors */ +static int mkfilter_group_bymember(nssov_group_cbp *cbp,struct berval *buf) +{ + struct berval dn; + /* try to translate uid to DN */ + nssov_uid2dn(cbp->op,cbp->ni,&cbp->user,&dn); + if (BER_BVISNULL(&dn)) { + if (cbp->user.bv_len + cbp->mi->mi_filter.bv_len + cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_len + 6 > + buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s))", + cbp->mi->mi_filter.bv_val, cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_val, + cbp->user.bv_val ); + } else { /* also lookup using user DN */ + if (cbp->user.bv_len + cbp->mi->mi_filter.bv_len + cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_len + + dn.bv_len + cbp->mi->mi_attrs[MEM_KEY].an_desc->ad_cname.bv_len + 12 > buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(|(%s=%s)(%s=%s)))", + cbp->mi->mi_filter.bv_val, + cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_val, cbp->user.bv_val, + cbp->mi->mi_attrs[MEM_KEY].an_desc->ad_cname.bv_val, dn.bv_val ); + } + return 0; +} + +NSSOV_INIT(group) + +/* + Checks to see if the specified name is a valid group name. + + This test is based on the definition from POSIX (IEEE Std 1003.1, 2004, + 3.189 Group Name and 3.276 Portable Filename Character Set): + http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_189 + http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276 + + The standard defines group names valid if they only contain characters from + the set [A-Za-z0-9._-] where the hyphen should not be used as first + character. +*/ +static int isvalidgroupname(struct berval *name) +{ + int i; + + if ( !name->bv_val || !name->bv_len ) + return 0; + /* check first character */ + if ( ! ( (name->bv_val[0]>='A' && name->bv_val[0] <= 'Z') || + (name->bv_val[0]>='a' && name->bv_val[0] <= 'z') || + (name->bv_val[0]>='0' && name->bv_val[0] <= '9') || + name->bv_val[0]=='.' || name->bv_val[0]=='_' ) ) + return 0; + /* check other characters */ + for (i=1;i<name->bv_len;i++) + { +#ifndef STRICT_GROUPS + /* allow spaces too */ + if (name->bv_val[i] == ' ') continue; +#endif + if ( ! ( (name->bv_val[i]>='A' && name->bv_val[i] <= 'Z') || + (name->bv_val[i]>='a' && name->bv_val[i] <= 'z') || + (name->bv_val[i]>='0' && name->bv_val[i] <= '9') || + name->bv_val[i]=='.' || name->bv_val[i]=='_' || name->bv_val[i]=='-') ) + return 0; + } + /* no test failed so it must be good */ + return -1; +} + +static int write_group(nssov_group_cbp *cbp,Entry *entry) +{ + struct berval tmparr[2], tmpgid[2]; + struct berval *names,*gids,*members; + struct berval passwd = {0}; + Attribute *a; + int i,j,nummembers,rc = 0; + + /* get group name (cn) */ + if (BER_BVISNULL(&cbp->name)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[CN_KEY].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"group entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[CN_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + names = a->a_vals; + } + else + { + names=tmparr; + names[0]=cbp->name; + BER_BVZERO(&names[1]); + } + /* get the group id(s) */ + if (BER_BVISNULL(&cbp->gidnum)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[GID_KEY].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"group entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[GID_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + gids = a->a_vals; + } + else + { + gids=tmpgid; + gids[0]=cbp->gidnum; + BER_BVZERO(&gids[1]); + } + /* get group passwd (userPassword) (use only first entry) */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[PWD_KEY].an_desc); + if (a) + get_userpassword(&a->a_vals[0], &passwd); + if (BER_BVISNULL(&passwd)) + passwd=default_group_userPassword; + /* get group members (memberUid&uniqueMember) */ + if (cbp->wantmembers) { + Attribute *b; + i = 0; j = 0; + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[UID_KEY].an_desc); + b = attr_find(entry->e_attrs, cbp->mi->mi_attrs[MEM_KEY].an_desc); + if ( a ) + i += a->a_numvals; + if ( b ) + i += b->a_numvals; + if ( i ) { + members = cbp->op->o_tmpalloc( (i+1) * sizeof(struct berval), cbp->op->o_tmpmemctx ); + + if ( a ) { + for (i=0; i<a->a_numvals; i++) { + if (isvalidusername(&a->a_vals[i])) { + ber_dupbv_x(&members[j],&a->a_vals[i],cbp->op->o_tmpmemctx); + j++; + } + } + } + a = b; + if ( a ) { + for (i=0; i<a->a_numvals; i++) { + if (nssov_dn2uid(cbp->op,cbp->ni,&a->a_nvals[i],&members[j])) + j++; + } + } + nummembers = j; + BER_BVZERO(&members[j]); + } else { + members=NULL; + nummembers = 0; + } + + } else { + members=NULL; + nummembers = 0; + } + /* write entries for all names and gids */ + for (i=0;!BER_BVISNULL(&names[i]);i++) + { + if (!isvalidgroupname(&names[i])) + { + Debug(LDAP_DEBUG_ANY,"nssov: group entry %s contains invalid group name: \"%s\"\n", + entry->e_name.bv_val,names[i].bv_val,0); + } + else + { + for (j=0;!BER_BVISNULL(&gids[j]);j++) + { + char *tmp; + int tmpint32; + gid_t gid; + gid = strtol(gids[j].bv_val, &tmp, 0); + if ( *tmp ) { + Debug(LDAP_DEBUG_ANY,"nssov: group entry %s contains non-numeric %s value: \"%s\"\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[GID_KEY].an_desc->ad_cname.bv_val, + names[i].bv_val); + continue; + } + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&names[i]); + WRITE_BERVAL(cbp->fp,&passwd); + WRITE_INT32(cbp->fp,gid); + /* write a list of values */ + WRITE_INT32(cbp->fp,nummembers); + if (nummembers) + { + int k; + for (k=0;k<nummembers;k++) { + WRITE_BERVAL(cbp->fp,&members[k]); + } + } + } + } + } + /* free and return */ + if (members!=NULL) + ber_bvarray_free_x( members, cbp->op->o_tmpmemctx ); + return rc; +} + +NSSOV_CB(group) + +NSSOV_HANDLE( + group,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf; + if (!isvalidgroupname(&cbp.name)) { + Debug(LDAP_DEBUG_ANY,"nssov_group_byname(%s): invalid group name\n",cbp.name.bv_val,0,0); + return -1; + } + cbp.wantmembers = 1; + cbp.ni = ni; + BER_BVZERO(&cbp.gidnum); + BER_BVZERO(&cbp.user);, + Debug(LDAP_DEBUG_TRACE,"nslcd_group_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_GROUP_BYNAME, + nssov_filter_byname(cbp.mi,CN_KEY,&cbp.name,&filter) +) + +NSSOV_HANDLE( + group,bygid, + gid_t gid; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_INT32(fp,gid); + cbp.gidnum.bv_val = cbp.buf; + cbp.gidnum.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",gid); + cbp.wantmembers = 1; + cbp.ni = ni; + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.user);, + Debug(LDAP_DEBUG_TRACE,"nssov_group_bygid(%s)\n",cbp.gidnum.bv_val,0,0);, + NSLCD_ACTION_GROUP_BYGID, + nssov_filter_byid(cbp.mi,GID_KEY,&cbp.gidnum,&filter) +) + +NSSOV_HANDLE( + group,bymember, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf); + cbp.user.bv_len = tmpint32; + cbp.user.bv_val = cbp.buf; + if (!isvalidusername(&cbp.user)) { + Debug(LDAP_DEBUG_ANY,"nssov_group_bymember(%s): invalid user name\n",cbp.user.bv_val,0,0); + return -1; + } + cbp.wantmembers = 0; + cbp.ni = ni; + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.gidnum);, + Debug(LDAP_DEBUG_TRACE,"nssov_group_bymember(%s)\n",cbp.user.bv_val,0,0);, + NSLCD_ACTION_GROUP_BYMEMBER, + mkfilter_group_bymember(&cbp,&filter) +) + +NSSOV_HANDLE( + group,all, + struct berval filter; + /* no parameters to read */ + cbp.wantmembers = 1; + cbp.ni = ni; + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.gidnum);, + Debug(LDAP_DEBUG_TRACE,"nssov_group_all()\n",0,0,0);, + NSLCD_ACTION_GROUP_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/host.c b/contrib/slapd-modules/nssov/host.c new file mode 100644 index 0000000..0fea935 --- /dev/null +++ b/contrib/slapd-modules/nssov/host.c @@ -0,0 +1,161 @@ +/* host.c - host lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY + * DESC 'Abstraction of a host, an IP device. The distinguished + * value of the cn attribute denotes the host's canonical + * name. Device SHOULD be used as a structural class' + * MUST ( cn $ ipHostNumber ) + * MAY ( l $ description $ manager ) ) + */ + +/* the basic search filter for searches */ +static struct berval host_filter = BER_BVC("(objectClass=ipHost)"); + +/* the attributes to request with searches */ +static struct berval host_keys[] = { + BER_BVC("cn"), + BER_BVC("ipHostNumber"), + BER_BVNULL +}; + +NSSOV_INIT(host) + +NSSOV_CBPRIV(host, + char buf[1024]; + struct berval name; + struct berval addr;); + +/* write a single host entry to the stream */ +static int write_host(nssov_host_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + int numaddr,i,numname,dupname; + struct berval name,*names,*addrs; + Attribute *a; + + /* get the most canonical name */ + nssov_find_rdnval( &entry->e_nname, cbp->mi->mi_attrs[0].an_desc, &name ); + /* get the other names for the host */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[0].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"host entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + names = a->a_vals; + numname = a->a_numvals; + /* if the name is not yet found, get the first entry from names */ + if (BER_BVISNULL(&name)) { + name=names[0]; + dupname = 0; + } else { + dupname = -1; + for (i=0; i<numname; i++) { + if ( bvmatch(&name, &a->a_nvals[i])) { + dupname = i; + break; + } + } + } + /* get the addresses */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[1].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"host entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + addrs = a->a_vals; + numaddr = a->a_numvals; + /* write the entry */ + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&name); + if ( dupname >= 0 ) { + WRITE_INT32(cbp->fp,numname-1); + } else { + WRITE_INT32(cbp->fp,numname); + } + for (i=0;i<numname;i++) { + if (i == dupname) continue; + WRITE_BERVAL(cbp->fp,&names[i]); + } + WRITE_INT32(cbp->fp,numaddr); + for (i=0;i<numaddr;i++) + { + WRITE_ADDRESS(cbp->fp,&addrs[i]); + } + return 0; +} + +NSSOV_CB(host) + +NSSOV_HANDLE( + host,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.addr); + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_host_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_HOST_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + host,byaddr, + int af; + char addr[64]; + int len=sizeof(addr); + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.name); + READ_ADDRESS(fp,addr,len,af); + /* translate the address to a string */ + if (inet_ntop(af,addr,cbp.buf,sizeof(cbp.buf))==NULL) + { + Debug(LDAP_DEBUG_ANY,"nssov: unable to convert address to string\n",0,0,0); + return -1; + } + cbp.addr.bv_val = cbp.buf; + cbp.addr.bv_len = strlen(cbp.buf);, + Debug(LDAP_DEBUG_TRACE,"nssov_host_byaddr(%s)\n",cbp.addr.bv_val,0,0);, + NSLCD_ACTION_HOST_BYADDR, + nssov_filter_byid(cbp.mi,1,&cbp.addr,&filter) +) + +NSSOV_HANDLE( + host,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.addr);, + Debug(LDAP_DEBUG_TRACE,"nssov_host_all()\n",0,0,0);, + NSLCD_ACTION_HOST_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/ldapns.schema b/contrib/slapd-modules/nssov/ldapns.schema new file mode 100644 index 0000000..f6f7c9f --- /dev/null +++ b/contrib/slapd-modules/nssov/ldapns.schema @@ -0,0 +1,38 @@ +# $OpenLDAP$ +# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $ +# LDAP Name Service Additional Schema +# http://www.iana.org/assignments/gssapi-service-names + +# +# Not part of the distribution: this is a workaround! +# + +attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' + DESC 'IANA GSS-API authorized service name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus' + DESC 'Currently logged in sessions for a user' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + ORDERING caseIgnoreOrderingMatch + SYNTAX OMsDirectoryString ) + +objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' + DESC 'Auxiliary object class for adding authorizedService attribute' + SUP top + AUXILIARY + MAY authorizedService ) + +objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' + DESC 'Auxiliary object class for adding host attribute' + SUP top + AUXILIARY + MAY host ) + +objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject' + DESC 'Auxiliary object class for login status attribute' + SUP top + AUXILIARY + MAY loginStatus ) diff --git a/contrib/slapd-modules/nssov/netgroup.c b/contrib/slapd-modules/nssov/netgroup.c new file mode 100644 index 0000000..18694b6 --- /dev/null +++ b/contrib/slapd-modules/nssov/netgroup.c @@ -0,0 +1,199 @@ +/* netgroup.c - netgroup lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" +#include <ac/ctype.h> + +/* ( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + * DESC 'Abstraction of a netgroup. May refer to other netgroups' + * MUST cn + * MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) + */ + +/* the basic search filter for searches */ +static struct berval netgroup_filter = BER_BVC("(objectClass=nisNetgroup)"); + +/* the attributes to request with searches */ +static struct berval netgroup_keys[] = { + BER_BVC("cn"), + BER_BVC("nisNetgroupTriple"), + BER_BVC("memberNisNetgroup"), + BER_BVNULL +}; + +NSSOV_INIT(netgroup) + +NSSOV_CBPRIV(netgroup, + char buf[256]; + struct berval name;); + +static int write_string_stripspace_len(TFILE *fp,const char *str,int len) +{ + int32_t tmpint32; + int i,j; + DEBUG_PRINT("WRITE_STRING: var="__STRING(str)" string=\"%s\"",str); + if (str==NULL) + { + WRITE_INT32(fp,0); + } + else + { + /* skip leading spaces */ + for (i=0;(str[i]!='\0')&&(isspace(str[i]));i++) + /* nothing else to do */ ; + /* skip trailing spaces */ + for (j=len;(j>i)&&(isspace(str[j-1]));j--) + /* nothing else to do */ ; + /* write length of string */ + WRITE_INT32(fp,j-i); + /* write string itself */ + if (j>i) + { + WRITE(fp,str+i,j-i); + } + } + /* we're done */ + return 0; +} + +#define WRITE_STRING_STRIPSPACE_LEN(fp,str,len) \ + if (write_string_stripspace_len(fp,str,len)) \ + return -1; + +#define WRITE_STRING_STRIPSPACE(fp,str) \ + WRITE_STRING_STRIPSPACE_LEN(fp,str,strlen(str)) + +static int write_netgroup_triple(TFILE *fp,const char *triple) +{ + int32_t tmpint32; + int i; + int hostb,hoste,userb,usere,domainb,domaine; + /* skip leading spaces */ + for (i=0;(triple[i]!='\0')&&(isspace(triple[i]));i++) + /* nothing else to do */ ; + /* we should have a bracket now */ + if (triple[i]!='(') + { + Debug(LDAP_DEBUG_ANY,"write_netgroup_triple(): entry does not begin with '(' (entry skipped)\n",0,0,0); + return 0; + } + i++; + hostb=i; + /* find comma (end of host string) */ + for (;(triple[i]!='\0')&&(triple[i]!=',');i++) + /* nothing else to do */ ; + if (triple[i]!=',') + { + Debug(LDAP_DEBUG_ANY,"write_netgroup_triple(): missing ',' (entry skipped)\n",0,0,0); + return 0; + } + hoste=i; + i++; + userb=i; + /* find comma (end of user string) */ + for (;(triple[i]!='\0')&&(triple[i]!=',');i++) + /* nothing else to do */ ; + if (triple[i]!=',') + { + Debug(LDAP_DEBUG_ANY,"write_netgroup_triple(): missing ',' (entry skipped)\n",0,0,0); + return 0; + } + usere=i; + i++; + domainb=i; + /* find closing bracket (end of domain string) */ + for (;(triple[i]!='\0')&&(triple[i]!=')');i++) + /* nothing else to do */ ; + if (triple[i]!=')') + { + Debug(LDAP_DEBUG_ANY,"write_netgroup_triple(): missing ')' (entry skipped)\n",0,0,0); + return 0; + } + domaine=i; + i++; + /* skip trailing spaces */ + for (;(triple[i]!='\0')&&(isspace(triple[i]));i++) + /* nothing else to do */ ; + /* if anything is left in the string we have a problem */ + if (triple[i]!='\0') + { + Debug(LDAP_DEBUG_ANY,"write_netgroup_triple(): string contains trailing data (entry skipped)\n",0,0,0); + return 0; + } + /* write strings */ + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + WRITE_INT32(fp,NSLCD_NETGROUP_TYPE_TRIPLE); + WRITE_STRING_STRIPSPACE_LEN(fp,triple+hostb,hoste-hostb) + WRITE_STRING_STRIPSPACE_LEN(fp,triple+userb,usere-userb) + WRITE_STRING_STRIPSPACE_LEN(fp,triple+domainb,domaine-domainb) + /* we're done */ + return 0; +} + +static int write_netgroup(nssov_netgroup_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + int i; + Attribute *a; + + /* get the netgroup triples and member */ + a = attr_find(entry->e_attrs,cbp->mi->mi_attrs[1].an_desc); + if ( a ) { + /* write the netgroup triples */ + for (i=0;i<a->a_numvals;i++) + { + if (write_netgroup_triple(cbp->fp, a->a_vals[i].bv_val)) + return -1; + } + } + a = attr_find(entry->e_attrs,cbp->mi->mi_attrs[2].an_desc); + if ( a ) { + /* write netgroup members */ + for (i=0;i<a->a_numvals;i++) + { + /* write the result code */ + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + /* write triple indicator */ + WRITE_INT32(cbp->fp,NSLCD_NETGROUP_TYPE_NETGROUP); + /* write netgroup name */ + if (write_string_stripspace_len(cbp->fp,a->a_vals[i].bv_val,a->a_vals[i].bv_len)) + return -1; + } + } + /* we're done */ + return 0; +} + +NSSOV_CB(netgroup) + +NSSOV_HANDLE( + netgroup,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf);, + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf; + Debug(LDAP_DEBUG_TRACE,"nssov_netgroup_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_NETGROUP_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) diff --git a/contrib/slapd-modules/nssov/network.c b/contrib/slapd-modules/nssov/network.c new file mode 100644 index 0000000..3098f36 --- /dev/null +++ b/contrib/slapd-modules/nssov/network.c @@ -0,0 +1,161 @@ +/* network.c - network address lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +#include <ac/socket.h> + +/* ( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + * DESC 'Abstraction of a network. The distinguished value of + * MUST ( cn $ ipNetworkNumber ) + * MAY ( ipNetmaskNumber $ l $ description $ manager ) ) + */ + +/* the basic search filter for searches */ +static struct berval network_filter = BER_BVC("(objectClass=ipNetwork)"); + +/* the attributes used in searches */ +static struct berval network_keys[] = { + BER_BVC("cn"), + BER_BVC("ipNetworkNumber"), + BER_BVNULL +}; + +NSSOV_INIT(network) + +NSSOV_CBPRIV(network, + char buf[1024]; + struct berval name; + struct berval addr;); + +/* write a single network entry to the stream */ +static int write_network(nssov_network_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + int numaddr,i,numname,dupname; + struct berval name, *names, *addrs; + Attribute *a; + + /* get the most canonical name */ + nssov_find_rdnval( &entry->e_nname, cbp->mi->mi_attrs[0].an_desc, &name); + /* get the other names for the network */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[0].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"network entry %s does not contain %s value\n", + entry->e_name.bv_val,cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val,0); + return 0; + } + names = a->a_vals; + numname = a->a_numvals; + /* if the name is not yet found, get the first entry from names */ + if (BER_BVISNULL(&name)) { + name=names[0]; + dupname = 0; + } else { + dupname = -1; + for (i=0; i<numname; i++) { + if ( bvmatch(&name, &a->a_nvals[i])) { + dupname = i; + break; + } + } + } + /* get the addresses */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[1].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"network entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + addrs = a->a_vals; + numaddr = a->a_numvals; + /* write the entry */ + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&name); + if ( dupname >= 0 ) { + WRITE_INT32(cbp->fp,numname-1); + } else { + WRITE_INT32(cbp->fp,numname); + } + for (i=0;i<numname;i++) { + if (i == dupname) continue; + WRITE_BERVAL(cbp->fp,&names[i]); + } + WRITE_INT32(cbp->fp,numaddr); + for (i=0;i<numaddr;i++) + { + WRITE_ADDRESS(cbp->fp,&addrs[i]); + } + return 0; +} + +NSSOV_CB(network) + +NSSOV_HANDLE( + network,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.addr); + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_network_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_NETWORK_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + network,byaddr, + int af; + char addr[64]; + int len=sizeof(addr); + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.name); + READ_ADDRESS(fp,addr,len,af); + /* translate the address to a string */ + if (inet_ntop(af,addr,cbp.buf,sizeof(cbp.buf))==NULL) + { + Debug(LDAP_DEBUG_ANY,"nssov: unable to convert address to string\n",0,0,0); + return -1; + } + cbp.addr.bv_val = cbp.buf; + cbp.addr.bv_len = strlen(cbp.buf);, + Debug(LDAP_DEBUG_TRACE,"nslcd_network_byaddr(%s)\n",cbp.addr.bv_val,0,0);, + NSLCD_ACTION_NETWORK_BYADDR, + nssov_filter_byid(cbp.mi,1,&cbp.addr,&filter) +) + +NSSOV_HANDLE( + network,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.addr);, + Debug(LDAP_DEBUG_TRACE,"nssov_network_all()\n",0,0,0);, + NSLCD_ACTION_NETWORK_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/README b/contrib/slapd-modules/nssov/nss-pam-ldapd/README new file mode 100644 index 0000000..4176ad7 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/README @@ -0,0 +1,15 @@ +These files were pulled from the nss-pam-ldapd project version 0.9.4. +Copyright notices are in the individual files. + +This is not the full distribution of nss-pam-ldapd, and does not +include the client-side stub libraries. Get the latest release of +nss-pam-ldapd from http://arthurdejong.org/nss-pam-ldapd/ to use +this overlay. + +If your system already has the nss-pam-ldapd stub libraries +installed, make sure the versions match the version number +shown above. Otherwise, there may be incompatible differences in +the protocols being used. Currently nssov requires at least +version 0.9.0. If your system's version is older, you will need +to install the client-side stubs from source. + diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/attrs.h b/contrib/slapd-modules/nssov/nss-pam-ldapd/attrs.h new file mode 100644 index 0000000..83f1777 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/attrs.h @@ -0,0 +1,91 @@ +/* + attrs.h - wrapper macros for the gcc __attribute__(()) directive + + Copyright (C) 2007, 2008, 2012 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#ifndef COMPAT__ATTRS_H +#define COMPAT__ATTRS_H 1 + +/* macro for testing the version of GCC */ +#define GCC_VERSION(major, minor) \ + ((__GNUC__ > (major)) || (__GNUC__ == (major) && __GNUC_MINOR__ >= (minor))) + +/* These are macros to use some gcc-specific flags in case the're available + and otherwise define them to empty strings. This allows us to give + the compiler some extra information. + See http://gcc.gnu.org/onlinedocs/gcc/Attribute-Syntax.html + for a list of attributes supported by gcc */ + +/* this is used to flag function parameters that are not used in the function + body. */ +#if GCC_VERSION(3, 0) +#define UNUSED(x) x __attribute__((__unused__)) +#else +#define UNUSED(x) x +#endif + +/* this is used to add extra format checking to the function calls as if this + was a printf()-like function */ +#if GCC_VERSION(3, 0) +#define LIKE_PRINTF(format_idx, arg_idx) \ + __attribute__((__format__(__printf__, format_idx, arg_idx))) +#else +#define LIKE_PRINTF(format_idx, arg_idx) /* no attribute */ +#endif + +/* indicates that the function is "pure": its result is purely based on + the parameters and has no side effects or used static data */ +#if GCC_VERSION(3, 0) +#define PURE __attribute__((__pure__)) +#else +#define PURE /* no attribute */ +#endif + +/* the function returns a new data structure that has been freshly + allocated */ +#if GCC_VERSION(3, 0) +#define LIKE_MALLOC __attribute__((__malloc__)) +#else +#define LIKE_MALLOC /* no attribute */ +#endif + +/* the function's return value should be used by the caller */ +#if GCC_VERSION(3, 4) +#define MUST_USE __attribute__((__warn_unused_result__)) +#else +#define MUST_USE /* no attribute */ +#endif + +/* the function's return value should be used by the caller */ +#if GCC_VERSION(2, 5) +#define NORETURN __attribute__((__noreturn__)) +#else +#define NORETURN /* no attribute */ +#endif + +/* define __STRING if it's not yet defined */ +#ifndef __STRING +#ifdef __STDC__ +#define __STRING(x) #x +#else /* __STDC__ */ +#define __STRING(x) "x" +#endif /* not __STDC__ */ +#endif /* not __STRING */ + +#endif /* not COMPAT__ATTRS_H */ diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd-prot.h b/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd-prot.h new file mode 100644 index 0000000..649be89 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd-prot.h @@ -0,0 +1,381 @@ +/* + nslcd-prot.h - helper macros for reading and writing in protocol streams + + Copyright (C) 2006 West Consulting + Copyright (C) 2006-2014 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#ifndef COMMON__NSLCD_PROT_H +#define COMMON__NSLCD_PROT_H 1 + +#include <arpa/inet.h> +#include <netinet/in.h> + +#include "tio.h" + +/* If you use these macros you should define the following macros to + handle error conditions (these marcos should clean up and return from the + function): + ERROR_OUT_WRITEERROR(fp) + ERROR_OUT_READERROR(fp) + ERROR_OUT_BUFERROR(fp) + ERROR_OUT_NOSUCCESS(fp) */ + + +/* Debugging marcos that can be used to enable detailed protocol logging, + pass -DDEBUG_PROT to do overall protocol debugging, and -DDEBUG_PROT_DUMP + to dump the actual bytestream. */ + +#ifdef DEBUG_PROT +/* define a debugging macro to output logging */ +#include <string.h> +#include <errno.h> +#define DEBUG_PRINT(fmt, arg) \ + fprintf(stderr, "%s:%d:%s: " fmt "\n", __FILE__, __LINE__, \ + __PRETTY_FUNCTION__, arg); +#else /* DEBUG_PROT */ +/* define an empty debug macro to disable logging */ +#define DEBUG_PRINT(fmt, arg) +#endif /* not DEBUG_PROT */ + +#ifdef DEBUG_PROT_DUMP +/* define a debugging macro to output detailed logging */ +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif /* HAVE_STDINT_H */ +static void debug_dump(const void *ptr, size_t size) +{ + int i; + for (i = 0; i < size; i++) + fprintf(stderr, " %02x", ((const uint8_t *)ptr)[i]); + fprintf(stderr, "\n"); +} +#define DEBUG_DUMP(ptr, size) \ + fprintf(stderr, "%s:%d:%s:", __FILE__, __LINE__, __PRETTY_FUNCTION__); \ + debug_dump(ptr, size); +#else /* DEBUG_PROT_DUMP */ +/* define an empty debug macro to disable logging */ +#define DEBUG_DUMP(ptr, size) +#endif /* not DEBUG_PROT_DUMP */ + + +/* WRITE marcos, used for writing data, on write error they will + call the ERROR_OUT_WRITEERROR macro + these macros may require the availability of the following + variables: + int32_t tmpint32; - temporary variable + */ + +#define WRITE(fp, ptr, size) \ + DEBUG_PRINT("WRITE : var="__STRING(ptr)" size=%d", (int)size); \ + DEBUG_DUMP(ptr, size); \ + if (tio_write(fp, ptr, (size_t)size)) \ + { \ + DEBUG_PRINT("WRITE : var="__STRING(ptr)" error: %s", \ + strerror(errno)); \ + ERROR_OUT_WRITEERROR(fp); \ + } + +#define WRITE_INT32(fp, i) \ + DEBUG_PRINT("WRITE_INT32 : var="__STRING(i)" int32=%08x", (int)i); \ + tmpint32 = htonl((int32_t)(i)); \ + WRITE(fp, &tmpint32, sizeof(int32_t)) + +#define WRITE_STRING(fp, str) \ + DEBUG_PRINT("WRITE_STRING: var="__STRING(str)" string=\"%s\"", (str)); \ + if ((str) == NULL) \ + { \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + WRITE_INT32(fp, strlen(str)); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 > 0) \ + { \ + WRITE(fp, (str), tmpint32); \ + } \ + } + +#define WRITE_STRINGLIST(fp, arr) \ + if ((arr) == NULL) \ + { \ + DEBUG_PRINT("WRITE_STRLST: var="__STRING(arr)" num=%d", 0); \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + /* first determine length of array */ \ + for (tmp3int32 = 0; (arr)[tmp3int32] != NULL; tmp3int32++) \ + /* noting */ ; \ + /* write number of strings */ \ + DEBUG_PRINT("WRITE_STRLST: var="__STRING(arr)" num=%d", (int)tmp3int32); \ + WRITE_INT32(fp, tmp3int32); \ + /* write strings */ \ + for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++) \ + { \ + WRITE_STRING(fp, (arr)[tmp2int32]); \ + } \ + } + +#define WRITE_STRINGLIST_EXCEPT(fp, arr, not) \ + /* first determine length of array */ \ + tmp3int32 = 0; \ + for (tmp2int32 = 0; (arr)[tmp2int32] != NULL; tmp2int32++) \ + if (strcmp((arr)[tmp2int32], (not)) != 0) \ + tmp3int32++; \ + /* write number of strings (mius one because we intend to skip one) */ \ + DEBUG_PRINT("WRITE_STRLST: var="__STRING(arr)" num=%d", (int)tmp3int32); \ + WRITE_INT32(fp, tmp3int32); \ + /* write strings */ \ + for (tmp2int32 = 0; (arr)[tmp2int32] != NULL; tmp2int32++) \ + { \ + if (strcmp((arr)[tmp2int32], (not)) != 0) \ + { \ + WRITE_STRING(fp, (arr)[tmp2int32]); \ + } \ + } + +/* READ macros, used for reading data, on read error they will + call the ERROR_OUT_READERROR or ERROR_OUT_BUFERROR macro + these macros may require the availability of the following + variables: + int32_t tmpint32; - temporary variable + */ + +#define READ(fp, ptr, size) \ + if (tio_read(fp, ptr, (size_t)size)) \ + { \ + DEBUG_PRINT("READ : var="__STRING(ptr)" error: %s", \ + strerror(errno)); \ + ERROR_OUT_READERROR(fp); \ + } \ + DEBUG_PRINT("READ : var="__STRING(ptr)" size=%d", (int)(size)); \ + DEBUG_DUMP(ptr, size); + +#define READ_INT32(fp, i) \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + (i) = (int32_t)ntohl(tmpint32); \ + DEBUG_PRINT("READ_INT32 : var="__STRING(i)" int32==%08x", (int)(i)); + +/* read a string in a fixed-size "normal" buffer */ +#define READ_STRING(fp, buffer) \ + /* read the size of the string */ \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + DEBUG_PRINT("READ_STRING: var="__STRING(buffer)" strlen=%d", tmpint32); \ + /* check if read would fit */ \ + if (((size_t)tmpint32) >= sizeof(buffer)) \ + { \ + /* will not fit */ \ + tmpint32 = (tmpint32 - sizeof(buffer)) + 1; \ + DEBUG_PRINT("READ : buffer %d bytes too small", tmpint32); \ + ERROR_OUT_BUFERROR(fp); \ + } \ + /* read string from the stream */ \ + if (tmpint32 > 0) \ + { \ + READ(fp, buffer, (size_t)tmpint32); \ + } \ + /* null-terminate string in buffer */ \ + buffer[tmpint32] = '\0'; \ + DEBUG_PRINT("READ_STRING: var="__STRING(buffer)" string=\"%s\"", buffer); + + +/* READ BUF macros that read data into a pre-allocated buffer. + these macros may require the availability of the following + variables: + int32_t tmpint32; - temporary variable + char *buffer; - pointer to a buffer for reading strings + size_t buflen; - the size of the buffer + size_t bufptr; - the current position in the buffer + */ + +/* current position in the buffer */ +#define BUF_CUR \ + (buffer + bufptr) + +/* check that the buffer has sz bytes left in it */ +#define BUF_CHECK(fp, sz) \ + if ((bufptr + (size_t)(sz)) > buflen) \ + { \ + /* will not fit */ \ + tmpint32 = bufptr + (sz) - (buflen); \ + DEBUG_PRINT("READ : buffer %d bytes too small", tmpint32); \ + ERROR_OUT_BUFERROR(fp); \ + } + +/* move the buffer pointer */ +#define BUF_SKIP(sz) \ + bufptr += (size_t)(sz); + +/* move BUF_CUR foreward so that it is aligned to the specified + type width */ +#define BUF_ALIGN(fp, type) \ + /* figure out number of bytes to skip foreward */ \ + tmp2int32 = (sizeof(type) - ((BUF_CUR - (char *)NULL) % sizeof(type))) \ + % sizeof(type); \ + /* check and skip */ \ + BUF_CHECK(fp, tmp2int32); \ + BUF_SKIP(tmp2int32); + +/* allocate a piece of the buffer to store an array in */ +#define BUF_ALLOC(fp, ptr, type, num) \ + /* align to the specified type width */ \ + BUF_ALIGN(fp, type); \ + /* check that we have enough room */ \ + BUF_CHECK(fp, (size_t)(num) * sizeof(type)); \ + /* store the pointer */ \ + (ptr) = (type *)BUF_CUR; \ + /* reserve the space */ \ + BUF_SKIP((size_t)(num) * sizeof(type)); + +/* read a binary blob into the buffer */ +#define READ_BUF(fp, ptr, sz) \ + /* check that there is enough room and read */ \ + BUF_CHECK(fp, sz); \ + READ(fp, BUF_CUR, (size_t)sz); \ + /* store pointer and skip */ \ + (ptr) = BUF_CUR; \ + BUF_SKIP(sz); + +/* read string in the buffer (using buffer, buflen and bufptr) + and store the actual location of the string in field */ +#define READ_BUF_STRING(fp, field) \ + /* read the size of the string */ \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + DEBUG_PRINT("READ_BUF_STRING: var="__STRING(field)" strlen=%d", tmpint32); \ + /* check if read would fit */ \ + BUF_CHECK(fp, tmpint32 + 1); \ + /* read string from the stream */ \ + if (tmpint32 > 0) \ + { \ + READ(fp, BUF_CUR, (size_t)tmpint32); \ + } \ + /* null-terminate string in buffer */ \ + BUF_CUR[tmpint32] = '\0'; \ + DEBUG_PRINT("READ_BUF_STRING: var="__STRING(field)" string=\"%s\"", BUF_CUR); \ + /* prepare result */ \ + (field) = BUF_CUR; \ + BUF_SKIP(tmpint32 + 1); + +/* read an array from a stram and store it as a null-terminated + array list (size for the array is allocated) */ +#define READ_BUF_STRINGLIST(fp, arr) \ + /* read the number of entries */ \ + READ(fp, &tmp3int32, sizeof(int32_t)); \ + tmp3int32 = ntohl(tmp3int32); \ + DEBUG_PRINT("READ_STRLST: var="__STRING(arr)" num=%d", (int)tmp3int32); \ + /* allocate room for *char[num + 1] */ \ + BUF_ALLOC(fp, arr, char *, tmp3int32 + 1); \ + /* read all entries */ \ + for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++) \ + { \ + READ_BUF_STRING(fp, (arr)[tmp2int32]); \ + } \ + /* set last entry to NULL */ \ + (arr)[tmp2int32] = NULL; + + +/* SKIP macros for skipping over certain parts of the protocol stream. */ + +/* skip a number of bytes foreward */ +#define SKIP(fp, sz) \ + DEBUG_PRINT("READ : skip %d bytes", (int)(sz)); \ + /* read (skip) the specified number of bytes */ \ + if (tio_skip(fp, sz)) \ + { \ + DEBUG_PRINT("READ : skip error: %s", strerror(errno)); \ + ERROR_OUT_READERROR(fp); \ + } + +/* read a string from the stream but don't do anything with the result */ +#define SKIP_STRING(fp) \ + /* read the size of the string */ \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + DEBUG_PRINT("READ_STRING: skip %d bytes", (int)tmpint32); \ + /* read (skip) the specified number of bytes */ \ + SKIP(fp, tmpint32); + +/* skip a list of strings */ +#define SKIP_STRINGLIST(fp) \ + /* read the number of entries */ \ + READ(fp, &tmp3int32, sizeof(int32_t)); \ + tmp3int32 = ntohl(tmp3int32); \ + DEBUG_PRINT("READ_STRLST: skip %d strings", (int)tmp3int32); \ + /* read all entries */ \ + for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++) \ + { \ + SKIP_STRING(fp); \ + } + + +/* These are functions and macors for performing common operations in + the nslcd request/response protocol. */ + +/* returns a socket to the server or NULL on error (see errno), + socket should be closed with tio_close() */ +TFILE *nslcd_client_open(void) + MUST_USE; + +/* generic request code */ +#define NSLCD_REQUEST(fp, action, writefn) \ + /* open a client socket */ \ + if ((fp = nslcd_client_open()) == NULL) \ + { \ + ERROR_OUT_OPENERROR; \ + } \ + /* write a request header with a request code */ \ + WRITE_INT32(fp, (int32_t)NSLCD_VERSION) \ + WRITE_INT32(fp, (int32_t)action) \ + /* write the request parameters (if any) */ \ + writefn; \ + /* flush the stream */ \ + if (tio_flush(fp) < 0) \ + { \ + DEBUG_PRINT("WRITE_FLUSH : error: %s", strerror(errno)); \ + ERROR_OUT_WRITEERROR(fp); \ + } \ + /* read and check response version number */ \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 != (int32_t)NSLCD_VERSION) \ + { \ + ERROR_OUT_READERROR(fp); \ + } \ + /* read and check response request number */ \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 != (int32_t)(action)) \ + { \ + ERROR_OUT_READERROR(fp); \ + } + +/* Read the response code (the result code of the query) from + the stream. */ +#define READ_RESPONSE_CODE(fp) \ + READ(fp, &tmpint32, sizeof(int32_t)); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 != (int32_t)NSLCD_RESULT_BEGIN) \ + { \ + ERROR_OUT_NOSUCCESS(fp); \ + } + +#endif /* not COMMON__NSLCD_PROT_H */ diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd.h b/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd.h new file mode 100644 index 0000000..9884733 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/nslcd.h @@ -0,0 +1,305 @@ +/* + nslcd.h - file describing client/server protocol + + Copyright (C) 2006 West Consulting + Copyright (C) 2006, 2007, 2009, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#ifndef _NSLCD_H +#define _NSLCD_H 1 + +/* + The protocol used between the nslcd client and server is a simple binary + protocol. It is request/response based where the client initiates a + connection, does a single request and closes the connection again. Any + mangled or not understood messages will be silently ignored by the server. + + A request looks like: + INT32 NSLCD_VERSION + INT32 NSLCD_ACTION_* + [request parameters if any] + A response looks like: + INT32 NSLCD_VERSION + INT32 NSLCD_ACTION_* (the original request type) + [result(s)] + INT32 NSLCD_RESULT_END + A single result entry looks like: + INT32 NSLCD_RESULT_BEGIN + [result value(s)] + If a response would return multiple values (e.g. for NSLCD_ACTION_*_ALL + functions) each return value will be preceded by a NSLCD_RESULT_BEGIN + value. After the last returned result the server sends + NSLCD_RESULT_END. If some error occurs (e.g. LDAP server unavailable, + error in the request, etc) the server terminates the connection to signal + an error condition (breaking the protocol). + + These are the available basic data types: + INT32 - 32-bit integer value + TYPE - a typed field that is transferred using sizeof() + STRING - a string length (32bit) followed by the string value (not + null-terminted) the string itself is assumed to be UTF-8 + STRINGLIST - a 32-bit number noting the number of strings followed by + the strings one at a time + + Furthermore the ADDRESS compound data type is defined as: + INT32 type of address: e.g. AF_INET or AF_INET6 + INT32 lenght of address + RAW the address itself + With the ADDRESSLIST using the same construct as with STRINGLIST. + + The protocol uses network byte order for all types. +*/ + +/* The current version of the protocol. This protocol should only be + updated with major backwards-incompatible changes. */ +#define NSLCD_VERSION 0x00000002 + +/* Get a NSLCD configuration option. There is one request parameter: + INT32 NSLCD_CONFIG_* + the result value is: + STRING value, interpretation depending on request */ +#define NSLCD_ACTION_CONFIG_GET 0x00010001 + +/* return the message, if any, that is presented to the user when password + modification through PAM is prohibited */ +#define NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE 1 + +/* Email alias (/etc/aliases) NSS requests. The result values for a + single entry are: + STRING alias name + STRINGLIST alias rcpts */ +#define NSLCD_ACTION_ALIAS_BYNAME 0x00020001 +#define NSLCD_ACTION_ALIAS_ALL 0x00020008 + +/* Ethernet address/name mapping NSS requests. The result values for a + single entry are: + STRING ether name + TYPE(uint8_t[6]) ether address */ +#define NSLCD_ACTION_ETHER_BYNAME 0x00030001 +#define NSLCD_ACTION_ETHER_BYETHER 0x00030002 +#define NSLCD_ACTION_ETHER_ALL 0x00030008 + +/* Group and group membership related NSS requests. The result values + for a single entry are: + STRING group name + STRING group password + INT32 group id + STRINGLIST members (usernames) of the group + (not that the BYMEMER call returns an empty members list) */ +#define NSLCD_ACTION_GROUP_BYNAME 0x00040001 +#define NSLCD_ACTION_GROUP_BYGID 0x00040002 +#define NSLCD_ACTION_GROUP_BYMEMBER 0x00040006 +#define NSLCD_ACTION_GROUP_ALL 0x00040008 + +/* Hostname (/etc/hosts) lookup NSS requests. The result values + for an entry are: + STRING host name + STRINGLIST host aliases + ADDRESSLIST host addresses */ +#define NSLCD_ACTION_HOST_BYNAME 0x00050001 +#define NSLCD_ACTION_HOST_BYADDR 0x00050002 +#define NSLCD_ACTION_HOST_ALL 0x00050008 + +/* Netgroup NSS result entries contain a number of parts. A result entry + starts with: + STRING netgroup name + followed by zero or more references to other netgroups or netgroup + triples. A reference to another netgroup looks like: + INT32 NSLCD_NETGROUP_TYPE_NETGROUP + STRING other netgroup name + A a netgroup triple looks like: + INT32 NSLCD_NETGROUP_TYPE_TRIPLE + STRING host + STRING user + STRING domain + A netgroup result entry is terminated by: + INT32 NSLCD_NETGROUP_TYPE_END + */ +#define NSLCD_ACTION_NETGROUP_BYNAME 0x00060001 +#define NSLCD_ACTION_NETGROUP_ALL 0x00060008 +#define NSLCD_NETGROUP_TYPE_NETGROUP 1 +#define NSLCD_NETGROUP_TYPE_TRIPLE 2 +#define NSLCD_NETGROUP_TYPE_END 3 + +/* Network name (/etc/networks) NSS requests. Result values for a single + entry are: + STRING network name + STRINGLIST network aliases + ADDRESSLIST network addresses */ +#define NSLCD_ACTION_NETWORK_BYNAME 0x00070001 +#define NSLCD_ACTION_NETWORK_BYADDR 0x00070002 +#define NSLCD_ACTION_NETWORK_ALL 0x00070008 + +/* User account (/etc/passwd) NSS requests. Result values are: + STRING user name + STRING user password + INT32 user id + INT32 group id + STRING gecos information + STRING home directory + STRING login shell */ +#define NSLCD_ACTION_PASSWD_BYNAME 0x00080001 +#define NSLCD_ACTION_PASSWD_BYUID 0x00080002 +#define NSLCD_ACTION_PASSWD_ALL 0x00080008 + +/* Protocol information requests. Result values are: + STRING protocol name + STRINGLIST protocol aliases + INT32 protocol number */ +#define NSLCD_ACTION_PROTOCOL_BYNAME 0x00090001 +#define NSLCD_ACTION_PROTOCOL_BYNUMBER 0x00090002 +#define NSLCD_ACTION_PROTOCOL_ALL 0x00090008 + +/* RPC information requests. Result values are: + STRING rpc name + STRINGLIST rpc aliases + INT32 rpc number */ +#define NSLCD_ACTION_RPC_BYNAME 0x000a0001 +#define NSLCD_ACTION_RPC_BYNUMBER 0x000a0002 +#define NSLCD_ACTION_RPC_ALL 0x000a0008 + +/* Service (/etc/services) information requests. The BYNAME and BYNUMBER + requests contain an extra protocol string in the request which, if not + blank, will filter the services by this protocol. Result values are: + STRING service name + STRINGLIST service aliases + INT32 service (port) number + STRING service protocol */ +#define NSLCD_ACTION_SERVICE_BYNAME 0x000b0001 +#define NSLCD_ACTION_SERVICE_BYNUMBER 0x000b0002 +#define NSLCD_ACTION_SERVICE_ALL 0x000b0008 + +/* Extended user account (/etc/shadow) information requests. Result + values for a single entry are: + STRING user name + STRING user password + INT32 last password change + INT32 mindays + INT32 maxdays + INT32 warn + INT32 inact + INT32 expire + INT32 flag */ +#define NSLCD_ACTION_SHADOW_BYNAME 0x000c0001 +#define NSLCD_ACTION_SHADOW_ALL 0x000c0008 + +/* PAM-related requests. The request parameters for all these requests + begin with: + STRING user name + STRING service name + STRING ruser + STRING rhost + STRING tty + If the user is not known in LDAP no result may be returned (immediately + return NSLCD_RESULT_END instead of a PAM error code). */ + +/* PAM authentication check request. The extra request values are: + STRING password + and the result value consists of: + INT32 authc NSLCD_PAM_* result code + STRING user name (the cannonical user name) + INT32 authz NSLCD_PAM_* result code + STRING authorisation error message + If the username is empty in this request an attempt is made to + authenticate as the administrator (set using rootpwmoddn). + Some authorisation checks are already done during authentication so the + response also includes authorisation information. */ +#define NSLCD_ACTION_PAM_AUTHC 0x000d0001 + +/* PAM authorisation check request. The result value consists of: + INT32 authz NSLCD_PAM_* result code + STRING authorisation error message + The authentication check may have already returned some authorisation + information. The authorisation error message, if supplied, will be used + by the PAM module instead of a message that is generated by the PAM + module itself. */ +#define NSLCD_ACTION_PAM_AUTHZ 0x000d0002 + +/* PAM session open request. The result value consists of: + STRING session id + This session id may be used to close this session with. */ +#define NSLCD_ACTION_PAM_SESS_O 0x000d0003 + +/* PAM session close request. This request has the following + extra request value: + STRING session id + and this calls only returns an empty response value. */ +#define NSLCD_ACTION_PAM_SESS_C 0x000d0004 + +/* PAM password modification request. This requests has the following extra + request values: + INT32 asroot: 0=oldpasswd is user passwd, 1=oldpasswd is root passwd + STRING old password + STRING new password + and returns there extra result values: + INT32 NSLCD_PAM_* result code + STRING error message */ +#define NSLCD_ACTION_PAM_PWMOD 0x000d0005 + +/* User information change request. This request allows one to change + their full name and other information. The request parameters for this + request are: + STRING user name + INT32 asroot: 0=passwd is user passwd, 1=passwd is root passwd + STRING password + followed by one or more of the below, terminated by NSLCD_USERMOD_END + INT32 NSLCD_USERMOD_* + STRING new value + the response consists of one or more of the entries below, terminated + by NSLCD_USERMOD_END: + INT32 NSLCD_USERMOD_* + STRING response + (if the response is blank, the change went OK, otherwise the string + contains an error message) + */ +#define NSLCD_ACTION_USERMOD 0x000e0001 + +/* These are the possible values for the NSLCD_ACTION_USERMOD operation + above. */ +#define NSLCD_USERMOD_END 0 /* end of change values */ +#define NSLCD_USERMOD_RESULT 1 /* global result value */ +#define NSLCD_USERMOD_FULLNAME 2 /* full name */ +#define NSLCD_USERMOD_ROOMNUMBER 3 /* room number */ +#define NSLCD_USERMOD_WORKPHONE 4 /* office phone number */ +#define NSLCD_USERMOD_HOMEPHONE 5 /* home phone number */ +#define NSLCD_USERMOD_OTHER 6 /* other info */ +#define NSLCD_USERMOD_HOMEDIR 7 /* home directory */ +#define NSLCD_USERMOD_SHELL 8 /* login shell */ + +/* Request result codes. */ +#define NSLCD_RESULT_BEGIN 1 +#define NSLCD_RESULT_END 2 + +/* Partial list of PAM result codes. */ +#define NSLCD_PAM_SUCCESS 0 /* everything ok */ +#define NSLCD_PAM_PERM_DENIED 6 /* Permission denied */ +#define NSLCD_PAM_AUTH_ERR 7 /* Authc failure */ +#define NSLCD_PAM_CRED_INSUFFICIENT 8 /* Cannot access authc data */ +#define NSLCD_PAM_AUTHINFO_UNAVAIL 9 /* Cannot retrieve authc info */ +#define NSLCD_PAM_USER_UNKNOWN 10 /* User not known */ +#define NSLCD_PAM_MAXTRIES 11 /* Retry limit reached */ +#define NSLCD_PAM_NEW_AUTHTOK_REQD 12 /* Password expired */ +#define NSLCD_PAM_ACCT_EXPIRED 13 /* Account expired */ +#define NSLCD_PAM_SESSION_ERR 14 /* Cannot make/remove session record */ +#define NSLCD_PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ +#define NSLCD_PAM_AUTHTOK_DISABLE_AGING 23 /* Password aging disabled */ +#define NSLCD_PAM_IGNORE 25 /* Ignore module */ +#define NSLCD_PAM_ABORT 26 /* Fatal error */ +#define NSLCD_PAM_AUTHTOK_EXPIRED 27 /* authentication token has expired */ + +#endif /* not _NSLCD_H */ diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.c b/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.c new file mode 100644 index 0000000..11ad4f7 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.c @@ -0,0 +1,520 @@ +/* + tio.c - timed io functions + This file is part of the nss-pam-ldapd library. + + Copyright (C) 2007-2014 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#include "portable.h" + +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif /* HAVE_STDINT_H */ +#include <stdlib.h> +#include <unistd.h> +#include <sys/time.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> +#include <string.h> +#include <signal.h> +#include <stdio.h> +#include <limits.h> +#include <poll.h> +#include <time.h> + +#include "tio.h" + +/* for platforms that don't have ETIME use ETIMEDOUT */ +#ifndef ETIME +#define ETIME ETIMEDOUT +#endif /* ETIME */ + +/* structure that holds a buffer + the buffer contains the data that is between the application and the + file descriptor that is used for efficient transfer + the buffer is built up as follows: + |.....********......| + ^start ^size + ^--len--^ */ +struct tio_buffer { + uint8_t *buffer; + size_t size; /* the size of the buffer */ + size_t maxsize; /* the maximum size of the buffer */ + size_t start; /* the start of the data (before start is unused) */ + size_t len; /* size of the data (from the start) */ +}; + +/* structure that holds all the state for files */ +struct tio_fileinfo { + int fd; + struct tio_buffer readbuffer; + struct tio_buffer writebuffer; + int readtimeout; + int writetimeout; + int read_resettable; /* whether the tio_reset() function can be called */ +#ifdef DEBUG_TIO_STATS + /* this is used to collect statistics on the use of the streams + and can be used to tune the buffer sizes */ + size_t byteswritten; + size_t bytesread; +#endif /* DEBUG_TIO_STATS */ +}; + +/* some older versions of Solaris don't provide CLOCK_MONOTONIC but do have + a CLOCK_HIGHRES that has the same properties we need */ +#ifndef CLOCK_MONOTONIC +#ifdef CLOCK_HIGHRES +#define CLOCK_MONOTONIC CLOCK_HIGHRES +#endif /* CLOCK_HIGHRES */ +#endif /* not CLOCK_MONOTONIC */ + +/* update the timeout to the value that is remaining before the deadline + returns the number of milliseconds before the deadline (or a negative + value of the deadline has expired) */ +static inline int tio_time_remaining(struct timespec *deadline, int timeout) +{ + struct timespec tv; + /* if this is the first call, set the deadline and return the full time */ + if ((deadline->tv_sec == 0) && (deadline->tv_nsec == 0)) + { + if (clock_gettime(CLOCK_MONOTONIC, deadline) == 0) + { + deadline->tv_sec += timeout / 1000; + deadline->tv_nsec += (timeout % 1000) * 1000000; + } + return timeout; + } + /* get the current time (fall back to full time on error) */ + if (clock_gettime(CLOCK_MONOTONIC, &tv)) + return timeout; + /* calculate time remaining in milliseconds */ + return (deadline->tv_sec - tv.tv_sec) * 1000 + + (deadline->tv_nsec - tv.tv_nsec) / 1000000; +} + +/* open a new TFILE based on the file descriptor */ +TFILE *tio_fdopen(int fd, int readtimeout, int writetimeout, + size_t initreadsize, size_t maxreadsize, + size_t initwritesize, size_t maxwritesize) +{ + struct tio_fileinfo *fp; + fp = (struct tio_fileinfo *)malloc(sizeof(struct tio_fileinfo)); + if (fp == NULL) + return NULL; + fp->fd = fd; + /* initialize read buffer */ + fp->readbuffer.buffer = (uint8_t *)malloc(initreadsize); + if (fp->readbuffer.buffer == NULL) + { + free(fp); + return NULL; + } + fp->readbuffer.size = initreadsize; + fp->readbuffer.maxsize = maxreadsize; + fp->readbuffer.start = 0; + fp->readbuffer.len = 0; + /* initialize write buffer */ + fp->writebuffer.buffer = (uint8_t *)malloc(initwritesize); + if (fp->writebuffer.buffer == NULL) + { + free(fp->readbuffer.buffer); + free(fp); + return NULL; + } + fp->writebuffer.size = initwritesize; + fp->writebuffer.maxsize = maxwritesize; + fp->writebuffer.start = 0; + fp->writebuffer.len = 0; + /* initialize other attributes */ + fp->readtimeout = readtimeout; + fp->writetimeout = writetimeout; + fp->read_resettable = 0; +#ifdef DEBUG_TIO_STATS + fp->byteswritten = 0; + fp->bytesread = 0; +#endif /* DEBUG_TIO_STATS */ + return fp; +} + +/* wait for any activity on the specified file descriptor using + the specified deadline */ +static int tio_wait(int fd, short events, int timeout, + struct timespec *deadline) +{ + int t; + struct pollfd fds[1]; + int rv; + while (1) + { + fds[0].fd = fd; + fds[0].events = events; + /* figure out the time we need to wait */ + if ((t = tio_time_remaining(deadline, timeout)) < 0) + { + errno = ETIME; + return -1; + } + /* sanitiy check for moving clock */ + if (t > timeout) + t = timeout; + /* wait for activity */ + rv = poll(fds, 1, t); + if (rv > 0) + return 0; /* we have activity */ + else if (rv == 0) + { + /* no file descriptors were available within the specified time */ + errno = ETIME; + return -1; + } + else if ((errno != EINTR) && (errno != EAGAIN)) + /* some error ocurred */ + return -1; + /* we just try again on EINTR or EAGAIN */ + } +} + +/* do a read on the file descriptor, returning the data in the buffer + if no data was read in the specified time an error is returned */ +int tio_read(TFILE *fp, void *buf, size_t count) +{ + struct timespec deadline = {0, 0}; + int rv; + uint8_t *tmp; + size_t newsz; + size_t len; + /* have a more convenient storage type for the buffer */ + uint8_t *ptr = (uint8_t *)buf; + /* loop until we have returned all the needed data */ + while (1) + { + /* check if we have enough data in the buffer */ + if (fp->readbuffer.len >= count) + { + if (count > 0) + { + if (ptr != NULL) + memcpy(ptr, fp->readbuffer.buffer + fp->readbuffer.start, count); + /* adjust buffer position */ + fp->readbuffer.start += count; + fp->readbuffer.len -= count; + } + return 0; + } + /* empty what we have and continue from there */ + if (fp->readbuffer.len > 0) + { + if (ptr != NULL) + { + memcpy(ptr, fp->readbuffer.buffer + fp->readbuffer.start, + fp->readbuffer.len); + ptr += fp->readbuffer.len; + } + count -= fp->readbuffer.len; + fp->readbuffer.start += fp->readbuffer.len; + fp->readbuffer.len = 0; + } + /* after this point until the read fp->readbuffer.len is 0 */ + if (!fp->read_resettable) + { + /* the stream is not resettable, re-use the buffer */ + fp->readbuffer.start = 0; + } + else if (fp->readbuffer.start >= (fp->readbuffer.size - 4)) + { + /* buffer is running empty, try to grow buffer */ + if (fp->readbuffer.size < fp->readbuffer.maxsize) + { + newsz = fp->readbuffer.size * 2; + if (newsz > fp->readbuffer.maxsize) + newsz = fp->readbuffer.maxsize; + tmp = realloc(fp->readbuffer.buffer, newsz); + if (tmp != NULL) + { + fp->readbuffer.buffer = tmp; + fp->readbuffer.size = newsz; + } + } + /* if buffer still does not contain enough room, clear resettable */ + if (fp->readbuffer.start >= (fp->readbuffer.size - 4)) + { + fp->readbuffer.start = 0; + fp->read_resettable = 0; + } + } + /* wait until we have input */ + if (tio_wait(fp->fd, POLLIN, fp->readtimeout, &deadline)) + return -1; + /* read the input in the buffer */ + len = fp->readbuffer.size - fp->readbuffer.start; +#ifdef SSIZE_MAX + if (len > SSIZE_MAX) + len = SSIZE_MAX; +#endif /* SSIZE_MAX */ + rv = read(fp->fd, fp->readbuffer.buffer + fp->readbuffer.start, len); + /* check for errors */ + if (rv == 0) + { + errno = ECONNRESET; + return -1; + } + else if ((rv < 0) && (errno != EINTR) && (errno != EAGAIN)) + return -1; /* something went wrong with the read */ + else if (rv > 0) + fp->readbuffer.len = rv; /* skip the read part in the buffer */ +#ifdef DEBUG_TIO_STATS + fp->bytesread += rv; +#endif /* DEBUG_TIO_STATS */ + } +} + +/* Read and discard the specified number of bytes from the stream. */ +int tio_skip(TFILE *fp, size_t count) +{ + return tio_read(fp, NULL, count); +} + +/* Read all available data from the stream and empty the read buffer. */ +int tio_skipall(TFILE *fp, int timeout) +{ + struct timespec deadline = {0, 0}; + int rv; + size_t len; + /* clear the read buffer */ + fp->readbuffer.start = 0; + fp->readbuffer.len = 0; + fp->read_resettable = 0; + /* read until we can't read no more */ + len = fp->readbuffer.size; +#ifdef SSIZE_MAX + if (len > SSIZE_MAX) + len = SSIZE_MAX; +#endif /* SSIZE_MAX */ + while (1) + { + /* wait until we have input */ + if (tio_wait(fp->fd, POLLIN, timeout, &deadline)) + return -1; + /* read data from the stream */ + rv = read(fp->fd, fp->readbuffer.buffer, len); + if (rv == 0) + return 0; /* end-of-file */ + if ((rv < 0) && (errno == EWOULDBLOCK)) + return 0; /* we've ready everything we can without blocking */ + if ((rv < 0) && (errno != EINTR) && (errno != EAGAIN)) + return -1; /* something went wrong with the read */ + } +} + +/* the caller has assured us that we can write to the file descriptor + and we give it a shot */ +static int tio_writebuf(TFILE *fp) +{ + int rv; + /* write the buffer */ +#ifdef MSG_NOSIGNAL + rv = send(fp->fd, fp->writebuffer.buffer + fp->writebuffer.start, + fp->writebuffer.len, MSG_NOSIGNAL); +#else /* not MSG_NOSIGNAL */ + /* on platforms that cannot use send() with masked signals, we change the + signal mask and change it back after the write (note that there is a + race condition here) */ + struct sigaction act, oldact; + /* set up sigaction */ + memset(&act, 0, sizeof(struct sigaction)); + act.sa_sigaction = NULL; + act.sa_handler = SIG_IGN; + sigemptyset(&act.sa_mask); + act.sa_flags = SA_RESTART; + /* ignore SIGPIPE */ + if (sigaction(SIGPIPE, &act, &oldact) != 0) + return -1; /* error setting signal handler */ + /* write the buffer */ + rv = write(fp->fd, fp->writebuffer.buffer + fp->writebuffer.start, + fp->writebuffer.len); + /* restore the old handler for SIGPIPE */ + if (sigaction(SIGPIPE, &oldact, NULL) != 0) + return -1; /* error restoring signal handler */ +#endif + /* check for errors */ + if ((rv == 0) || ((rv < 0) && (errno != EINTR) && (errno != EAGAIN))) + return -1; /* something went wrong with the write */ + /* skip the written part in the buffer */ + if (rv > 0) + { + fp->writebuffer.start += rv; + fp->writebuffer.len -= rv; +#ifdef DEBUG_TIO_STATS + fp->byteswritten += rv; +#endif /* DEBUG_TIO_STATS */ + /* reset start if len is 0 */ + if (fp->writebuffer.len == 0) + fp->writebuffer.start = 0; + /* move contents of the buffer to the front if it will save enough room */ + if (fp->writebuffer.start >= (fp->writebuffer.size / 4)) + { + memmove(fp->writebuffer.buffer, + fp->writebuffer.buffer + fp->writebuffer.start, + fp->writebuffer.len); + fp->writebuffer.start = 0; + } + } + return 0; +} + +/* write all the data in the buffer to the stream */ +int tio_flush(TFILE *fp) +{ + struct timespec deadline = {0, 0}; + /* loop until we have written our buffer */ + while (fp->writebuffer.len > 0) + { + /* wait until we can write */ + if (tio_wait(fp->fd, POLLOUT, fp->writetimeout, &deadline)) + return -1; + /* write one block */ + if (tio_writebuf(fp)) + return -1; + } + return 0; +} + +/* try a single write of data in the buffer if the file descriptor + will accept data */ +static int tio_flush_nonblock(TFILE *fp) +{ + struct pollfd fds[1]; + int rv; + /* see if we can write without blocking */ + fds[0].fd = fp->fd; + fds[0].events = POLLOUT; + rv = poll(fds, 1, 0); + /* check if any file descriptors were ready (timeout) or we were + interrupted */ + if ((rv == 0) || ((rv < 0) && ((errno == EINTR) || (errno == EAGAIN)))) + return 0; + /* any other errors? */ + if (rv < 0) + return -1; + /* so file descriptor will accept writes */ + return tio_writebuf(fp); +} + +int tio_write(TFILE *fp, const void *buf, size_t count) +{ + size_t fr; + uint8_t *tmp; + size_t newsz; + const uint8_t *ptr = (const uint8_t *)buf; + /* keep filling the buffer until we have bufferred everything */ + while (count > 0) + { + /* figure out free size in buffer */ + fr = fp->writebuffer.size - (fp->writebuffer.start + fp->writebuffer.len); + if (count <= fr) + { + /* the data fits in the buffer */ + memcpy(fp->writebuffer.buffer + fp->writebuffer.start + + fp->writebuffer.len, ptr, count); + fp->writebuffer.len += count; + return 0; + } + else if (fr > 0) + { + /* fill the buffer with data that will fit */ + memcpy(fp->writebuffer.buffer + fp->writebuffer.start + + fp->writebuffer.len, ptr, fr); + fp->writebuffer.len += fr; + ptr += fr; + count -= fr; + } + /* try to flush some of the data that is in the buffer */ + if (tio_flush_nonblock(fp)) + return -1; + /* if we have room now, try again */ + if (fp->writebuffer.size > (fp->writebuffer.start + fp->writebuffer.len)) + continue; + /* try to grow the buffer */ + if (fp->writebuffer.size < fp->writebuffer.maxsize) + { + newsz = fp->writebuffer.size * 2; + if (newsz > fp->writebuffer.maxsize) + newsz = fp->writebuffer.maxsize; + tmp = realloc(fp->writebuffer.buffer, newsz); + if (tmp != NULL) + { + fp->writebuffer.buffer = tmp; + fp->writebuffer.size = newsz; + continue; /* try again */ + } + } + /* write the buffer to the stream */ + if (tio_flush(fp)) + return -1; + } + return 0; +} + +int tio_close(TFILE *fp) +{ + int retv; + /* write any buffered data */ + retv = tio_flush(fp); +#ifdef DEBUG_TIO_STATS + /* dump statistics to stderr */ + fprintf(stderr, "DEBUG_TIO_STATS READ=%d WRITTEN=%d\n", fp->bytesread, + fp->byteswritten); +#endif /* DEBUG_TIO_STATS */ + /* close file descriptor */ + if (close(fp->fd)) + retv = -1; + /* free any allocated buffers */ + memset(fp->readbuffer.buffer, 0, fp->readbuffer.size); + memset(fp->writebuffer.buffer, 0, fp->writebuffer.size); + free(fp->readbuffer.buffer); + free(fp->writebuffer.buffer); + /* free the tio struct itself */ + free(fp); + /* return the result of the earlier operations */ + return retv; +} + +void tio_mark(TFILE *fp) +{ + /* move any data in the buffer to the start of the buffer */ + if ((fp->readbuffer.start > 0) && (fp->readbuffer.len > 0)) + { + memmove(fp->readbuffer.buffer, + fp->readbuffer.buffer + fp->readbuffer.start, fp->readbuffer.len); + fp->readbuffer.start = 0; + } + /* mark the stream as resettable */ + fp->read_resettable = 1; +} + +int tio_reset(TFILE *fp) +{ + /* check if the stream is (still) resettable */ + if (!fp->read_resettable) + return -1; + /* reset the buffer */ + fp->readbuffer.len += fp->readbuffer.start; + fp->readbuffer.start = 0; + return 0; +} diff --git a/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.h b/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.h new file mode 100644 index 0000000..95f9812 --- /dev/null +++ b/contrib/slapd-modules/nssov/nss-pam-ldapd/tio.h @@ -0,0 +1,83 @@ +/* + tio.h - timed io functions + This file is part of the nss-pam-ldapd library. + + Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +/* + + TODO: Add some documentation here. + + the SIGPIPE signal should be ignored (is ignored in this code) + + This library is not thread safe. You cannot share TFILE objects between + threads and expect to be able to read and write from them in different + threads. All the state is in the TFILE object so calls to this library on + different objects can be done in parallel. + +*/ + +#ifndef COMMON__TIO_H +#define COMMON__TIO_H + +#include <sys/time.h> +#include <sys/types.h> + +#include "attrs.h" + +/* This is a generic file handle used for reading and writing + (something like FILE from stdio.h). */ +typedef struct tio_fileinfo TFILE; + +/* Open a new TFILE based on the file descriptor. The timeout is set for any + operation (value in milliseconds). */ +TFILE *tio_fdopen(int fd, int readtimeout, int writetimeout, + size_t initreadsize, size_t maxreadsize, + size_t initwritesize, size_t maxwritesize) + LIKE_MALLOC MUST_USE; + +/* Read the specified number of bytes from the stream. */ +int tio_read(TFILE *fp, void *buf, size_t count); + +/* Read and discard the specified number of bytes from the stream. */ +int tio_skip(TFILE *fp, size_t count); + +/* Read all available data from the stream and empty the read buffer. */ +int tio_skipall(TFILE *fp, int timeout); + +/* Write the specified buffer to the stream. */ +int tio_write(TFILE *fp, const void *buf, size_t count); + +/* Write out all buffered data to the stream. */ +int tio_flush(TFILE *fp); + +/* Flush the streams and closes the underlying file descriptor. */ +int tio_close(TFILE *fp); + +/* Store the current position in the stream so that we can jump back to it + with the tio_reset() function. */ +void tio_mark(TFILE *fp); + +/* Rewinds the stream to the point set by tio_mark(). Note that this only + resets the read stream and not the write stream. This function returns + whether the reset was successful (this function may fail if the buffers + were full). */ +int tio_reset(TFILE *fp); + +#endif /* COMMON__TIO_H */ diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c new file mode 100644 index 0000000..7a542e5 --- /dev/null +++ b/contrib/slapd-modules/nssov/nssov.c @@ -0,0 +1,993 @@ +/* nssov.c - nss-ldap overlay for slapd */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * Portions Copyright 2013 by Ted C. Cheng, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +#ifndef SLAPD_OVER_NSSOV +#define SLAPD_OVER_NSSOV SLAPD_MOD_DYNAMIC +#endif + +#include "../slapd/config.h" /* not nss-ldapd config.h */ + +#include "lutil.h" + +#include <ac/errno.h> +#include <ac/unistd.h> +#include <fcntl.h> +#include <sys/stat.h> + +AttributeDescription *nssov_pam_host_ad; +AttributeDescription *nssov_pam_svc_ad; + +/* buffer sizes for I/O */ +#define READBUFFER_MINSIZE 32 +#define READBUFFER_MAXSIZE 64 +#define WRITEBUFFER_MINSIZE 64 +#define WRITEBUFFER_MAXSIZE 64*1024 + +/* Find the given attribute's value in the RDN of the DN */ +void nssov_find_rdnval(struct berval *dn, AttributeDescription *ad, struct berval *value) +{ + struct berval rdn; + char *next; + + BER_BVZERO(value); + dnRdn( dn, &rdn ); + do { + next = ber_bvchr( &rdn, '+' ); + if ( rdn.bv_val[ad->ad_cname.bv_len] == '=' && + !ber_bvcmp( &rdn, &ad->ad_cname )) { + if ( next ) + rdn.bv_len = next - rdn.bv_val; + value->bv_val = rdn.bv_val + ad->ad_cname.bv_len + 1; + value->bv_len = rdn.bv_len - ad->ad_cname.bv_len - 1; + break; + } + if ( !next ) + break; + next++; + rdn.bv_len -= next - rdn.bv_val; + rdn.bv_val = next; + } while (1); +} + +/* create a search filter using a name that requires escaping */ +int nssov_filter_byname(nssov_mapinfo *mi,int key,struct berval *name,struct berval *buf) +{ + char buf2[1024]; + struct berval bv2 = {sizeof(buf2),buf2}; + + /* escape attribute */ + if (nssov_escape(name,&bv2)) + return -1; + /* build filter */ + if (bv2.bv_len + mi->mi_filter.bv_len + mi->mi_attrs[key].an_desc->ad_cname.bv_len + 6 > + buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s))", + mi->mi_filter.bv_val, mi->mi_attrs[key].an_desc->ad_cname.bv_val, + bv2.bv_val ); + return 0; +} + +/* create a search filter using a string converted from an int */ +int nssov_filter_byid(nssov_mapinfo *mi,int key,struct berval *id,struct berval *buf) +{ + /* build filter */ + if (id->bv_len + mi->mi_filter.bv_len + mi->mi_attrs[key].an_desc->ad_cname.bv_len + 6 > + buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s))", + mi->mi_filter.bv_val, mi->mi_attrs[key].an_desc->ad_cname.bv_val, + id->bv_val ); + return 0; +} + +void get_userpassword(struct berval *attr,struct berval *pw) +{ + int i; + /* go over the entries and return the remainder of the value if it + starts with {crypt} or crypt$ */ + for (i=0;!BER_BVISNULL(&attr[i]);i++) + { + if (strncasecmp(attr[i].bv_val,"{crypt}",7)==0) { + pw->bv_val = attr[i].bv_val + 7; + pw->bv_len = attr[i].bv_len - 7; + return; + } + if (strncasecmp(attr[i].bv_val,"crypt$",6)==0) { + pw->bv_val = attr[i].bv_val + 6; + pw->bv_len = attr[i].bv_len - 6; + return; + } + } + /* just return the first value completely */ + *pw = *attr; + /* TODO: support more password formats e.g. SMD5 + (which is $1$ but in a different format) + (any code for this is more than welcome) */ +} + +/* this writes a single address to the stream */ +int write_address(TFILE *fp,struct berval *addr) +{ + int32_t tmpint32; + struct in_addr ipv4addr; + struct in6_addr ipv6addr; + /* try to parse the address as IPv4 first, fall back to IPv6 */ + if (inet_pton(AF_INET,addr->bv_val,&ipv4addr)>0) + { + /* write address type */ + WRITE_INT32(fp,AF_INET); + /* write the address length */ + WRITE_INT32(fp,sizeof(struct in_addr)); + /* write the address itself (in network byte order) */ + WRITE(fp,&ipv4addr,sizeof(struct in_addr)); + } + else if (inet_pton(AF_INET6,addr->bv_val,&ipv6addr)>0) + { + /* write address type */ + WRITE_INT32(fp,AF_INET6); + /* write the address length */ + WRITE_INT32(fp,sizeof(struct in6_addr)); + /* write the address itself (in network byte order) */ + WRITE(fp,&ipv6addr,sizeof(struct in6_addr)); + } + else + { + /* failure, log but write simple invalid address + (otherwise the address list is messed up) */ + /* TODO: have error message in correct format */ + Debug(LDAP_DEBUG_ANY,"nssov: unparseable address: %s\n",addr->bv_val,0,0); + /* write an illegal address type */ + WRITE_INT32(fp,-1); + /* write an empty address */ + WRITE_INT32(fp,0); + } + /* we're done */ + return 0; +} + +int read_address(TFILE *fp,char *addr,int *addrlen,int *af) +{ + int32_t tmpint32; + int len; + /* read address family */ + READ_INT32(fp,*af); + if ((*af!=AF_INET)&&(*af!=AF_INET6)) + { + Debug(LDAP_DEBUG_ANY,"nssov: incorrect address family specified: %d\n",*af,0,0); + return -1; + } + /* read address length */ + READ_INT32(fp,len); + if ((len>*addrlen)||(len<=0)) + { + Debug(LDAP_DEBUG_ANY,"nssov: address length incorrect: %d\n",len,0,0); + return -1; + } + *addrlen=len; + /* read address */ + READ(fp,addr,len); + /* we're done */ + return 0; +} + +int nssov_escape(struct berval *src,struct berval *dst) +{ + size_t pos=0; + int i; + /* go over all characters in source string */ + for (i=0;i<src->bv_len;i++) + { + /* check if char will fit */ + if (pos>=(dst->bv_len-4)) + return -1; + /* do escaping for some characters */ + switch (src->bv_val[i]) + { + case '*': + strcpy(dst->bv_val+pos,"\\2a"); + pos+=3; + break; + case '(': + strcpy(dst->bv_val+pos,"\\28"); + pos+=3; + break; + case ')': + strcpy(dst->bv_val+pos,"\\29"); + pos+=3; + break; + case '\\': + strcpy(dst->bv_val+pos,"\\5c"); + pos+=3; + break; + default: + /* just copy character */ + dst->bv_val[pos++]=src->bv_val[i]; + break; + } + } + /* terminate destination string */ + dst->bv_val[pos]='\0'; + dst->bv_len = pos; + return 0; +} + +/* read the version information and action from the stream + this function returns the read action in location pointer to by action */ +static int read_header(TFILE *fp,int32_t *action) +{ + int32_t tmpint32; + /* read the protocol version */ + READ_INT32(fp,tmpint32); + if (tmpint32 != (int32_t)NSLCD_VERSION) + { + Debug( LDAP_DEBUG_TRACE,"nssov: wrong nslcd version id (%d)\n",(int)tmpint32,0,0); + return -1; + } + /* read the request type */ + READ_INT32(fp,*action); + return 0; +} + +int nssov_config(nssov_info *ni,TFILE *fp,Operation *op) +{ + int opt; + int32_t tmpint32; + + READ_INT32(fp,opt); + + Debug(LDAP_DEBUG_TRACE, "nssov_config (%d)\n",opt,0,0); + + WRITE_INT32(fp,NSLCD_VERSION); + WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET); + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + + switch (opt) { + case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE: + /* request for pam password_prohibit_message */ + /* nssov_pam prohibits password */ + if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) { + Debug(LDAP_DEBUG_TRACE,"nssov_config(): %s (%s)\n", + "password_prohibit_message", + ni->ni_pam_password_prohibit_message.bv_val,0); + WRITE_STRING(fp,ni->ni_pam_password_prohibit_message.bv_val); + } + default: + /* all other config options are ignored */ + break; + } + + WRITE_INT32(fp,NSLCD_RESULT_END); + return 0; +} + + +/* read a request message, returns <0 in case of errors, + this function closes the socket */ +static void handleconnection(nssov_info *ni,int sock,Operation *op) +{ + TFILE *fp; + int32_t action; + int readtimeout,writetimeout; + uid_t uid; + gid_t gid; + char authid[sizeof("gidNumber=4294967295+uidNumber=424967295,cn=peercred,cn=external,cn=auth")]; + char peerbuf[8]; + struct berval peerbv = { sizeof(peerbuf), peerbuf }; + + /* log connection */ + if (LUTIL_GETPEEREID(sock,&uid,&gid,&peerbv)) + Debug( LDAP_DEBUG_TRACE,"nssov: connection from unknown client: %s\n",strerror(errno),0,0); + else + Debug( LDAP_DEBUG_TRACE,"nssov: connection from uid=%d gid=%d\n", + (int)uid,(int)gid,0); + + /* Should do authid mapping too */ + op->o_dn.bv_len = sprintf(authid,"gidNumber=%d+uidNumber=%d,cn=peercred,cn=external,cn=auth", + (int)gid, (int)uid ); + op->o_dn.bv_val = authid; + op->o_ndn = op->o_dn; + + /* set the timeouts: + * read timeout is half a second because clients should send their request + * quickly, write timeout is 60 seconds because clients could be taking some + * time to process the results + */ + readtimeout = 500; + writetimeout = 60000; + /* create a stream object */ + if ((fp=tio_fdopen(sock,readtimeout,writetimeout, + READBUFFER_MINSIZE,READBUFFER_MAXSIZE, + WRITEBUFFER_MINSIZE,WRITEBUFFER_MAXSIZE))==NULL) + { + Debug( LDAP_DEBUG_ANY,"nssov: cannot create stream for writing: %s",strerror(errno),0,0); + (void)close(sock); + return; + } + /* read request */ + if (read_header(fp,&action)) + { + (void)tio_close(fp); + return; + } + /* handle request */ + switch (action) + { + case NSLCD_ACTION_ALIAS_BYNAME: (void)nssov_alias_byname(ni,fp,op); break; + case NSLCD_ACTION_ALIAS_ALL: (void)nssov_alias_all(ni,fp,op); break; + case NSLCD_ACTION_ETHER_BYNAME: (void)nssov_ether_byname(ni,fp,op); break; + case NSLCD_ACTION_ETHER_BYETHER: (void)nssov_ether_byether(ni,fp,op); break; + case NSLCD_ACTION_ETHER_ALL: (void)nssov_ether_all(ni,fp,op); break; + case NSLCD_ACTION_GROUP_BYNAME: (void)nssov_group_byname(ni,fp,op); break; + case NSLCD_ACTION_GROUP_BYGID: (void)nssov_group_bygid(ni,fp,op); break; + case NSLCD_ACTION_GROUP_BYMEMBER: (void)nssov_group_bymember(ni,fp,op); break; + case NSLCD_ACTION_GROUP_ALL: (void)nssov_group_all(ni,fp,op); break; + case NSLCD_ACTION_HOST_BYNAME: (void)nssov_host_byname(ni,fp,op); break; + case NSLCD_ACTION_HOST_BYADDR: (void)nssov_host_byaddr(ni,fp,op); break; + case NSLCD_ACTION_HOST_ALL: (void)nssov_host_all(ni,fp,op); break; + case NSLCD_ACTION_NETGROUP_BYNAME: (void)nssov_netgroup_byname(ni,fp,op); break; + case NSLCD_ACTION_NETWORK_BYNAME: (void)nssov_network_byname(ni,fp,op); break; + case NSLCD_ACTION_NETWORK_BYADDR: (void)nssov_network_byaddr(ni,fp,op); break; + case NSLCD_ACTION_NETWORK_ALL: (void)nssov_network_all(ni,fp,op); break; + case NSLCD_ACTION_PASSWD_BYNAME: (void)nssov_passwd_byname(ni,fp,op); break; + case NSLCD_ACTION_PASSWD_BYUID: (void)nssov_passwd_byuid(ni,fp,op); break; + case NSLCD_ACTION_PASSWD_ALL: (void)nssov_passwd_all(ni,fp,op); break; + case NSLCD_ACTION_PROTOCOL_BYNAME: (void)nssov_protocol_byname(ni,fp,op); break; + case NSLCD_ACTION_PROTOCOL_BYNUMBER:(void)nssov_protocol_bynumber(ni,fp,op); break; + case NSLCD_ACTION_PROTOCOL_ALL: (void)nssov_protocol_all(ni,fp,op); break; + case NSLCD_ACTION_RPC_BYNAME: (void)nssov_rpc_byname(ni,fp,op); break; + case NSLCD_ACTION_RPC_BYNUMBER: (void)nssov_rpc_bynumber(ni,fp,op); break; + case NSLCD_ACTION_RPC_ALL: (void)nssov_rpc_all(ni,fp,op); break; + case NSLCD_ACTION_SERVICE_BYNAME: (void)nssov_service_byname(ni,fp,op); break; + case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nssov_service_bynumber(ni,fp,op); break; + case NSLCD_ACTION_SERVICE_ALL: (void)nssov_service_all(ni,fp,op); break; + case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break; + case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break; + case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op,uid); break; + case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break; + case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break; + case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break; + case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op,uid); break; + case NSLCD_ACTION_CONFIG_GET: (void)nssov_config(ni,fp,op); break; + default: + Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0); + break; + } + /* we're done with the request */ + (void)tio_close(fp); + return; +} + +/* accept a connection on the socket */ +static void *acceptconn(void *ctx, void *arg) +{ + nssov_info *ni = arg; + Connection conn = {0}; + OperationBuffer opbuf; + Operation *op; + int csock; + + if ( slapd_shutdown ) + return NULL; + + { + struct sockaddr_storage addr; + socklen_t alen; + int j; + + /* accept a new connection */ + alen=(socklen_t)sizeof(struct sockaddr_storage); + csock=accept(ni->ni_socket,(struct sockaddr *)&addr,&alen); + connection_client_enable(ni->ni_conn); + if (csock<0) + { + if ((errno==EINTR)||(errno==EAGAIN)||(errno==EWOULDBLOCK)) + { + Debug( LDAP_DEBUG_TRACE,"nssov: accept() failed (ignored): %s",strerror(errno),0,0); + return NULL; + } + Debug( LDAP_DEBUG_ANY,"nssov: accept() failed: %s",strerror(errno),0,0); + return NULL; + } + /* make sure O_NONBLOCK is not inherited */ + if ((j=fcntl(csock,F_GETFL,0))<0) + { + Debug( LDAP_DEBUG_ANY,"nssov: fcntl(F_GETFL) failed: %s",strerror(errno),0,0); + if (close(csock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return NULL; + } + if (fcntl(csock,F_SETFL,j&~O_NONBLOCK)<0) + { + Debug( LDAP_DEBUG_ANY,"nssov: fcntl(F_SETFL,~O_NONBLOCK) failed: %s",strerror(errno),0,0); + if (close(csock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return NULL; + } + } + connection_fake_init( &conn, &opbuf, ctx ); + op=&opbuf.ob_op; + conn.c_ssf = conn.c_transport_ssf = local_ssf; + op->o_bd = ni->ni_db; + op->o_tag = LDAP_REQ_SEARCH; + + /* handle the connection */ + handleconnection(ni,csock,op); + + return NULL; +} + +static slap_verbmasks nss_svcs[] = { + { BER_BVC("aliases"), NM_alias }, + { BER_BVC("ethers"), NM_ether }, + { BER_BVC("group"), NM_group }, + { BER_BVC("hosts"), NM_host }, + { BER_BVC("netgroup"), NM_netgroup }, + { BER_BVC("networks"), NM_network }, + { BER_BVC("passwd"), NM_passwd }, + { BER_BVC("protocols"), NM_protocol }, + { BER_BVC("rpc"), NM_rpc }, + { BER_BVC("services"), NM_service }, + { BER_BVC("shadow"), NM_shadow }, + { BER_BVNULL, 0 } +}; + +static slap_verbmasks pam_opts[] = { + { BER_BVC("userhost"), NI_PAM_USERHOST }, + { BER_BVC("userservice"), NI_PAM_USERSVC }, + { BER_BVC("usergroup"), NI_PAM_USERGRP }, + { BER_BVC("hostservice"), NI_PAM_HOSTSVC }, + { BER_BVC("authz2dn"), NI_PAM_SASL2DN }, + { BER_BVC("uid2dn"), NI_PAM_UID2DN }, + { BER_BVNULL, 0 } +}; + +enum { + NSS_SSD=1, + NSS_MAP, + NSS_PAM, + NSS_PAMGROUP, + NSS_PAMSESS +}; + +static ConfigDriver nss_cf_gen; + +static ConfigTable nsscfg[] = { + { "nssov-ssd", "service> <url", 3, 3, 0, ARG_MAGIC|NSS_SSD, + nss_cf_gen, "(OLcfgCtAt:3.1 NAME 'olcNssSsd' " + "DESC 'URL for searches in a given service' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "nssov-map", "service> <orig> <new", 4, 4, 0, ARG_MAGIC|NSS_MAP, + nss_cf_gen, "(OLcfgCtAt:3.2 NAME 'olcNssMap' " + "DESC 'Map <service> lookups of <orig> attr to <new> attr' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "nssov-pam", "options", 2, 0, 0, ARG_MAGIC|NSS_PAM, + nss_cf_gen, "(OLcfgCtAt:3.3 NAME 'olcNssPam' " + "DESC 'PAM authentication and authorization options' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "nssov-pam-defhost", "hostname", 2, 2, 0, ARG_OFFSET|ARG_BERVAL, + (void *)offsetof(struct nssov_info, ni_pam_defhost), + "(OLcfgCtAt:3.4 NAME 'olcNssPamDefHost' " + "DESC 'Default hostname for service checks' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-group-dn", "DN", 2, 2, 0, ARG_MAGIC|ARG_DN|NSS_PAMGROUP, + nss_cf_gen, "(OLcfgCtAt:3.5 NAME 'olcNssPamGroupDN' " + "DESC 'DN of group in which membership is required' " + "EQUALITY distinguishedNameMatch " + "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-group-ad", "attr", 2, 2, 0, ARG_OFFSET|ARG_ATDESC, + (void *)offsetof(struct nssov_info, ni_pam_group_ad), + "(OLcfgCtAt:3.6 NAME 'olcNssPamGroupAD' " + "DESC 'Member attribute to use for group check' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-min-uid", "uid", 2, 2, 0, ARG_OFFSET|ARG_INT, + (void *)offsetof(struct nssov_info, ni_pam_min_uid), + "(OLcfgCtAt:3.7 NAME 'olcNssPamMinUid' " + "DESC 'Minimum UID allowed to login' " + "EQUALITY integerMatch " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-max-uid", "uid", 2, 2, 0, ARG_OFFSET|ARG_INT, + (void *)offsetof(struct nssov_info, ni_pam_max_uid), + "(OLcfgCtAt:3.8 NAME 'olcNssPamMaxUid' " + "DESC 'Maximum UID allowed to login' " + "EQUALITY integerMatch " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-template-ad", "attr", 2, 2, 0, ARG_OFFSET|ARG_ATDESC, + (void *)offsetof(struct nssov_info, ni_pam_template_ad), + "(OLcfgCtAt:3.9 NAME 'olcNssPamTemplateAD' " + "DESC 'Attribute to use for template login name' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-template", "name", 2, 2, 0, ARG_OFFSET|ARG_BERVAL, + (void *)offsetof(struct nssov_info, ni_pam_template), + "(OLcfgCtAt:3.10 NAME 'olcNssPamTemplate' " + "DESC 'Default template login name' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-session", "service", 2, 2, 0, ARG_MAGIC|NSS_PAMSESS, + nss_cf_gen, "(OLcfgCtAt:3.11 NAME 'olcNssPamSession' " + "DESC 'Services for which sessions will be recorded' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "nssov-pam-password-prohibit-message", + "password_prohibit_message", 2, 2, 0, + ARG_OFFSET|ARG_BERVAL, + (void *)offsetof(struct nssov_info, ni_pam_password_prohibit_message), + "(OLcfgCtAt:3.12 NAME 'olcNssPamPwdProhibitMsg' " + "DESC 'Prohibit password modification message' " + "EQUALITY caseIgnoreMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-pwdmgr-dn", + "pwdmgr_dn", 2, 2, 0, + ARG_OFFSET|ARG_BERVAL, + (void *)offsetof(struct nssov_info, ni_pam_pwdmgr_dn), + "(OLcfgCtAt:3.13 NAME 'olcPamPwdmgrDn' " + "DESC 'Password Manager DN' " + "EQUALITY distinguishedNameMatch " + "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL }, + { "nssov-pam-pwdmgr-pwd", + "pwdmgr_pwd", 2, 2, 0, + ARG_OFFSET|ARG_BERVAL, + (void *)offsetof(struct nssov_info, ni_pam_pwdmgr_pwd), + "(OLcfgCtAt:3.14 NAME 'olcPamPwdmgrPwd' " + "DESC 'Password Manager Pwd' " + "EQUALITY octetStringMatch " + "SYNTAX OMsOctetString SINGLE-VALUE )", NULL, NULL }, + { NULL, NULL, 0,0,0, ARG_IGNORED } +}; + +static ConfigOCs nssocs[] = { + { "( OLcfgCtOc:3.1 " + "NAME 'olcNssOvConfig' " + "DESC 'NSS lookup configuration' " + "SUP olcOverlayConfig " + "MAY ( olcNssSsd $ olcNssMap $ olcNssPam $ olcNssPamDefHost $ " + "olcNssPamGroupDN $ olcNssPamGroupAD $ " + "olcNssPamMinUid $ olcNssPamMaxUid $ olcNssPamSession $ " + "olcNssPamTemplateAD $ olcNssPamTemplate ) )", + Cft_Overlay, nsscfg }, + { NULL, 0, NULL } +}; + +static int +nss_cf_gen(ConfigArgs *c) +{ + slap_overinst *on = (slap_overinst *)c->bi; + nssov_info *ni = on->on_bi.bi_private; + nssov_mapinfo *mi; + int i, j, rc = 0; + slap_mask_t m; + + if ( c->op == SLAP_CONFIG_EMIT ) { + switch(c->type) { + case NSS_SSD: + rc = 1; + for (i=NM_alias;i<NM_NONE;i++) { + struct berval scope; + struct berval ssd; + struct berval base; + + mi = &ni->ni_maps[i]; + + /* ignore all-default services */ + if ( mi->mi_scope == LDAP_SCOPE_DEFAULT && + bvmatch( &mi->mi_filter, &mi->mi_filter0 ) && + BER_BVISNULL( &mi->mi_base )) + continue; + + if ( BER_BVISNULL( &mi->mi_base )) + base = ni->ni_db->be_nsuffix[0]; + else + base = mi->mi_base; + ldap_pvt_scope2bv(mi->mi_scope == LDAP_SCOPE_DEFAULT ? + LDAP_SCOPE_SUBTREE : mi->mi_scope, &scope); + ssd.bv_len = STRLENOF(" ldap:///???") + nss_svcs[i].word.bv_len + + base.bv_len + scope.bv_len + mi->mi_filter.bv_len; + ssd.bv_val = ch_malloc( ssd.bv_len + 1 ); + sprintf(ssd.bv_val, "%s ldap:///%s??%s?%s", nss_svcs[i].word.bv_val, + base.bv_val, scope.bv_val, mi->mi_filter.bv_val ); + ber_bvarray_add( &c->rvalue_vals, &ssd ); + rc = 0; + } + break; + case NSS_MAP: + rc = 1; + for (i=NM_alias;i<NM_NONE;i++) { + + mi = &ni->ni_maps[i]; + for (j=0;!BER_BVISNULL(&mi->mi_attrkeys[j]);j++) { + if ( ber_bvstrcasecmp(&mi->mi_attrkeys[j], + &mi->mi_attrs[j].an_name)) { + struct berval map; + + map.bv_len = nss_svcs[i].word.bv_len + + mi->mi_attrkeys[j].bv_len + + mi->mi_attrs[j].an_desc->ad_cname.bv_len + 2; + map.bv_val = ch_malloc(map.bv_len + 1); + sprintf(map.bv_val, "%s %s %s", nss_svcs[i].word.bv_val, + mi->mi_attrkeys[j].bv_val, mi->mi_attrs[j].an_desc->ad_cname.bv_val ); + ber_bvarray_add( &c->rvalue_vals, &map ); + rc = 0; + } + } + } + break; + case NSS_PAM: + rc = mask_to_verbs( pam_opts, ni->ni_pam_opts, &c->rvalue_vals ); + break; + case NSS_PAMGROUP: + if (!BER_BVISEMPTY( &ni->ni_pam_group_dn )) { + value_add_one( &c->rvalue_vals, &ni->ni_pam_group_dn ); + value_add_one( &c->rvalue_nvals, &ni->ni_pam_group_dn ); + } else { + rc = 1; + } + break; + case NSS_PAMSESS: + if (ni->ni_pam_sessions) { + ber_bvarray_dup_x( &c->rvalue_vals, ni->ni_pam_sessions, NULL ); + } else { + rc = 1; + } + break; + } + return rc; + } else if ( c->op == LDAP_MOD_DELETE ) { + /* FIXME */ + return 1; + } + switch( c->type ) { + case NSS_SSD: { + LDAPURLDesc *lud; + + i = verb_to_mask(c->argv[1], nss_svcs); + if ( i == NM_NONE ) + return 1; + + mi = &ni->ni_maps[i]; + rc = ldap_url_parse(c->argv[2], &lud); + if ( rc ) + return 1; + do { + struct berval base; + /* Must be LDAP scheme */ + if (strcasecmp(lud->lud_scheme,"ldap")) { + rc = 1; + break; + } + /* Host part, attrs, and extensions must be empty */ + if (( lud->lud_host && *lud->lud_host ) || + lud->lud_attrs || lud->lud_exts ) { + rc = 1; + break; + } + ber_str2bv( lud->lud_dn,0,0,&base); + rc = dnNormalize( 0,NULL,NULL,&base,&mi->mi_base,NULL); + if ( rc ) + break; + if ( lud->lud_filter ) { + /* steal this */ + ber_str2bv( lud->lud_filter,0,0,&mi->mi_filter); + lud->lud_filter = NULL; + } + mi->mi_scope = lud->lud_scope; + } while(0); + ldap_free_urldesc( lud ); + } + break; + case NSS_MAP: + i = verb_to_mask(c->argv[1], nss_svcs); + if ( i == NM_NONE ) + return 1; + rc = 1; + mi = &ni->ni_maps[i]; + for (j=0; !BER_BVISNULL(&mi->mi_attrkeys[j]); j++) { + if (!strcasecmp(c->argv[2],mi->mi_attrkeys[j].bv_val)) { + AttributeDescription *ad = NULL; + const char *text; + rc = slap_str2ad( c->argv[3], &ad, &text); + if ( rc == 0 ) { + mi->mi_attrs[j].an_desc = ad; + mi->mi_attrs[j].an_name = ad->ad_cname; + } + break; + } + } + break; + case NSS_PAM: + m = ni->ni_pam_opts; + i = verbs_to_mask(c->argc, c->argv, pam_opts, &m); + if (i == 0) { + ni->ni_pam_opts = m; + if ((m & NI_PAM_USERHOST) && !nssov_pam_host_ad) { + const char *text; + i = slap_str2ad("host", &nssov_pam_host_ad, &text); + if (i != LDAP_SUCCESS) { + snprintf(c->cr_msg, sizeof(c->cr_msg), + "nssov: host attr unknown: %s", text); + Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0); + rc = 1; + break; + } + } + if ((m & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && !nssov_pam_svc_ad) { + const char *text; + i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text); + if (i != LDAP_SUCCESS) { + snprintf(c->cr_msg, sizeof(c->cr_msg), + "nssov: authorizedService attr unknown: %s", text); + Debug(LDAP_DEBUG_ANY,"%s\n",c->cr_msg,0,0); + rc = 1; + break; + } + } + } else { + rc = 1; + } + break; + case NSS_PAMGROUP: + ni->ni_pam_group_dn = c->value_ndn; + ch_free( c->value_dn.bv_val ); + break; + case NSS_PAMSESS: + ber_str2bv( c->argv[1], 0, 1, &c->value_bv ); + ber_bvarray_add( &ni->ni_pam_sessions, &c->value_bv ); + break; + } + return rc; +} + +static int +nssov_db_init( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + nssov_info *ni; + int rc; + + rc = nssov_pam_init(); + if (rc) return rc; + + ni = ch_calloc( 1, sizeof(nssov_info) ); + on->on_bi.bi_private = ni; + + /* set up map keys */ + nssov_alias_init(ni); + nssov_ether_init(ni); + nssov_group_init(ni); + nssov_host_init(ni); + nssov_netgroup_init(ni); + nssov_network_init(ni); + nssov_passwd_init(ni); + nssov_protocol_init(ni); + nssov_rpc_init(ni); + nssov_service_init(ni); + nssov_shadow_init(ni); + + ni->ni_db = be->bd_self; + ni->ni_pam_opts = NI_PAM_UID2DN; + + return 0; +} + +static int +nssov_db_destroy( + BackendDB *be, + ConfigReply *cr ) +{ + return 0; +} + +static int +nssov_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + nssov_info *ni = on->on_bi.bi_private; + nssov_mapinfo *mi; + + int i, sock; + struct sockaddr_un addr; + + /* Set default bases */ + for (i=0; i<NM_NONE; i++) { + if ( BER_BVISNULL( &ni->ni_maps[i].mi_base )) { + ber_dupbv( &ni->ni_maps[i].mi_base, &be->be_nsuffix[0] ); + } + if ( ni->ni_maps[i].mi_scope == LDAP_SCOPE_DEFAULT ) + ni->ni_maps[i].mi_scope = LDAP_SCOPE_SUBTREE; + } + /* validate attribute maps */ + mi = ni->ni_maps; + for ( i=0; i<NM_NONE; i++,mi++) { + const char *text; + int j; + for (j=0; !BER_BVISNULL(&mi->mi_attrkeys[j]); j++) { + /* skip attrs we already validated */ + if ( mi->mi_attrs[j].an_desc ) continue; + if ( slap_bv2ad( &mi->mi_attrs[j].an_name, + &mi->mi_attrs[j].an_desc, &text )) { + Debug(LDAP_DEBUG_ANY,"nssov: invalid attr \"%s\": %s\n", + mi->mi_attrs[j].an_name.bv_val, text, 0 ); + return -1; + } + } + BER_BVZERO(&mi->mi_attrs[j].an_name); + mi->mi_attrs[j].an_desc = NULL; + } + + /* Find host and authorizedService definitions */ + if ((ni->ni_pam_opts & NI_PAM_USERHOST) && !nssov_pam_host_ad) + { + const char *text; + i = slap_str2ad("host", &nssov_pam_host_ad, &text); + if (i != LDAP_SUCCESS) { + Debug(LDAP_DEBUG_ANY,"nssov: host attr unknown: %s\n", + text, 0, 0 ); + return -1; + } + } + if ((ni->ni_pam_opts & (NI_PAM_USERSVC|NI_PAM_HOSTSVC)) && + !nssov_pam_svc_ad) + { + const char *text; + i = slap_str2ad("authorizedService", &nssov_pam_svc_ad, &text); + if (i != LDAP_SUCCESS) { + Debug(LDAP_DEBUG_ANY,"nssov: authorizedService attr unknown: %s\n", + text, 0, 0 ); + return -1; + } + } + if ( slapMode & SLAP_SERVER_MODE ) { + /* make sure /var/run/nslcd exists */ + if (mkdir(NSLCD_PATH, (mode_t) 0555)) { + Debug(LDAP_DEBUG_TRACE,"nssov: mkdir(%s) failed (ignored): %s\n", + NSLCD_PATH,strerror(errno),0); + } else { + Debug(LDAP_DEBUG_TRACE,"nssov: created %s\n",NSLCD_PATH,0,0); + } + + /* create a socket */ + if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 ) + { + Debug(LDAP_DEBUG_ANY,"nssov: cannot create socket: %s\n",strerror(errno),0,0); + return -1; + } + /* remove existing named socket */ + if (unlink(NSLCD_SOCKET)<0) + { + Debug( LDAP_DEBUG_TRACE,"nssov: unlink() of "NSLCD_SOCKET" failed (ignored): %s\n", + strerror(errno),0,0); + } + /* create socket address structure */ + memset(&addr,0,sizeof(struct sockaddr_un)); + addr.sun_family=AF_UNIX; + strncpy(addr.sun_path,NSLCD_SOCKET,sizeof(addr.sun_path)); + addr.sun_path[sizeof(addr.sun_path)-1]='\0'; + /* bind to the named socket */ + if (bind(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr_un))) + { + Debug( LDAP_DEBUG_ANY,"nssov: bind() to "NSLCD_SOCKET" failed: %s", + strerror(errno),0,0); + if (close(sock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return -1; + } + /* close the file descriptor on exit */ + if (fcntl(sock,F_SETFD,FD_CLOEXEC)<0) + { + Debug( LDAP_DEBUG_ANY,"nssov: fcntl(F_SETFL,O_NONBLOCK) failed: %s",strerror(errno),0,0); + if (close(sock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return -1; + } + /* set permissions of socket so anybody can do requests */ + /* Note: we use chmod() here instead of fchmod() because + fchmod does not work on sockets + http://www.opengroup.org/onlinepubs/009695399/functions/fchmod.html + http://lkml.org/lkml/2005/5/16/11 */ + if (chmod(NSLCD_SOCKET,(mode_t)0666)) + { + Debug( LDAP_DEBUG_ANY,"nssov: chmod(0666) failed: %s",strerror(errno),0,0); + if (close(sock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return -1; + } + /* start listening for connections */ + if (listen(sock,SOMAXCONN)<0) + { + Debug( LDAP_DEBUG_ANY,"nssov: listen() failed: %s",strerror(errno),0,0); + if (close(sock)) + Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",strerror(errno),0,0); + return -1; + } + ni->ni_socket = sock; + ni->ni_conn = connection_client_setup( sock, acceptconn, ni ); + } + + return 0; +} + +static int +nssov_db_close( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + nssov_info *ni = on->on_bi.bi_private; + + if ( slapMode & SLAP_SERVER_MODE ) { + /* close socket if it's still in use */ + if (ni->ni_socket >= 0) + { + if (close(ni->ni_socket)) + Debug( LDAP_DEBUG_ANY,"problem closing server socket (ignored): %s",strerror(errno),0,0); + ni->ni_socket = -1; + } + /* remove existing named socket */ + if (unlink(NSLCD_SOCKET)<0) + { + Debug( LDAP_DEBUG_TRACE,"unlink() of "NSLCD_SOCKET" failed (ignored): %s", + strerror(errno),0,0); + } + } + return 0; +} + +static slap_overinst nssov; + +int +nssov_initialize( void ) +{ + int rc; + + nssov.on_bi.bi_type = "nssov"; + nssov.on_bi.bi_db_init = nssov_db_init; + nssov.on_bi.bi_db_destroy = nssov_db_destroy; + nssov.on_bi.bi_db_open = nssov_db_open; + nssov.on_bi.bi_db_close = nssov_db_close; + + nssov.on_bi.bi_cf_ocs = nssocs; + + rc = config_register_schema( nsscfg, nssocs ); + if ( rc ) return rc; + + return overlay_register(&nssov); +} + +#if SLAPD_OVER_NSSOV == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return nssov_initialize(); +} +#endif diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h new file mode 100644 index 0000000..9677e21 --- /dev/null +++ b/contrib/slapd-modules/nssov/nssov.h @@ -0,0 +1,347 @@ +/* nssov.h - NSS overlay header file */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Howard Chu. + * Portions Copyright 2013 Ted C. Cheng, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#ifndef NSSOV_H +#define NSSOV_H + +#ifndef NSLCD_PATH +#define NSLCD_PATH "/var/run/nslcd" +#endif + +#ifndef NSLCD_SOCKET +#define NSLCD_SOCKET NSLCD_PATH "/socket" +#endif + +#include <stdio.h> + +#include "nslcd.h" +#include "nslcd-prot.h" +#include "tio.h" +#include "attrs.h" + +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include "portable.h" +#include "slap.h" +#include <ac/string.h> + +/* selectors for different maps */ +enum nssov_map_selector +{ + NM_alias, + NM_ether, + NM_group, + NM_host, + NM_netgroup, + NM_network, + NM_passwd, + NM_protocol, + NM_rpc, + NM_service, + NM_shadow, + NM_NONE +}; + +typedef struct nssov_mapinfo { + struct berval mi_base; + int mi_scope; + struct berval mi_filter0; + struct berval mi_filter; + struct berval *mi_attrkeys; + AttributeName *mi_attrs; +} nssov_mapinfo; + +typedef struct nssov_info +{ + /* search timelimit */ + int ni_timelimit; + struct nssov_mapinfo ni_maps[NM_NONE]; + int ni_socket; + Connection *ni_conn; + BackendDB *ni_db; + + /* PAM authz support... */ + slap_mask_t ni_pam_opts; + struct berval ni_pam_group_dn; + AttributeDescription *ni_pam_group_ad; + int ni_pam_min_uid; + int ni_pam_max_uid; + AttributeDescription *ni_pam_template_ad; + struct berval ni_pam_template; + struct berval ni_pam_defhost; + struct berval *ni_pam_sessions; + struct berval ni_pam_password_prohibit_message; + struct berval ni_pam_pwdmgr_dn; + struct berval ni_pam_pwdmgr_pwd; +} nssov_info; + +#define NI_PAM_USERHOST 1 /* old style host checking */ +#define NI_PAM_USERSVC 2 /* old style service checking */ +#define NI_PAM_USERGRP 4 /* old style group checking */ +#define NI_PAM_HOSTSVC 8 /* new style authz checking */ +#define NI_PAM_SASL2DN 0x10 /* use sasl2dn */ +#define NI_PAM_UID2DN 0x20 /* use uid2dn */ + +#define NI_PAM_OLD (NI_PAM_USERHOST|NI_PAM_USERSVC|NI_PAM_USERGRP) +#define NI_PAM_NEW NI_PAM_HOSTSVC + +extern AttributeDescription *nssov_pam_host_ad; +extern AttributeDescription *nssov_pam_svc_ad; + +/* Read the default configuration file. */ +void nssov_cfg_init(nssov_info *ni,const char *fname); + +/* macros for basic read and write operations, the following + ERROR_OUT* marcos define the action taken on errors + the stream is not closed because the caller closes the + stream */ + +#define ERROR_OUT_WRITEERROR(fp) \ + Debug(LDAP_DEBUG_ANY,"nssov: error writing to client\n",0,0,0); \ + return -1; + +#define ERROR_OUT_READERROR(fp) \ + Debug(LDAP_DEBUG_ANY,"nssov: error reading from client\n",0,0,0); \ + return -1; + +#define ERROR_OUT_BUFERROR(fp) \ + Debug(LDAP_DEBUG_ANY,"nssov: client supplied argument too large\n",0,0,0); \ + return -1; + +#define WRITE_BERVAL(fp, bv) \ + DEBUG_PRINT("WRITE_BERVAL: var="__STRING(bv)" bv_val=\"%s\"", (bv)->bv_val); \ + if ((bv) == NULL) \ + { \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + WRITE_INT32(fp, (bv)->bv_len); \ + tmpint32 = ntohl(tmpint32); \ + if (tmpint32 > 0) \ + { \ + WRITE(fp, (bv)->bv_val, tmpint32); \ + } \ + } \ + +#define WRITE_BVARRAY(fp, arr) \ + if ((arr) == NULL) \ + { \ + DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", 0); \ + WRITE_INT32(fp, 0); \ + } \ + else \ + { \ + /* first determine length of array */ \ + for (tmp3int32 = 0; (arr)[tmp3int32].bv_val != NULL; tmp3int32++) \ + /* nothing */ ; \ + /* write number of strings */ \ + DEBUG_PRINT("WRITE_BVARRAY: var="__STRING(arr)" num=%d", (int)tmp3int32); \ + WRITE_INT32(fp, tmp3int32); \ + /* write strings */ \ + for (tmp2int32 = 0; tmp2int32 < tmp3int32; tmp2int32++) \ + { \ + WRITE_BERVAL(fp, &(arr)[tmp2int32]); \ + } \ + } \ + +/* Find the given attribute's value in the RDN of the DN. */ +void nssov_find_rdnval(struct berval *dn,AttributeDescription *ad,struct berval *value); + +/* This tries to get the user password attribute from the entry. + It will try to return an encrypted password as it is used in /etc/passwd, + /etc/group or /etc/shadow depending upon what is in the directory. + This function will return NULL if no passwd is found and will return the + literal value in the directory if conversion is not possible. */ +void get_userpassword(struct berval *attr, struct berval *pw); + +/* write out an address, parsing the addr value */ +int write_address(TFILE *fp,struct berval *addr); + +/* a helper macro to write out addresses and bail out on errors */ +#define WRITE_ADDRESS(fp,addr) \ + if (write_address(fp,addr)) \ + return -1; + +/* read an address from the stream */ +int read_address(TFILE *fp,char *addr,int *addrlen,int *af); + +/* helper macro to read an address from the stream */ +#define READ_ADDRESS(fp,addr,len,af) \ + len=(int)sizeof(addr); \ + if (read_address(fp,addr,&(len),&(af))) \ + return -1; + +/* checks to see if the specified string is a valid username */ +int isvalidusername(struct berval *name); + +/* transforms the DN into a uid doing an LDAP lookup if needed */ +int nssov_dn2uid(Operation *op,nssov_info *ni,struct berval *dn,struct berval *uid); + +/* transforms the uid into a DN by doing an LDAP lookup */ +int nssov_uid2dn(Operation *op,nssov_info *ni,struct berval *uid,struct berval *dn); +int nssov_name2dn_cb(Operation *op, SlapReply *rs); + +/* Escapes characters in a string for use in a search filter. */ +int nssov_escape(struct berval *src,struct berval *dst); + +int nssov_filter_byname(nssov_mapinfo *mi,int key,struct berval *name,struct berval *buf); +int nssov_filter_byid(nssov_mapinfo *mi,int key,struct berval *id,struct berval *buf); + +void nssov_alias_init(nssov_info *ni); +void nssov_ether_init(nssov_info *ni); +void nssov_group_init(nssov_info *ni); +void nssov_host_init(nssov_info *ni); +void nssov_netgroup_init(nssov_info *ni); +void nssov_network_init(nssov_info *ni); +void nssov_passwd_init(nssov_info *ni); +void nssov_protocol_init(nssov_info *ni); +void nssov_rpc_init(nssov_info *ni); +void nssov_service_init(nssov_info *ni); +void nssov_shadow_init(nssov_info *ni); + +int nssov_pam_init(void); + +/* these are the different functions that handle the database + specific actions, see nslcd.h for the action descriptions */ +int nssov_alias_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_alias_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_ether_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_ether_byether(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_ether_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_group_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_group_bygid(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_group_bymember(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_group_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_host_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_host_byaddr(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_host_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_netgroup_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_network_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_network_byaddr(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_network_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_passwd_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_passwd_byuid(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_passwd_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_protocol_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_protocol_bynumber(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_protocol_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_rpc_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_rpc_bynumber(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_rpc_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_service_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op); +int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op); +int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid); +int pam_authz(nssov_info *ni,TFILE *fp,Operation *op); +int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op); +int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op); +int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid); + +/* config initialization */ +#define NSSOV_INIT(db) \ + void nssov_##db##_init(nssov_info *ni) \ + { \ + nssov_mapinfo *mi = &ni->ni_maps[NM_##db]; \ + int i; \ + for (i=0;!BER_BVISNULL(&db##_keys[i]);i++); \ + i++; \ + mi->mi_attrs = ch_malloc( i*sizeof(AttributeName)); \ + for (i=0;!BER_BVISNULL(&db##_keys[i]);i++) { \ + mi->mi_attrs[i].an_name = db##_keys[i]; \ + mi->mi_attrs[i].an_desc = NULL; \ + } \ + mi->mi_scope = LDAP_SCOPE_DEFAULT; \ + mi->mi_filter0 = db##_filter; \ + ber_dupbv( &mi->mi_filter, &mi->mi_filter0 ); \ + mi->mi_filter = db##_filter; \ + mi->mi_attrkeys = db##_keys; \ + BER_BVZERO(&mi->mi_base); \ + } + +/* param structure for search callback */ +#define NSSOV_CBPRIV(db,parms) \ + typedef struct nssov_##db##_cbp { \ + nssov_mapinfo *mi; \ + TFILE *fp; \ + Operation *op; \ + parms \ + } nssov_##db##_cbp + +/* callback for writing search results */ +#define NSSOV_CB(db) \ + static int nssov_##db##_cb(Operation *op, SlapReply *rs) \ + { \ + if ( rs->sr_type == REP_SEARCH ) { \ + nssov_##db##_cbp *cbp = op->o_callback->sc_private; \ + if (write_##db(cbp,rs->sr_entry)) return LDAP_OTHER; \ + } \ + return LDAP_SUCCESS; \ + } \ + +/* macro for generating service handling code */ +#define NSSOV_HANDLE(db,fn,readfn,logcall,action,mkfilter) \ + int nssov_##db##_##fn(nssov_info *ni,TFILE *fp,Operation *op) \ + { \ + /* define common variables */ \ + int32_t tmpint32; \ + nssov_##db##_cbp cbp; \ + slap_callback cb = {0}; \ + SlapReply rs = {REP_RESULT}; \ + cbp.mi = &ni->ni_maps[NM_##db]; \ + cbp.fp = fp; \ + cbp.op = op; \ + /* read request parameters */ \ + readfn; \ + /* log call */ \ + logcall; \ + /* write the response header */ \ + WRITE_INT32(fp,NSLCD_VERSION); \ + WRITE_INT32(fp,action); \ + /* prepare the search filter */ \ + if (mkfilter) \ + { \ + Debug(LDAP_DEBUG_ANY,"nssov_" __STRING(db) "_" __STRING(fn) "(): filter buffer too small",0,0,0); \ + return -1; \ + } \ + cb.sc_private = &cbp; \ + op->o_callback = &cb; \ + cb.sc_response = nssov_##db##_cb; \ + slap_op_time( &op->o_time, &op->o_tincr ); \ + op->o_req_dn = cbp.mi->mi_base; \ + op->o_req_ndn = cbp.mi->mi_base; \ + op->ors_scope = cbp.mi->mi_scope; \ + op->ors_filterstr = filter; \ + op->ors_filter = str2filter_x( op, filter.bv_val ); \ + op->ors_attrs = cbp.mi->mi_attrs; \ + op->ors_tlimit = SLAP_NO_LIMIT; \ + op->ors_slimit = SLAP_NO_LIMIT; \ + /* do the internal search */ \ + op->o_bd->be_search( op, &rs ); \ + filter_free_x( op, op->ors_filter, 1 ); \ + WRITE_INT32(fp,NSLCD_RESULT_END); \ + return 0; \ + } + +#endif /* NSSOV_H */ diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c new file mode 100644 index 0000000..e4eb3d2 --- /dev/null +++ b/contrib/slapd-modules/nssov/pam.c @@ -0,0 +1,864 @@ +/* pam.c - pam processing routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * Portions Copyright 2013 by Ted C. Cheng, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "nssov.h" +#include "lutil.h" + +#undef ldap_debug /* silence a warning in ldap-int.h */ +#include "../../../libraries/libldap/ldap-int.h" /* for ldap_ld_free */ + +static int ppolicy_cid; +static AttributeDescription *ad_loginStatus; + +struct paminfo { + struct berval uid; + struct berval dn; + struct berval svc; + struct berval ruser; + struct berval rhost; + struct berval tty; + struct berval pwd; + int authz; + struct berval msg; + int ispwdmgr; +}; + +static int pam_bindcb( + Operation *op, SlapReply *rs) +{ + struct paminfo *pi = op->o_callback->sc_private; + LDAPControl *ctrl = ldap_control_find(LDAP_CONTROL_PASSWORDPOLICYRESPONSE, + rs->sr_ctrls, NULL); + if (ctrl) { + LDAP *ld; + ber_int_t expire, grace; + LDAPPasswordPolicyError error; + + ldap_create(&ld); + if (ld) { + int rc = ldap_parse_passwordpolicy_control(ld,ctrl, + &expire,&grace,&error); + if (rc == LDAP_SUCCESS) { + if (expire >= 0) { + char *unit = "seconds"; + if (expire > 60) { + expire /= 60; + unit = "minutes"; + } + if (expire > 60) { + expire /= 60; + unit = "hours"; + } + if (expire > 24) { + expire /= 24; + unit = "days"; + } +#if 0 /* Who warns about expiration so far in advance? */ + if (expire > 7) { + expire /= 7; + unit = "weeks"; + } + if (expire > 4) { + expire /= 4; + unit = "months"; + } + if (expire > 12) { + expire /= 12; + unit = "years"; + } +#endif + pi->msg.bv_len = sprintf(pi->msg.bv_val, + "\nWARNING: Password expires in %d %s\n", expire, unit); + } else if (grace > 0) { + pi->msg.bv_len = sprintf(pi->msg.bv_val, + "Password expired; %d grace logins remaining", + grace); + pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD; + } else if (error != PP_noError) { + ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0, + &pi->msg); + switch (error) { + case PP_passwordExpired: + /* report this during authz */ + rs->sr_err = LDAP_SUCCESS; + /* fallthru */ + case PP_changeAfterReset: + pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD; + } + } + } + ldap_ld_free(ld,0,NULL,NULL); + } + } + return LDAP_SUCCESS; +} + +static int pam_uid2dn(nssov_info *ni, Operation *op, + struct paminfo *pi) +{ + struct berval sdn; + + BER_BVZERO(&pi->dn); + + if (!isvalidusername(&pi->uid)) { + Debug(LDAP_DEBUG_ANY,"nssov_pam_uid2dn(%s): invalid user name\n", + pi->uid.bv_val ? pi->uid.bv_val : "NULL",0,0); + return NSLCD_PAM_USER_UNKNOWN; + } + + if (ni->ni_pam_opts & NI_PAM_SASL2DN) { + int hlen = global_host_bv.bv_len; + + /* cn=<service>+uid=<user>,cn=<host>,cn=pam,cn=auth */ + sdn.bv_len = pi->uid.bv_len + pi->svc.bv_len + hlen + + STRLENOF( "cn=+uid=,cn=,cn=pam,cn=auth" ); + sdn.bv_val = op->o_tmpalloc( sdn.bv_len + 1, op->o_tmpmemctx ); + sprintf(sdn.bv_val, "cn=%s+uid=%s,cn=%s,cn=pam,cn=auth", + pi->svc.bv_val, pi->uid.bv_val, global_host_bv.bv_val); + slap_sasl2dn(op, &sdn, &pi->dn, 0); + op->o_tmpfree( sdn.bv_val, op->o_tmpmemctx ); + } + + /* If no luck, do a basic uid search */ + if (BER_BVISEMPTY(&pi->dn) && (ni->ni_pam_opts & NI_PAM_UID2DN)) { + nssov_uid2dn(op, ni, &pi->uid, &pi->dn); + if (!BER_BVISEMPTY(&pi->dn)) { + sdn = pi->dn; + dnNormalize( 0, NULL, NULL, &sdn, &pi->dn, op->o_tmpmemctx ); + } + } + if (BER_BVISEMPTY(&pi->dn)) { + return NSLCD_PAM_USER_UNKNOWN; + } + return 0; +} + +int pam_do_bind(nssov_info *ni,TFILE *fp,Operation *op, + struct paminfo *pi) +{ + int rc; + slap_callback cb = {0}; + SlapReply rs = {REP_RESULT}; + + pi->msg.bv_val = pi->pwd.bv_val; + pi->msg.bv_len = 0; + pi->authz = NSLCD_PAM_SUCCESS; + + if (!pi->ispwdmgr) { + + rc = pam_uid2dn(ni, op, pi); + if (rc) goto finish; + + if (BER_BVISEMPTY(&pi->pwd)) { + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } + + /* Should only need to do this once at open time, but there's always + * the possibility that ppolicy will get loaded later. + */ + if (!ppolicy_cid) { + rc = slap_find_control_id(LDAP_CONTROL_PASSWORDPOLICYREQUEST, + &ppolicy_cid); + } + /* of course, 0 is a valid cid, but it won't be ppolicy... */ + if (ppolicy_cid) { + op->o_ctrlflag[ppolicy_cid] = SLAP_CONTROL_NONCRITICAL; + } + } + + cb.sc_response = pam_bindcb; + cb.sc_private = pi; + op->o_callback = &cb; + op->o_dn.bv_val[0] = 0; + op->o_dn.bv_len = 0; + op->o_ndn.bv_val[0] = 0; + op->o_ndn.bv_len = 0; + op->o_tag = LDAP_REQ_BIND; + op->o_protocol = LDAP_VERSION3; + op->orb_method = LDAP_AUTH_SIMPLE; + op->orb_cred = pi->pwd; + op->o_req_dn = pi->dn; + op->o_req_ndn = pi->dn; + slap_op_time( &op->o_time, &op->o_tincr ); + rc = op->o_bd->be_bind( op, &rs ); + memset(pi->pwd.bv_val,0,pi->pwd.bv_len); + /* quirk: on successful bind, caller has to send result. we need + * to make sure callbacks run. + */ + if (rc == LDAP_SUCCESS) + send_ldap_result(op, &rs); + switch(rs.sr_err) { + case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break; + case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break; + default: rc = NSLCD_PAM_AUTH_ERR; break; + } +finish: + Debug(LDAP_DEBUG_ANY,"pam_do_bind (%s): rc (%d)\n", + pi->dn.bv_val ? pi->dn.bv_val : "NULL", rc, 0); + return rc; +} + +int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid) +{ + int32_t tmpint32; + int rc; + char uidc[32]; + char svcc[256]; + char ruserc[32]; + char rhostc[256]; + char ttyc[256]; + char pwdc[256]; + struct paminfo pi; + + + READ_STRING(fp,uidc); + pi.uid.bv_val = uidc; + pi.uid.bv_len = tmpint32; + READ_STRING(fp,svcc); + pi.svc.bv_val = svcc; + pi.svc.bv_len = tmpint32; + READ_STRING(fp,ruserc); + pi.ruser.bv_val = ruserc; + pi.ruser.bv_len = tmpint32; + READ_STRING(fp,rhostc); + pi.rhost.bv_val = rhostc; + pi.rhost.bv_len = tmpint32; + READ_STRING(fp,ttyc); + pi.tty.bv_val = ttyc; + pi.tty.bv_len = tmpint32; + READ_STRING(fp,pwdc); + pi.pwd.bv_val = pwdc; + pi.pwd.bv_len = tmpint32; + + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s)\n", + pi.uid.bv_val ? pi.uid.bv_val : "NULL",0,0); + + BER_BVZERO(&pi.msg); + pi.ispwdmgr = 0; + + /* if service is "passwd" and "nssov-pam-password-prohibit-message */ + /* is set, deny the auth request */ + if (!strcmp(svcc, "passwd") && + !BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(): %s (%s)\n", + "password_prohibit_message for passwd", + ni->ni_pam_password_prohibit_message.bv_val,0); + ber_str2bv(ni->ni_pam_password_prohibit_message.bv_val, 0, 0, &pi.msg); + pi.authz = NSLCD_PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } + + /* if username is null, pwdmgr password preliminary check */ + if (BER_BVISEMPTY(&pi.uid)) { + if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) { + /* pwdmgr dn not configured */ + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n", + "pwdmgr dn not configured", 0, 0); + ber_str2bv("pwdmgr dn not configured", 0, 0, &pi.msg); + pi.authz = NSLCD_PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } else if (calleruid != 0) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n", + "caller is not root", 0, 0); + ber_str2bv("only root may do that", 0, 0, &pi.msg); + pi.authz = NSLCD_PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } else { + /* use pwdmgr dn */ + ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn); + } + + /* use pwdmgr pwd if configured */ + if (BER_BVISEMPTY(&pi.pwd)) { + if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_pwd)) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n", + "no pwdmgr pwd", 0, 0); + ber_str2bv("pwdmgr pwd not configured", 0, 0, &pi.msg); + pi.authz = NSLCD_PAM_PERM_DENIED; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } + /* use configured pwdmgr pwd */ + memset((void *) pwdc, 0, 256); + strncpy(pi.pwd.bv_val, ni->ni_pam_pwdmgr_pwd.bv_val, + ni->ni_pam_pwdmgr_pwd.bv_len); + pi.pwd.bv_len = ni->ni_pam_pwdmgr_pwd.bv_len; + } + pi.ispwdmgr = 1; + } + + + rc = pam_do_bind(ni, fp, op, &pi); + +finish: + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(%s): rc (%d)\n", + pi.dn.bv_val ? pi.dn.bv_val : "NULL",rc,0); + WRITE_INT32(fp,NSLCD_VERSION); + WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC); + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + WRITE_INT32(fp,rc); + WRITE_BERVAL(fp,&pi.uid); + WRITE_INT32(fp,pi.authz); /* authz */ + WRITE_BERVAL(fp,&pi.msg); /* authzmsg */ + WRITE_INT32(fp,NSLCD_RESULT_END); + return 0; +} + +static struct berval grpmsg = + BER_BVC("Access denied by group check"); +static struct berval hostmsg = + BER_BVC("Access denied for this host"); +static struct berval svcmsg = + BER_BVC("Access denied for this service"); +static struct berval uidmsg = + BER_BVC("Access denied by UID check"); + +static int pam_compare_cb(Operation *op, SlapReply *rs) +{ + if (rs->sr_err == LDAP_COMPARE_TRUE) + op->o_callback->sc_private = (void *)1; + return LDAP_SUCCESS; +} + +int pam_authz(nssov_info *ni,TFILE *fp,Operation *op) +{ + struct berval authzmsg = BER_BVNULL; + int32_t tmpint32; + char uidc[32]; + char svcc[256]; + char ruserc[32]; + char rhostc[256]; + char ttyc[256]; + int rc; + struct paminfo pi; + Entry *e = NULL; + Attribute *a; + slap_callback cb = {0}; + + READ_STRING(fp,uidc); + pi.uid.bv_val = uidc; + pi.uid.bv_len = tmpint32; + READ_STRING(fp,svcc); + pi.svc.bv_val = svcc; + pi.svc.bv_len = tmpint32; + READ_STRING(fp,ruserc); + pi.ruser.bv_val = ruserc; + pi.ruser.bv_len = tmpint32; + READ_STRING(fp,rhostc); + pi.rhost.bv_val = rhostc; + pi.rhost.bv_len = tmpint32; + READ_STRING(fp,ttyc); + pi.tty.bv_val = ttyc; + pi.tty.bv_len = tmpint32; + + rc = pam_uid2dn(ni, op, &pi); + if (rc) goto finish; + + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(%s)\n", + pi.dn.bv_val ? pi.dn.bv_val : "NULL",0,0); + + /* See if they have access to the host and service */ + if ((ni->ni_pam_opts & NI_PAM_HOSTSVC) && nssov_pam_svc_ad) { + AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; + struct berval hostdn = BER_BVNULL; + struct berval odn = op->o_ndn; + SlapReply rs = {REP_RESULT}; + op->o_dn = pi.dn; + op->o_ndn = pi.dn; + { + nssov_mapinfo *mi = &ni->ni_maps[NM_host]; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf),fbuf}; + SlapReply rs2 = {REP_RESULT}; + + /* Lookup the host entry */ + nssov_filter_byname(mi,0,&global_host_bv,&filter); + cb.sc_private = &hostdn; + cb.sc_response = nssov_name2dn_cb; + op->o_callback = &cb; + op->o_req_dn = mi->mi_base; + op->o_req_ndn = mi->mi_base; + op->ors_scope = mi->mi_scope; + op->ors_filterstr = filter; + op->ors_filter = str2filter_x(op, filter.bv_val); + op->ors_attrs = slap_anlist_no_attrs; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = 2; + rc = op->o_bd->be_search(op, &rs2); + filter_free_x(op, op->ors_filter, 1); + + if (BER_BVISEMPTY(&hostdn) && + !BER_BVISEMPTY(&ni->ni_pam_defhost)) { + filter.bv_len = sizeof(fbuf); + filter.bv_val = fbuf; + rs_reinit(&rs2, REP_RESULT); + nssov_filter_byname(mi,0,&ni->ni_pam_defhost,&filter); + op->ors_filterstr = filter; + op->ors_filter = str2filter_x(op, filter.bv_val); + rc = op->o_bd->be_search(op, &rs2); + filter_free_x(op, op->ors_filter, 1); + } + + /* no host entry, no default host -> deny */ + if (BER_BVISEMPTY(&hostdn)) { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = hostmsg; + goto finish; + } + } + + cb.sc_response = pam_compare_cb; + cb.sc_private = NULL; + op->o_tag = LDAP_REQ_COMPARE; + op->o_req_dn = hostdn; + op->o_req_ndn = hostdn; + ava.aa_desc = nssov_pam_svc_ad; + ava.aa_value = pi.svc; + op->orc_ava = &ava; + rc = op->o_bd->be_compare( op, &rs ); + if ( cb.sc_private == NULL ) { + authzmsg = svcmsg; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } + op->o_dn = odn; + op->o_ndn = odn; + } + + /* See if they're a member of the group */ + if ((ni->ni_pam_opts & NI_PAM_USERGRP) && + !BER_BVISEMPTY(&ni->ni_pam_group_dn) && + ni->ni_pam_group_ad) { + AttributeAssertion ava = ATTRIBUTEASSERTION_INIT; + SlapReply rs = {REP_RESULT}; + op->o_callback = &cb; + cb.sc_response = pam_compare_cb; + cb.sc_private = NULL; + op->o_tag = LDAP_REQ_COMPARE; + op->o_req_dn = ni->ni_pam_group_dn; + op->o_req_ndn = ni->ni_pam_group_dn; + ava.aa_desc = ni->ni_pam_group_ad; + ava.aa_value = pi.dn; + op->orc_ava = &ava; + rc = op->o_bd->be_compare( op, &rs ); + if ( cb.sc_private == NULL ) { + authzmsg = grpmsg; + rc = NSLCD_PAM_PERM_DENIED; + goto finish; + } + } + + /* We need to check the user's entry for these bits */ + if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) || + ni->ni_pam_template_ad || + ni->ni_pam_min_uid || ni->ni_pam_max_uid ) { + rc = be_entry_get_rw( op, &pi.dn, NULL, NULL, 0, &e ); + if (rc != LDAP_SUCCESS) { + rc = NSLCD_PAM_USER_UNKNOWN; + goto finish; + } + } + if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) { + a = attr_find(e->e_attrs, nssov_pam_host_ad); + if (!a || attr_valfind( a, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_VALUE_OF_SYNTAX, + &global_host_bv, NULL, op->o_tmpmemctx )) { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = hostmsg; + goto finish; + } + } + if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) { + a = attr_find(e->e_attrs, nssov_pam_svc_ad); + if (!a || attr_valfind( a, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_VALUE_OF_SYNTAX, + &pi.svc, NULL, op->o_tmpmemctx )) { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = svcmsg; + goto finish; + } + } + +/* from passwd.c */ +#define UIDN_KEY 2 + + if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) { + int id; + char *tmp; + nssov_mapinfo *mi = &ni->ni_maps[NM_passwd]; + a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc); + if (!a) { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = uidmsg; + goto finish; + } + id = (int)strtol(a->a_vals[0].bv_val,&tmp,0); + if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = uidmsg; + goto finish; + } + if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) || + (ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) { + rc = NSLCD_PAM_PERM_DENIED; + authzmsg = uidmsg; + goto finish; + } + } + + if (ni->ni_pam_template_ad) { + a = attr_find(e->e_attrs, ni->ni_pam_template_ad); + if (a) + pi.uid = a->a_vals[0]; + else if (!BER_BVISEMPTY(&ni->ni_pam_template)) + pi.uid = ni->ni_pam_template; + } + rc = NSLCD_PAM_SUCCESS; + +finish: + WRITE_INT32(fp,NSLCD_VERSION); + WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHZ); + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + WRITE_INT32(fp,rc); + WRITE_BERVAL(fp,&authzmsg); + WRITE_INT32(fp,NSLCD_RESULT_END); + if (e) { + be_entry_release_r(op, e); + } + switch (rc) { + case NSLCD_PAM_SUCCESS: + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(): success\n", 0,0,0); + break; + case NSLCD_PAM_PERM_DENIED: + Debug(LDAP_DEBUG_TRACE,"nssov_pam_authz(): %s\n", + authzmsg.bv_val ? authzmsg.bv_val : "NULL",0,0); + break; + default: + Debug(LDAP_DEBUG_TRACE, + "nssov_pam_authz(): permission denied, rc (%d)\n", + rc, 0, 0); + } + return 0; +} + +static int pam_sess(nssov_info *ni,TFILE *fp,Operation *op,int action) +{ + int32_t tmpint32; + char svcc[256]; + char uidc[32]; + char ttyc[32]; + char rhostc[256]; + char ruserc[32]; + char sessionID[64]; + struct paminfo pi; + slap_callback cb = {0}; + SlapReply rs = {REP_RESULT}; + char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE]; + struct berval timestamp, bv[2], *nbv; + time_t stamp; + Modifications mod; + int rc = 0; + + READ_STRING(fp,uidc); + pi.uid.bv_val = uidc; + pi.uid.bv_len = tmpint32; + READ_STRING(fp,svcc); + pi.svc.bv_val = svcc; + pi.svc.bv_len = tmpint32; + READ_STRING(fp,ruserc); + pi.ruser.bv_val = ruserc; + pi.ruser.bv_len = tmpint32; + READ_STRING(fp,rhostc); + pi.rhost.bv_val = rhostc; + pi.rhost.bv_len = tmpint32; + READ_STRING(fp,ttyc); + pi.tty.bv_val = ttyc; + pi.tty.bv_len = tmpint32; + + if (action==NSLCD_ACTION_PAM_SESS_O) { + slap_op_time( &op->o_time, &op->o_tincr ); + timestamp.bv_len = sizeof(timebuf); + timestamp.bv_val = timebuf; + stamp = op->o_time; + slap_timestamp( &stamp, ×tamp ); + } else { + READ_STRING(fp,sessionID); + timestamp.bv_val = sessionID; + timestamp.bv_len = tmpint32; + } + + rc = pam_uid2dn(ni, op, &pi); + if (rc) goto done; + + Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(%s)\n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', pi.dn.bv_val,0); + + if (!ni->ni_pam_sessions) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_sess_%c(): %s\n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', + "pam session(s) not configured, ignored",0); + rc = -1; + goto done; + } + + { + int i, found=0; + for (i=0; !BER_BVISNULL(&ni->ni_pam_sessions[i]); i++) { + if (ni->ni_pam_sessions[i].bv_len != pi.svc.bv_len) + continue; + if (!strcasecmp(ni->ni_pam_sessions[i].bv_val, pi.svc.bv_val)) { + found = 1; + break; + } + } + if (!found) { + Debug(LDAP_DEBUG_TRACE, + "nssov_pam_sess_%c(): service(%s) not configured, ignored\n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', + pi.svc.bv_val,0); + rc = -1; + goto done; + } + } + + bv[0].bv_len = timestamp.bv_len + global_host_bv.bv_len + pi.svc.bv_len + + pi.tty.bv_len + pi.ruser.bv_len + pi.rhost.bv_len + STRLENOF(" (@)"); + bv[0].bv_val = op->o_tmpalloc( bv[0].bv_len+1, op->o_tmpmemctx ); + sprintf(bv[0].bv_val, "%s %s %s %s (%s@%s)", + timestamp.bv_val, global_host_bv.bv_val, pi.svc.bv_val, pi.tty.bv_val, + pi.ruser.bv_val, pi.rhost.bv_val); + + Debug(LDAP_DEBUG_TRACE, "nssov_pam_sess_%c(): loginStatus (%s) \n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', bv[0].bv_val,0); + + mod.sml_numvals = 1; + mod.sml_values = bv; + BER_BVZERO(&bv[1]); + attr_normalize( ad_loginStatus, bv, &nbv, op->o_tmpmemctx ); + mod.sml_nvalues = nbv; + mod.sml_desc = ad_loginStatus; + mod.sml_op = action == NSLCD_ACTION_PAM_SESS_O ? LDAP_MOD_ADD : + LDAP_MOD_DELETE; + mod.sml_flags = SLAP_MOD_INTERNAL; + mod.sml_next = NULL; + + cb.sc_response = slap_null_cb; + op->o_callback = &cb; + op->o_tag = LDAP_REQ_MODIFY; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + op->orm_modlist = &mod; + op->orm_no_opattrs = 1; + op->o_req_dn = pi.dn; + op->o_req_ndn = pi.dn; + if (op->o_bd->be_modify( op, &rs ) != LDAP_SUCCESS) { + Debug(LDAP_DEBUG_TRACE, + "nssov_pam_sess_%c(): modify op failed\n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', + 0,0); + rc = -1; + } + + if ( mod.sml_next ) { + slap_mods_free( mod.sml_next, 1 ); + } + ber_bvarray_free_x( nbv, op->o_tmpmemctx ); + +done:; + + if (rc == 0) { + Debug(LDAP_DEBUG_TRACE, + "nssov_pam_sess_%c(): success\n", + action==NSLCD_ACTION_PAM_SESS_O ? 'o' : 'c', + 0,0); + } + WRITE_INT32(fp,NSLCD_VERSION); + WRITE_INT32(fp,action); + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + if (action==NSLCD_ACTION_PAM_SESS_O) + WRITE_STRING(fp,timestamp.bv_val); + WRITE_INT32(fp,NSLCD_RESULT_END); + return 0; +} + +int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op) +{ + return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_O); +} + +int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op) +{ + return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C); +} + +int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid) +{ + struct berval npw; + int32_t tmpint32; + char uidc[32]; + char svcc[256]; + char ruserc[32]; + char rhostc[256]; + char ttyc[256]; + int asroot; + char opwc[256]; + char npwc[256]; + struct paminfo pi; + int rc; + + READ_STRING(fp,uidc); + pi.uid.bv_val = uidc; + pi.uid.bv_len = tmpint32; + READ_STRING(fp,svcc); + pi.svc.bv_val = svcc; + pi.svc.bv_len = tmpint32; + READ_STRING(fp,ruserc); + pi.ruser.bv_val = svcc; + pi.ruser.bv_len = tmpint32; + READ_STRING(fp,rhostc); + pi.rhost.bv_val = svcc; + pi.rhost.bv_len = tmpint32; + READ_STRING(fp,ttyc); + pi.tty.bv_val = svcc; + pi.tty.bv_len = tmpint32; + READ_INT32(fp, asroot); + READ_STRING(fp,opwc); + pi.pwd.bv_val = opwc; + pi.pwd.bv_len = tmpint32; + READ_STRING(fp,npwc); + npw.bv_val = npwc; + npw.bv_len = tmpint32; + + rc = pam_uid2dn(ni, op, &pi); + if (rc) goto done; + + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(%s), %s %s\n", + pi.dn.bv_val ? pi.dn.bv_val : "NULL", + pi.uid.bv_val ? pi.uid.bv_val : "NULL", + asroot ? "as root" : "as user"); + + BER_BVZERO(&pi.msg); + pi.ispwdmgr = 0; + + /* nssov_pam prohibits password mod */ + if (!BER_BVISEMPTY(&ni->ni_pam_password_prohibit_message)) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s (%s)\n", + "password_prohibit_message", + ni->ni_pam_password_prohibit_message.bv_val,0); + ber_str2bv(ni->ni_pam_password_prohibit_message.bv_val, 0, 0, &pi.msg); + rc = NSLCD_PAM_PERM_DENIED; + goto done; + } + + if (asroot) { + if (BER_BVISEMPTY(&ni->ni_pam_pwdmgr_dn)) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n", + "pwdmgr not configured", 0, 0); + ber_str2bv("pwdmgr not configured", 0, 0, &pi.msg); + rc = NSLCD_PAM_PERM_DENIED; + goto done; + } + if (calleruid != 0) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n", + "caller is not root", 0, 0); + ber_str2bv("only root may do that", 0, 0, &pi.msg); + rc = NSLCD_PAM_PERM_DENIED; + goto done; + } + /* root user requesting pwmod */ + pi.ispwdmgr = 1; + } + + if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) { + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n", + "not pwdmgr and old pwd empty", 0, 0); + ber_str2bv("must provide old password", 0, 0, &pi.msg); + rc = NSLCD_PAM_PERM_DENIED; + goto done; + } + + BerElementBuffer berbuf; + BerElement *ber = (BerElement *)&berbuf; + struct berval bv; + SlapReply rs = {REP_RESULT}; + slap_callback cb = {0}; + + ber_init_w_nullc(ber, LBER_USE_DER); + ber_printf(ber, "{"); + if (!BER_BVISEMPTY(&pi.dn)) + ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, + &pi.dn); + /* supply old pwd whenever it's given */ + if (!BER_BVISEMPTY(&pi.pwd)) + ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, + &pi.pwd); + if (!BER_BVISEMPTY(&npw)) + ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, + &npw); + ber_printf(ber, "N}"); + ber_flatten2(ber, &bv, 0); + op->o_tag = LDAP_REQ_EXTENDED; + op->ore_reqoid = slap_EXOP_MODIFY_PASSWD; + op->ore_reqdata = &bv; + + if (pi.ispwdmgr) { + /* root user changing end-user passwords */ + op->o_dn = ni->ni_pam_pwdmgr_dn; + op->o_ndn = ni->ni_pam_pwdmgr_dn; + } else { + /* end-user self-pwd-mod */ + op->o_dn = pi.dn; + op->o_ndn = pi.dn; + } + op->o_callback = &cb; + op->o_conn->c_authz_backend = op->o_bd; + cb.sc_response = slap_null_cb; + op->o_bd = frontendDB; + rc = op->o_bd->be_extended(op, &rs); + if (rs.sr_text) + ber_str2bv(rs.sr_text, 0, 0, &pi.msg); + if (rc == LDAP_SUCCESS) + rc = NSLCD_PAM_SUCCESS; + else + rc = NSLCD_PAM_PERM_DENIED; + +done:; + Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), rc (%d)\n", rc, 0, 0); + WRITE_INT32(fp,NSLCD_VERSION); + WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD); + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); + WRITE_INT32(fp,rc); + WRITE_BERVAL(fp,&pi.msg); + return 0; +} + +int nssov_pam_init() +{ + int code = 0; + const char *text; + if (!ad_loginStatus) + code = slap_str2ad("loginStatus", &ad_loginStatus, &text); + + return code; +} diff --git a/contrib/slapd-modules/nssov/passwd.c b/contrib/slapd-modules/nssov/passwd.c new file mode 100644 index 0000000..6e141ca --- /dev/null +++ b/contrib/slapd-modules/nssov/passwd.c @@ -0,0 +1,435 @@ +/* passwd.c - password lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY + * DESC 'Abstraction of an account with POSIX attributes' + * MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + * MAY ( userPassword $ loginShell $ gecos $ description ) ) + */ + +/* the basic search filter for searches */ +static struct berval passwd_filter = BER_BVC("(objectClass=posixAccount)"); + +/* the attributes used in searches */ +static struct berval passwd_keys[] = { + BER_BVC("uid"), + BER_BVC("userPassword"), + BER_BVC("uidNumber"), + BER_BVC("gidNumber"), + BER_BVC("gecos"), + BER_BVC("cn"), + BER_BVC("homeDirectory"), + BER_BVC("loginShell"), + BER_BVC("objectClass"), + BER_BVNULL +}; + +#define UID_KEY 0 +#define PWD_KEY 1 +#define UIDN_KEY 2 +#define GIDN_KEY 3 +#define GEC_KEY 4 +#define CN_KEY 5 +#define DIR_KEY 6 +#define SHL_KEY 7 + +/* default values for attributes */ +static struct berval default_passwd_userPassword = BER_BVC("*"); /* unmatchable */ +static struct berval default_passwd_homeDirectory = BER_BVC(""); +static struct berval default_passwd_loginShell = BER_BVC(""); + +static struct berval shadow_passwd = BER_BVC("x"); + +NSSOV_INIT(passwd) + +/* + Checks to see if the specified name is a valid user name. + + This test is based on the definition from POSIX (IEEE Std 1003.1, 2004, 3.426 User Name + and 3.276 Portable Filename Character Set): + http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_426 + http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276 + + The standard defines user names valid if they contain characters from + the set [A-Za-z0-9._-] where the hyphen should not be used as first + character. As an extension this test allows the dolar '$' sign as the last + character to support Samba special accounts. +*/ +int isvalidusername(struct berval *bv) +{ + int i; + char *name = bv->bv_val; + if ((name==NULL)||(name[0]=='\0')) + return 0; + /* check first character */ + if ( ! ( (name[0]>='A' && name[0] <= 'Z') || + (name[0]>='a' && name[0] <= 'z') || + (name[0]>='0' && name[0] <= '9') || + name[0]=='.' || name[0]=='_' ) ) + return 0; + /* check other characters */ + for (i=1;i<bv->bv_len;i++) + { + if ( name[i]=='$' ) + { + /* if the char is $ we require it to be the last char */ + if (name[i+1]!='\0') + return 0; + } + else if ( ! ( (name[i]>='A' && name[i] <= 'Z') || + (name[i]>='a' && name[i] <= 'z') || + (name[i]>='0' && name[i] <= '9') || + name[i]=='.' || name[i]=='_' || name[i]=='-') ) + return 0; + } + /* no test failed so it must be good */ + return -1; +} + +/* return 1 on success */ +int nssov_dn2uid(Operation *op,nssov_info *ni,struct berval *dn,struct berval *uid) +{ + nssov_mapinfo *mi = &ni->ni_maps[NM_passwd]; + AttributeDescription *ad = mi->mi_attrs[UID_KEY].an_desc; + Entry *e; + + /* check for empty string */ + if (!dn->bv_len) + return 0; + /* try to look up uid within DN string */ + if (!strncmp(dn->bv_val,ad->ad_cname.bv_val,ad->ad_cname.bv_len) && + dn->bv_val[ad->ad_cname.bv_len] == '=') + { + struct berval bv, rdn; + dnRdn(dn, &rdn); + /* check if it is valid */ + bv.bv_val = dn->bv_val + ad->ad_cname.bv_len + 1; + bv.bv_len = rdn.bv_len - ad->ad_cname.bv_len - 1; + if (!isvalidusername(&bv)) + return 0; + ber_dupbv_x( uid, &bv, op->o_tmpmemctx ); + return 1; + } + /* look up the uid from the entry itself */ + if (be_entry_get_rw( op, dn, NULL, ad, 0, &e) == LDAP_SUCCESS) + { + Attribute *a = attr_find(e->e_attrs, ad); + if (a) { + ber_dupbv_x(uid, &a->a_vals[0], op->o_tmpmemctx); + } + be_entry_release_r(op, e); + if (a) + return 1; + } + return 0; +} + +int nssov_name2dn_cb(Operation *op,SlapReply *rs) +{ + if ( rs->sr_type == REP_SEARCH ) + { + struct berval *bv = op->o_callback->sc_private; + if ( !BER_BVISNULL(bv)) { + op->o_tmpfree( bv->bv_val, op->o_tmpmemctx ); + BER_BVZERO(bv); + return LDAP_ALREADY_EXISTS; + } + ber_dupbv_x(bv, &rs->sr_entry->e_name, op->o_tmpmemctx); + } + return LDAP_SUCCESS; +} + +int nssov_uid2dn(Operation *op,nssov_info *ni,struct berval *uid,struct berval *dn) +{ + nssov_mapinfo *mi = &ni->ni_maps[NM_passwd]; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf),fbuf}; + slap_callback cb = {0}; + SlapReply rs = {REP_RESULT}; + Operation op2; + int rc; + + /* if it isn't a valid username, just bail out now */ + if (!isvalidusername(uid)) + return 0; + /* we have to look up the entry */ + nssov_filter_byid(mi,UID_KEY,uid,&filter); + BER_BVZERO(dn); + cb.sc_private = dn; + cb.sc_response = nssov_name2dn_cb; + op2 = *op; + op2.o_callback = &cb; + op2.o_req_dn = mi->mi_base; + op2.o_req_ndn = mi->mi_base; + op2.ors_scope = mi->mi_scope; + op2.ors_filterstr = filter; + op2.ors_filter = str2filter_x( op, filter.bv_val ); + op2.ors_attrs = slap_anlist_no_attrs; + op2.ors_tlimit = SLAP_NO_LIMIT; + op2.ors_slimit = SLAP_NO_LIMIT; + rc = op2.o_bd->be_search( &op2, &rs ); + filter_free_x( op, op2.ors_filter, 1 ); + return rc == LDAP_SUCCESS && !BER_BVISNULL(dn); +} + +/* the maximum number of uidNumber attributes per entry */ +#define MAXUIDS_PER_ENTRY 5 + +NSSOV_CBPRIV(passwd, + char buf[256]; + struct berval name; + struct berval id;); + +static struct berval shadowclass = BER_BVC("shadowAccount"); + +static int write_passwd(nssov_passwd_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + struct berval tmparr[2], tmpuid[2]; + char *tmp; + struct berval *names; + struct berval *uids; + struct berval passwd = {0}; + gid_t gid; + struct berval gecos; + struct berval homedir; + struct berval shell; + Attribute *a; + int i,j; + int use_shadow = 0; + /* get the usernames for this entry */ + if (BER_BVISNULL(&cbp->name)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[UID_KEY].an_desc); + if (!a) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + names = a->a_vals; + } + else + { + names=tmparr; + names[0]=cbp->name; + BER_BVZERO(&names[1]); + } + /* get the password for this entry */ + a = attr_find(entry->e_attrs, slap_schema.si_ad_objectClass); + if ( a ) { + for ( i=0; i<a->a_numvals; i++) { + if ( bvmatch( &shadowclass, &a->a_nvals[i] )) { + use_shadow = 1; + break; + } + } + } + if ( use_shadow ) + { + /* if the entry has a shadowAccount entry, point to that instead */ + passwd = shadow_passwd; + } + else + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[PWD_KEY].an_desc); + if (a) + get_userpassword(&a->a_vals[0], &passwd); + if (BER_BVISNULL(&passwd)) + passwd=default_passwd_userPassword; + } + /* get the uids for this entry */ + if (BER_BVISNULL(&cbp->id)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[UIDN_KEY].an_desc); + if ( !a ) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[UIDN_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + uids = a->a_vals; + } + else + { + uids = tmpuid; + uids[0] = cbp->id; + BER_BVZERO(&uids[1]); + } + /* get the gid for this entry */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[GIDN_KEY].an_desc); + if (!a) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[GIDN_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + else if (a->a_numvals != 1) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[GIDN_KEY].an_desc->ad_cname.bv_val,0); + } + gid=(gid_t)strtol(a->a_vals[0].bv_val,&tmp,0); + if ((a->a_vals[0].bv_val[0]=='\0')||(*tmp!='\0')) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s contains non-numeric %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[GIDN_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + /* get the gecos for this entry (fall back to cn) */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[GEC_KEY].an_desc); + if (!a) + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[CN_KEY].an_desc); + if (!a || !a->a_numvals) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s does not contain %s or %s value\n", + entry->e_name.bv_val, + cbp->mi->mi_attrs[GEC_KEY].an_desc->ad_cname.bv_val, + cbp->mi->mi_attrs[CN_KEY].an_desc->ad_cname.bv_val); + return 0; + } + else if (a->a_numvals > 1) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s contains multiple %s or %s values\n", + entry->e_name.bv_val, + cbp->mi->mi_attrs[GEC_KEY].an_desc->ad_cname.bv_val, + cbp->mi->mi_attrs[CN_KEY].an_desc->ad_cname.bv_val); + } + gecos=a->a_vals[0]; + /* get the home directory for this entry */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[DIR_KEY].an_desc); + if (!a) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[DIR_KEY].an_desc->ad_cname.bv_val,0); + homedir=default_passwd_homeDirectory; + } + else + { + if (a->a_numvals > 1) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[DIR_KEY].an_desc->ad_cname.bv_val,0); + } + homedir=a->a_vals[0]; + if (homedir.bv_val[0]=='\0') + homedir=default_passwd_homeDirectory; + } + /* get the shell for this entry */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[SHL_KEY].an_desc); + if (!a) + { + shell=default_passwd_loginShell; + } + else + { + if (a->a_numvals > 1) + { + Debug(LDAP_DEBUG_ANY,"passwd entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[SHL_KEY].an_desc->ad_cname.bv_val,0); + } + shell=a->a_vals[0]; + if (shell.bv_val[0]=='\0') + shell=default_passwd_loginShell; + } + /* write the entries */ + for (i=0;!BER_BVISNULL(&names[i]);i++) + { + if (!isvalidusername(&names[i])) + { + Debug(LDAP_DEBUG_ANY,"nssov: passwd entry %s contains invalid user name: \"%s\"\n", + entry->e_name.bv_val,names[i].bv_val,0); + } + else + { + for (j=0;!BER_BVISNULL(&uids[j]);j++) + { + char *tmp; + uid_t uid; + uid = strtol(uids[j].bv_val, &tmp, 0); + if ( *tmp ) { + Debug(LDAP_DEBUG_ANY,"nssov: passwd entry %s contains non-numeric %s value: \"%s\"\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[UIDN_KEY].an_desc->ad_cname.bv_val, + names[i].bv_val); + continue; + } + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&names[i]); + WRITE_BERVAL(cbp->fp,&passwd); + WRITE_INT32(cbp->fp,uid); + WRITE_INT32(cbp->fp,gid); + WRITE_BERVAL(cbp->fp,&gecos); + WRITE_BERVAL(cbp->fp,&homedir); + WRITE_BERVAL(cbp->fp,&shell); + } + } + } + return 0; +} + +NSSOV_CB(passwd) + +NSSOV_HANDLE( + passwd,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf; + if (!isvalidusername(&cbp.name)) { + Debug(LDAP_DEBUG_ANY,"nssov_passwd_byname(%s): invalid user name\n",cbp.name.bv_val,0,0); + return -1; + } + BER_BVZERO(&cbp.id); , + Debug(LDAP_DEBUG_TRACE,"nssov_passwd_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_PASSWD_BYNAME, + nssov_filter_byname(cbp.mi,UID_KEY,&cbp.name,&filter) +) + +NSSOV_HANDLE( + passwd,byuid, + uid_t uid; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_INT32(fp,uid); + cbp.id.bv_val = cbp.buf; + cbp.id.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",uid); + BER_BVZERO(&cbp.name);, + Debug(LDAP_DEBUG_TRACE,"nssov_passwd_byuid(%s)\n",cbp.id.bv_val,0,0);, + NSLCD_ACTION_PASSWD_BYUID, + nssov_filter_byid(cbp.mi,UIDN_KEY,&cbp.id,&filter) +) + +NSSOV_HANDLE( + passwd,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name); + BER_BVZERO(&cbp.id);, + Debug(LDAP_DEBUG_TRACE,"nssov_passwd_all()\n",0,0,0);, + NSLCD_ACTION_PASSWD_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/protocol.c b/contrib/slapd-modules/nssov/protocol.c new file mode 100644 index 0000000..a248451 --- /dev/null +++ b/contrib/slapd-modules/nssov/protocol.c @@ -0,0 +1,156 @@ +/* protocol.c - network protocol lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* + * ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + * DESC 'Abstraction of an IP protocol. Maps a protocol number + * to one or more names. The distinguished value of the cn + * attribute denotes the protocol's canonical name' + * MUST ( cn $ ipProtocolNumber ) + * MAY description ) + */ + +/* the basic search filter for searches */ +static struct berval protocol_filter = BER_BVC("(objectClass=ipProtocol)"); + +/* the attributes used in searches */ +static struct berval protocol_keys[] = { + BER_BVC("cn"), + BER_BVC("ipProtocolNumber"), + BER_BVNULL +}; + +NSSOV_INIT(protocol) + +NSSOV_CBPRIV(protocol, + char buf[256]; + struct berval name; + struct berval numb;); + +static int write_protocol(nssov_protocol_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + int i,numname,dupname,proto; + struct berval name,*names; + Attribute *a; + char *tmp; + + /* get the most canonical name */ + nssov_find_rdnval( &entry->e_nname, cbp->mi->mi_attrs[0].an_desc, &name ); + /* get the other names for the protocol */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[0].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"protocol entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + names = a->a_vals; + numname = a->a_numvals; + /* if the name is not yet found, get the first entry from names */ + if (BER_BVISNULL(&name)) { + name=names[0]; + dupname = 0; + } else { + dupname = -1; + for (i=0; i<numname; i++) { + if ( bvmatch(&name, &a->a_nvals[i])) { + dupname = i; + break; + } + } + } + /* get the protocol number */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[1].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"protocol entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } else if ( a->a_numvals > 1 ) { + Debug(LDAP_DEBUG_ANY,"protocol entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + } + proto=(int)strtol(a->a_vals[0].bv_val,&tmp,0); + if (*tmp) + { + Debug(LDAP_DEBUG_ANY,"protocol entry %s contains non-numeric %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + /* write the entry */ + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&name); + if ( dupname >= 0 ) { + WRITE_INT32(cbp->fp,numname-1); + } else { + WRITE_INT32(cbp->fp,numname); + } + for (i=0;i<numname;i++) { + if (i == dupname) continue; + WRITE_BERVAL(cbp->fp,&names[i]); + } + WRITE_INT32(cbp->fp,proto); + return 0; +} + +NSSOV_CB(protocol) + +NSSOV_HANDLE( + protocol,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.numb); + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_protocol_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_PROTOCOL_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + protocol,bynumber, + int protocol; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_INT32(fp,protocol); + cbp.numb.bv_val = cbp.buf; + cbp.numb.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",protocol); + BER_BVZERO(&cbp.name);, + Debug(LDAP_DEBUG_TRACE,"nssov_protocol_bynumber(%s)\n",cbp.numb.bv_val,0,0);, + NSLCD_ACTION_PROTOCOL_BYNUMBER, + nssov_filter_byid(cbp.mi,1,&cbp.numb,&filter) +) + +NSSOV_HANDLE( + protocol,all, + struct berval filter; + /* no parameters to read */, + Debug(LDAP_DEBUG_TRACE,"nssov_protocol_all()\n",0,0,0);, + NSLCD_ACTION_PROTOCOL_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/rpc.c b/contrib/slapd-modules/nssov/rpc.c new file mode 100644 index 0000000..a157871 --- /dev/null +++ b/contrib/slapd-modules/nssov/rpc.c @@ -0,0 +1,158 @@ +/* rpc.c - rpc lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL + * DESC 'Abstraction of an Open Network Computing (ONC) + * [RFC1057] Remote Procedure Call (RPC) binding. + * This class maps an ONC RPC number to a name. + * The distinguished value of the cn attribute denotes + * the RPC service's canonical name' + * MUST ( cn $ oncRpcNumber ) + * MAY description ) + */ + +/* the basic search filter for searches */ +static struct berval rpc_filter = BER_BVC("(objectClass=oncRpc)"); + +/* the attributes to request with searches */ +static struct berval rpc_keys[] = { + BER_BVC("cn"), + BER_BVC("oncRpcNumber"), + BER_BVNULL +}; + +NSSOV_INIT(rpc) + +NSSOV_CBPRIV(rpc, + char buf[256]; + struct berval name; + struct berval numb;); + +/* write a single rpc entry to the stream */ +static int write_rpc(nssov_rpc_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + int i,numname,dupname,number; + struct berval name,*names; + Attribute *a; + char *tmp; + + /* get the most canonical name */ + nssov_find_rdnval( &entry->e_nname, cbp->mi->mi_attrs[0].an_desc, &name ); + /* get the other names for the rpc */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[0].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"rpc entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + names = a->a_vals; + numname = a->a_numvals; + /* if the name is not yet found, get the first entry from names */ + if (BER_BVISNULL(&name)) { + name=names[0]; + dupname = 0; + } else { + dupname = -1; + for (i=0; i<numname; i++) { + if ( bvmatch(&name, &a->a_nvals[i])) { + dupname = i; + break; + } + } + } + /* get the rpc number */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[1].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"rpc entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } else if ( a->a_numvals > 1 ) { + Debug(LDAP_DEBUG_ANY,"rpc entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + } + number=(int)strtol(a->a_vals[0].bv_val,&tmp,0); + if (*tmp) + { + Debug(LDAP_DEBUG_ANY,"rpc entry %s contains non-numeric %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + /* write the entry */ + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&name); + if ( dupname >= 0 ) { + WRITE_INT32(cbp->fp,numname-1); + } else { + WRITE_INT32(cbp->fp,numname); + } + for (i=0;i<numname;i++) { + if (i == dupname) continue; + WRITE_BERVAL(cbp->fp,&names[i]); + } + WRITE_INT32(cbp->fp,number); + return 0; +} + +NSSOV_CB(rpc) + +NSSOV_HANDLE( + rpc,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + BER_BVZERO(&cbp.numb); + READ_STRING(fp,cbp.buf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf;, + Debug(LDAP_DEBUG_TRACE,"nssov_rpc_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_RPC_BYNAME, + nssov_filter_byname(cbp.mi,0,&cbp.name,&filter) +) + +NSSOV_HANDLE( + rpc,bynumber, + int number; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_INT32(fp,number); + cbp.numb.bv_val = cbp.buf; + cbp.numb.bv_len = snprintf(cbp.buf,sizeof(cbp.buf),"%d",number); + BER_BVZERO(&cbp.name);, + Debug(LDAP_DEBUG_TRACE,"nssov_rpc_bynumber(%s)\n",cbp.numb.bv_val,0,0);, + NSLCD_ACTION_RPC_BYNUMBER, + nssov_filter_byid(cbp.mi,1,&cbp.numb,&filter) +) + +NSSOV_HANDLE( + rpc,all, + struct berval filter; + /* no parameters to read */, + Debug(LDAP_DEBUG_TRACE,"nssov_rpc_all()\n",0,0,0);, + NSLCD_ACTION_RPC_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/service.c b/contrib/slapd-modules/nssov/service.c new file mode 100644 index 0000000..df87c86 --- /dev/null +++ b/contrib/slapd-modules/nssov/service.c @@ -0,0 +1,250 @@ +/* service.c - service lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL + * DESC 'Abstraction an Internet Protocol service. + * Maps an IP port and protocol (such as tcp or udp) + * to one or more names; the distinguished value of + * the cn attribute denotes the service's canonical + * name' + * MUST ( cn $ ipServicePort $ ipServiceProtocol ) + * MAY ( description ) ) + */ + +/* the basic search filter for searches */ +static struct berval service_filter = BER_BVC("(objectClass=ipService)"); + +/* the attributes to request with searches */ +static struct berval service_keys[] = { + BER_BVC("cn"), + BER_BVC("ipServicePort"), + BER_BVC("ipServiceProtocol"), + BER_BVNULL +}; + +static int mkfilter_service_byname(nssov_mapinfo *mi,struct berval *name, + struct berval *protocol,struct berval *buf) +{ + char buf2[1024],buf3[1024]; + struct berval bv2 = {sizeof(buf2),buf2}; + struct berval bv3 = {sizeof(buf3),buf3}; + + /* escape attributes */ + if (nssov_escape(name,&bv2)) + return -1; + if (!BER_BVISNULL(protocol)) { + if (nssov_escape(protocol,&bv3)) + return -1; + if (bv2.bv_len + mi->mi_filter.bv_len + mi->mi_attrs[0].an_desc->ad_cname.bv_len + + bv3.bv_len + mi->mi_attrs[2].an_desc->ad_cname.bv_len + 9 > buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s)(%s=%s))", + mi->mi_filter.bv_val, + mi->mi_attrs[0].an_desc->ad_cname.bv_val, bv2.bv_val, + mi->mi_attrs[2].an_desc->ad_cname.bv_val, bv3.bv_val ); + } else { + if (bv2.bv_len + mi->mi_filter.bv_len + mi->mi_attrs[0].an_desc->ad_cname.bv_len + 6 > + buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s))", + mi->mi_filter.bv_val, mi->mi_attrs[0].an_desc->ad_cname.bv_val, + bv2.bv_val ); + } + return 0; +} + +static int mkfilter_service_bynumber(nssov_mapinfo *mi,struct berval *numb, + struct berval *protocol,struct berval *buf) +{ + char buf2[1024]; + struct berval bv2 = {sizeof(buf2),buf2}; + + /* escape attribute */ + if (!BER_BVISNULL(protocol)) { + if (nssov_escape(protocol,&bv2)) + return -1; + if (numb->bv_len + mi->mi_filter.bv_len + mi->mi_attrs[1].an_desc->ad_cname.bv_len + + bv2.bv_len + mi->mi_attrs[2].an_desc->ad_cname.bv_len + 9 > buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s)(%s=%s))", + mi->mi_filter.bv_val, + mi->mi_attrs[1].an_desc->ad_cname.bv_val, numb->bv_val, + mi->mi_attrs[2].an_desc->ad_cname.bv_val, bv2.bv_val ); + } else { + if (numb->bv_len + mi->mi_filter.bv_len + mi->mi_attrs[1].an_desc->ad_cname.bv_len + 6 > + buf->bv_len ) + return -1; + buf->bv_len = snprintf(buf->bv_val, buf->bv_len, "(&%s(%s=%s))", + mi->mi_filter.bv_val, mi->mi_attrs[1].an_desc->ad_cname.bv_val, + numb->bv_val ); + } + return 0; +} + +NSSOV_INIT(service) + +NSSOV_CBPRIV(service, + char nbuf[256]; + char pbuf[256]; + struct berval name; + struct berval prot;); + +static int write_service(nssov_service_cbp *cbp,Entry *entry) +{ + int32_t tmpint32; + struct berval name,*names,*protos; + struct berval tmparr[2]; + Attribute *a; + char *tmp; + int port; + int i,numname,dupname,numprot; + + /* get the most canonical name */ + nssov_find_rdnval( &entry->e_nname, cbp->mi->mi_attrs[0].an_desc, &name ); + /* get the other names for the rpc */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[0].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"service entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[0].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + names = a->a_vals; + numname = a->a_numvals; + /* if the name is not yet found, get the first entry from names */ + if (BER_BVISNULL(&name)) { + name=names[0]; + dupname = 0; + } else { + dupname = -1; + for (i=0; i<numname; i++) { + if ( bvmatch(&name, &a->a_nvals[i])) { + dupname = i; + break; + } + } + } + /* get the service number */ + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[1].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"service entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } else if ( a->a_numvals > 1 ) { + Debug(LDAP_DEBUG_ANY,"service entry %s contains multiple %s values\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + } + port=(int)strtol(a->a_vals[0].bv_val,&tmp,0); + if (*tmp) + { + Debug(LDAP_DEBUG_ANY,"service entry %s contains non-numeric %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[1].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + /* get protocols */ + if (BER_BVISNULL(&cbp->prot)) + { + a = attr_find( entry->e_attrs, cbp->mi->mi_attrs[2].an_desc ); + if ( !a || !a->a_vals ) + { + Debug(LDAP_DEBUG_ANY,"service entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[2].an_desc->ad_cname.bv_val, 0 ); + return 0; + } + protos = a->a_vals; + numprot = a->a_numvals; + } + else + { + protos=tmparr; + protos[0]=cbp->prot; + BER_BVZERO(&protos[1]); + numprot = 1; + } + /* write the entries */ + for (i=0;i<numprot;i++) + { + int j; + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&name); + if ( dupname >= 0 ) { + WRITE_INT32(cbp->fp,numname-1); + } else { + WRITE_INT32(cbp->fp,numname); + } + for (j=0;j<numname;j++) { + if (j == dupname) continue; + WRITE_BERVAL(cbp->fp,&names[j]); + } + WRITE_INT32(cbp->fp,port); + WRITE_BERVAL(cbp->fp,&protos[i]); + } + return 0; +} + +NSSOV_CB(service) + +NSSOV_HANDLE( + service,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.nbuf); + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.nbuf; + READ_STRING(fp,cbp.pbuf); + cbp.prot.bv_len = tmpint32; + cbp.prot.bv_val = tmpint32 ? cbp.pbuf : NULL;, + Debug(LDAP_DEBUG_TRACE,"nssov_service_byname(%s,%s)\n",cbp.name.bv_val,cbp.prot.bv_val ? cbp.prot.bv_val : "",0);, + NSLCD_ACTION_SERVICE_BYNAME, + mkfilter_service_byname(cbp.mi,&cbp.name,&cbp.prot,&filter) +) + +NSSOV_HANDLE( + service,bynumber, + int number; + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_INT32(fp,number); + cbp.name.bv_val = cbp.nbuf; + cbp.name.bv_len = snprintf(cbp.nbuf,sizeof(cbp.nbuf),"%d",number); + READ_STRING(fp,cbp.pbuf); + cbp.prot.bv_len = tmpint32; + cbp.prot.bv_val = tmpint32 ? cbp.pbuf : NULL;, + Debug(LDAP_DEBUG_TRACE,"nssov_service_bynumber(%s,%s)\n",cbp.name.bv_val,cbp.prot.bv_val,0);, + NSLCD_ACTION_SERVICE_BYNUMBER, + mkfilter_service_bynumber(cbp.mi,&cbp.name,&cbp.prot,&filter) +) + +NSSOV_HANDLE( + service,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.prot);, + Debug(LDAP_DEBUG_TRACE,"nssov_service_all()\n",0,0,0);, + NSLCD_ACTION_SERVICE_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/shadow.c b/contrib/slapd-modules/nssov/shadow.c new file mode 100644 index 0000000..5789a88 --- /dev/null +++ b/contrib/slapd-modules/nssov/shadow.c @@ -0,0 +1,257 @@ +/* shadow.c - shadow account lookup routines */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2008-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This code references portions of the nss-ldapd package + * written by Arthur de Jong. The nss-ldapd code was forked + * from the nss-ldap library written by Luke Howard. + */ + +#include "nssov.h" + +/* ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY + * DESC 'Additional attributes for shadow passwords' + * MUST uid + * MAY ( userPassword $ shadowLastChange $ shadowMin + * shadowMax $ shadowWarning $ shadowInactive $ + * shadowExpire $ shadowFlag $ description ) ) + */ + +/* the basic search filter for searches */ +static struct berval shadow_filter = BER_BVC("(objectClass=shadowAccount)"); + +/* the attributes to request with searches */ +static struct berval shadow_keys[] = { + BER_BVC("uid"), + BER_BVC("userPassword"), + BER_BVC("shadowLastChange"), + BER_BVC("shadowMin"), + BER_BVC("shadowMax"), + BER_BVC("shadowWarning"), + BER_BVC("shadowInactive"), + BER_BVC("shadowExpire"), + BER_BVC("shadowFlag"), + BER_BVNULL +}; + +#define UID_KEY 0 +#define PWD_KEY 1 +#define CHG_KEY 2 +#define MIN_KEY 3 +#define MAX_KEY 4 +#define WRN_KEY 5 +#define INA_KEY 6 +#define EXP_KEY 7 +#define FLG_KEY 8 + +/* default values for attributes */ +static struct berval default_shadow_userPassword = BER_BVC("*"); /* unmatchable */ +static int default_nums[] = { 0,0, + -1, /* LastChange */ + -1, /* Min */ + -1, /* Max */ + -1, /* Warning */ + -1, /* Inactive */ + -1, /* Expire */ + 0 /* Flag */ +}; + +NSSOV_INIT(shadow) + +static long to_date(struct berval *date,AttributeDescription *attr) +{ + long value; + char *tmp; + /* do some special handling for date values on AD */ + if (strcasecmp(attr->ad_cname.bv_val,"pwdLastSet")==0) + { + char buffer[8]; + size_t l; + /* we expect an AD 64-bit datetime value; + we should do date=date/864000000000-134774 + but that causes problems on 32-bit platforms, + first we devide by 1000000000 by stripping the + last 9 digits from the string and going from there */ + l=date->bv_len-9; + if (l<1 || l>(sizeof(buffer)-1)) + return 0; /* error */ + strncpy(buffer,date->bv_val,l); + buffer[l]='\0'; + value=strtol(buffer,&tmp,0); + if ((buffer[0]=='\0')||(*tmp!='\0')) + { + Debug(LDAP_DEBUG_ANY,"shadow entry contains non-numeric %s value\n", + attr->ad_cname.bv_val,0,0); + return 0; + } + return value/864-134774; + /* note that AD does not have expiry dates but a lastchangeddate + and some value that needs to be added */ + } + value=strtol(date->bv_val,&tmp,0); + if ((date->bv_val[0]=='\0')||(*tmp!='\0')) + { + Debug(LDAP_DEBUG_ANY,"shadow entry contains non-numeric %s value\n", + attr->ad_cname.bv_val,0,0); + return 0; + } + return value; +} + +#ifndef UF_DONT_EXPIRE_PASSWD +#define UF_DONT_EXPIRE_PASSWD 0x10000 +#endif + +#define GET_OPTIONAL_LONG(var,key) \ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[key].an_desc); \ + if ( !a || BER_BVISNULL(&a->a_vals[0])) \ + var = default_nums[key]; \ + else \ + { \ + if (a->a_numvals > 1) \ + { \ + Debug(LDAP_DEBUG_ANY,"shadow entry %s contains multiple %s values\n", \ + entry->e_name.bv_val, cbp->mi->mi_attrs[key].an_desc->ad_cname.bv_val,0); \ + } \ + var=strtol(a->a_vals[0].bv_val,&tmp,0); \ + if ((a->a_vals[0].bv_val[0]=='\0')||(*tmp!='\0')) \ + { \ + Debug(LDAP_DEBUG_ANY,"shadow entry %s contains non-numeric %s value\n", \ + entry->e_name.bv_val, cbp->mi->mi_attrs[key].an_desc->ad_cname.bv_val,0); \ + return 0; \ + } \ + } + +#define GET_OPTIONAL_DATE(var,key) \ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[key].an_desc); \ + if ( !a || BER_BVISNULL(&a->a_vals[0])) \ + var = default_nums[key]; \ + else \ + { \ + if (a->a_numvals > 1) \ + { \ + Debug(LDAP_DEBUG_ANY,"shadow entry %s contains multiple %s values\n", \ + entry->e_name.bv_val, cbp->mi->mi_attrs[key].an_desc->ad_cname.bv_val,0); \ + } \ + var=to_date(&a->a_vals[0],cbp->mi->mi_attrs[key].an_desc); \ + } + +NSSOV_CBPRIV(shadow, + char buf[256]; + struct berval name;); + +static int write_shadow(nssov_shadow_cbp *cbp,Entry *entry) +{ + struct berval tmparr[2]; + struct berval *names; + Attribute *a; + char *tmp; + struct berval passwd = {0}; + long lastchangedate; + long mindays; + long maxdays; + long warndays; + long inactdays; + long expiredate; + unsigned long flag; + int i; + int32_t tmpint32; + /* get username */ + if (BER_BVISNULL(&cbp->name)) + { + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[UID_KEY].an_desc); + if (!a) + { + Debug(LDAP_DEBUG_ANY,"shadow entry %s does not contain %s value\n", + entry->e_name.bv_val, cbp->mi->mi_attrs[UID_KEY].an_desc->ad_cname.bv_val,0); + return 0; + } + names = a->a_vals; + } + else + { + names=tmparr; + names[0]=cbp->name; + BER_BVZERO(&names[1]); + } + /* get password */ + a = attr_find(entry->e_attrs, cbp->mi->mi_attrs[PWD_KEY].an_desc); + if ( a ) + get_userpassword(&a->a_vals[0], &passwd); + if (BER_BVISNULL(&passwd)) + passwd=default_shadow_userPassword; + /* get lastchange date */ + GET_OPTIONAL_DATE(lastchangedate,CHG_KEY); + /* get mindays */ + GET_OPTIONAL_LONG(mindays,MIN_KEY); + /* get maxdays */ + GET_OPTIONAL_LONG(maxdays,MAX_KEY); + /* get warndays */ + GET_OPTIONAL_LONG(warndays,WRN_KEY); + /* get inactdays */ + GET_OPTIONAL_LONG(inactdays,INA_KEY); + /* get expire date */ + GET_OPTIONAL_LONG(expiredate,EXP_KEY); + /* get flag */ + GET_OPTIONAL_LONG(flag,FLG_KEY); + /* if we're using AD handle the flag specially */ + if (strcasecmp(cbp->mi->mi_attrs[CHG_KEY].an_desc->ad_cname.bv_val,"pwdLastSet")==0) + { + if (flag&UF_DONT_EXPIRE_PASSWD) + maxdays=99999; + flag=0; + } + /* write the entries */ + for (i=0;!BER_BVISNULL(&names[i]);i++) + { + WRITE_INT32(cbp->fp,NSLCD_RESULT_BEGIN); + WRITE_BERVAL(cbp->fp,&names[i]); + WRITE_BERVAL(cbp->fp,&passwd); + WRITE_INT32(cbp->fp,lastchangedate); + WRITE_INT32(cbp->fp,mindays); + WRITE_INT32(cbp->fp,maxdays); + WRITE_INT32(cbp->fp,warndays); + WRITE_INT32(cbp->fp,inactdays); + WRITE_INT32(cbp->fp,expiredate); + WRITE_INT32(cbp->fp,flag); + } + return 0; +} + +NSSOV_CB(shadow) + +NSSOV_HANDLE( + shadow,byname, + char fbuf[1024]; + struct berval filter = {sizeof(fbuf)}; + filter.bv_val = fbuf; + READ_STRING(fp,cbp.buf);, + cbp.name.bv_len = tmpint32; + cbp.name.bv_val = cbp.buf; + Debug(LDAP_DEBUG_ANY,"nssov_shadow_byname(%s)\n",cbp.name.bv_val,0,0);, + NSLCD_ACTION_SHADOW_BYNAME, + nssov_filter_byname(cbp.mi,UID_KEY,&cbp.name,&filter) +) + +NSSOV_HANDLE( + shadow,all, + struct berval filter; + /* no parameters to read */ + BER_BVZERO(&cbp.name);, + Debug(LDAP_DEBUG_ANY,"nssov_shadow_all()\n",0,0,0);, + NSLCD_ACTION_SHADOW_ALL, + (filter=cbp.mi->mi_filter,0) +) diff --git a/contrib/slapd-modules/nssov/slapo-nssov.5 b/contrib/slapd-modules/nssov/slapo-nssov.5 new file mode 100644 index 0000000..83f1af7 --- /dev/null +++ b/contrib/slapd-modules/nssov/slapo-nssov.5 @@ -0,0 +1,316 @@ +.TH SLAPO-NSSOV 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved. +.\" Copying restrictions apply. See the COPYRIGHT file. +.\" $OpenLDAP$ +.SH NAME +slapo-nssov \- NSS and PAM requests through a local Unix Domain socket +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B nssov +overlay to +.BR slapd (8) +services NSS and PAM requests through a local Unix Domain socket. +It uses the same IPC protocol as Arthur de Jong's nss-pam-ldapd. +An extract of the nss-ldapd source is included along with the +nssov source code to allow the overlay to communicate with the +nss-pam-ldapd client stubs. +.LP +Using a separate IPC protocol for NSS and PAM requests eliminates the +libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions +all suffer from. Both the original nss-ldapd and this nssov solution +are free from these library issues. +.LP +Unlike nss-pam-ldapd, since this overlay executes inside slapd it allows for +the possibility of sophisticated caching, without any of the weaknesses of +nscd and other related caching solutions. E.g., a remote LDAP database can +be accessed using back-ldap with proxy caching (see +.BR slapd-ldap (5) +and +.BR slapo-pcache (5) +) to leverage back-ldap's +connection pooling as well as pcache's persistent caching, to provide +high performance and a measure of support for disconnected operation. +Alternatively, cache considerations can be completely eliminated by running +a regular database with syncrepl to maintain synchronization with a remote +LDAP database. +.LP +Another major benefit of nssov is that it allows all security policy to be +administered centrally via LDAP, instead of having fragile rules scattered +across multiple flat files. As such, there is no client-side configuration at +all for the NSS/PAM stub libraries. (The stubs talk to the server via a Unix +domain socket whose path is hardcoded to NSLCDPATH). As a side benefit, +this can finally eliminate the perpetual confusion between OpenLDAP's +ldap.conf file in ETCDIR/ldap.conf and the similarly named files typically +used by pam_ldap and nss_ldap. +.LP +User authentication is performed by internal simple Binds. User authorization +leverages the slapd ACL engine, which offers much more power and flexibility +than the simple group/hostname checks in the old pam_ldap code. +.LP +To use this code, you will need the client-side stub library from +nss-pam-ldapd. You can get it from: +http://arthurdejong.org/nss-pam-ldapd +You will not need the nslcd daemon; this overlay replaces that part. +To disable building of the nslcd daemon in nss-pam-ldapd, add the +--disable-nslcd option to the nss-pam-ldapd configure script. You +should already be familiar with the RFC2307 and RFC2307bis schema +to use this overlay. See the nss-pam-ldapd README for more information +on the schema and which features are supported. +.LP +You will also need to include the nis.schema in your slapd configuration +for RFC2307 support. If you wish to use RFC2307bis you will need a slightly +different schema. You will also need the ldapns.schema for PAM authorization +management. +.LP +You must select +.B ldap +in the appropriate services in +.I /etc/nsswitch.conf +in order for these NSS features to take effect. Likewise, you must +enable +.B pam_ldap +for the authenticate, account, session, and password services in +.I /etc/pam.conf +or +.I /etc/pam.d +for these PAM features to take effect. + +.TP +.B overlay nssov +This directive adds the nssov overlay to the current backend. +.TP +.B nssov-ssd <service> <url> +This directive configures a Service Search Descriptor (SSD) for each NSS +service that will be used. The <service> may be one of +.RS +.nf + aliases + ethers + group + hosts + netgroup + networks + passwd + protocols + rpc + services + shadow +.fi +.RE +and the <url> must be of the form +.RS +.TP +.B ldap:///[<basedn>][??[<scope>][?<filter>]] +.RE +The +.B <basedn> +will default to the first suffix of the current database. +The +.B <scope> +defaults to "subtree". The default +.B <filter> +depends on which service is being used. +.TP +.B nssov-map <service> <orig> <new> +If the local database is actually a proxy to a foreign LDAP server, some +mapping of schema may be needed. This directive allows some simple attribute +substitutions to be performed. See the +.B nss-ldapd/README +for the original attribute names used in this code. +.TP +.B nssov-pam <option> [...] +This directive determines a number of PAM behaviors. Multiple options may +be used at once, and available levels are: +.RS +.RS +.PD 0 +.TP +.B userhost +check host attribute in user entry for authorization +.TP +.B userservice +check authorizedService attribute in user entry for authorization +.TP +.B usergroup +check that user is a member of specific group for authorization +.TP +.B hostservice +check authorizedService attribute in host entry for authorization +.TP +.B authz2dn +use authz-regexp mapping to map uid to LDAP DN +.TP +.B uid2dn +use NSS passwd SSD to map uid to LDAP DN +.PD +.RE + +Setting the +.BR userhost , +.BR userservice , +and +.B usergroup +options duplicates the original pam_ldap authorization behavior. + +The recommended approach is to use +.B hostservice +instead. In this case, ipHost entries must be created for all hosts +being managed, and they must also have the authorizedServiceObject +class to allow authorizedService attributes to be used. Also the +NSS host SSD must be configured so that ipHost entries can be found. +Authorization is checked by performing an LDAP Compare operation +looking for the PAM service name in the authorizedService attribute. +.B slapd +ACLs should be set to grant or deny +.B Compare +privilege to the appropriate users or groups as desired. + +If the +.B authz2dn +option is set then authz-regexp mappings will be used to map the +PAM username to an LDAP DN. The authentication DN will be of the +form +.RS +.B cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth +.RE + +If no mapping is found for this authentication DN, then this +mapping will be ignored. + +If the +.B uid2dn +option is set then the NSS passwd SSD will be used to map the +PAM username to an LDAP DN. The passwd SSD must have already been +configured for this mapping to succeed. + +If neither the authz2dn nor the uid2dn mapping succeeds, the module +will return a PAM_USER_UNKNOWN failure code. If both options are set, +the authz mapping is attempted first; if it succeeds the uid2dn mapping +will be skipped. + +By default only the +.B uid2dn +option is set. +.RE +.TP +.B nssov-pam-defhost <hostname> +Specify a default hostname to check if an ipHost entry for the current +hostname cannot be found. This setting is only relevant if the +.B hostservice +option has been set. +.TP +.B nssov-pam-group-dn <DN> +Specify the DN of an LDAP group to check for authorization. The LDAP user +must be a member of this group for the login to be allowed. There is no +default value. This setting is only relevant if the +.B usergroup +option has been set. +.TP +.B nssov-pam-group-ad <attribute> +Specify the attribute to use for group membership checks. +There is no default value. This setting is only relevant if the +.B usergroup +option has been set. +.TP +.B nssov-pam-min-uid <integer> +Specify a minimum uid that is allowed to login. Users with a uidNumber +lower than this value will be denied access. The default is zero, which +disables this setting. +.TP +.B nssov-pam-max-uid <integer> +Specify a maximum uid that is allowed to login. Users with a uidNumber +higher than this value will be denied access. The default is zero, which +disables this setting. +.TP +.B nssov-pam-template-ad <attribute> +Specify an attribute to check in a user's entry for a template login name. +The template login feature is used by FreeBSD's PAM framework. It can be +viewed as a form of proxying, where a user can authenticate with one +username/password pair, but is assigned the identity and credentials of +the template user. This setting is disabled by default. +.TP +.B nssov-pam-template <name> +Specify a default username to be used if no template attribute is found +in the user's entry. The +.B nssov-pam-template-ad +directive must be configured for this setting to have any effect. +.TP +.B nssov-pam-session <service> +Specify a PAM service name whose sessions will be recorded. For the +configured services, logins will be recorded in the +.TP +.B nssov-pam-password-prohibit-message <message> +Diable password change service and return the specified message to +users. +.TP +.B nssov-pam-pwdmgr-dn <dn> +Specify the dn of the password manager. +.TP +.B nssov-pam-pwdmgr-pwd <pwd> +Specify the pwd of the password manager. +.TP +.B loginStatus +operational attribute of the user's entry. The attribute's values are +of the form +.RS +.RS +.B <generalizedTime> <host> <service> <tty> (<ruser@rhost>) +.RE +.RE +Upon logout the corresponding value will be deleted. This feature allows +a single LDAP Search to be used to check which users are logged in across +all the hosts of a network. The rootdn of the database is used to perform +the updates of the loginStatus attribute, so a rootdn must already be +configured for this feature to work. By default no services are configured. +.LP +The PAM functions support LDAP Password Policy as well. If the password +policy overlay is in use (see +.BR slapo-ppolicy (5)), +policy +information (e.g. password expiration, password quality, etc.) +may be returned to the PAM client as a result of authentication, +account management, and password modification requests. + +The overlay also supports dynamic configuration in cn=config. An example +of the config entry is +.LP +.RS +.nf + dn: olcOverlay={0}nssov,ocDatabase={1}hdb,cn=config + objectClass: olcOverlayConfig + objectClass: olcNssOvConfig + olcOverlay: {0}nssov + olcNssSsd: passwd ldap:///ou=users,dc=example,dc=com??one + olcNssMap: passwd uid accountName + olcNssPam: hostservice uid2dn + olcNssPamDefHost: defaulthost + olcNssPamMinUid: 500 + olcNssPamMaxUid: 32000 + olcNssPamSession: login + olcNssPamSession: sshd +.fi +.RE +.LP +which enables the passwd service, and uses the accountName attribute to +fetch what is usually retrieved from the uid attribute. It also enables +some PAM authorization controls, and specifies that the PAM +.B login +and +.B sshd +services should have their logins recorded. +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd\-config (5), +.BR slapd\-ldap (5), +.BR slapo\-pcache (5), +.BR slapo\-ppolicy (5), +.BR slapd (8). +.SH AUTHOR +Howard Chu, inspired by nss-ldapd by Arthur de Jong and pam_ldap by Luke Howard +Enhancements by Ted C. Cheng, Symas Corp. diff --git a/contrib/slapd-modules/passwd/Makefile b/contrib/slapd-modules/passwd/Makefile new file mode 100644 index 0000000..b4f2b93 --- /dev/null +++ b/contrib/slapd-modules/passwd/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pw-kerberos.la: kerberos.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lkrb5 + +pw-netscape.la: netscape.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? + +pw-radius.la: radius.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lradius + +pw-apr1.la: apr1.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/passwd/README b/contrib/slapd-modules/passwd/README new file mode 100644 index 0000000..aff7c85 --- /dev/null +++ b/contrib/slapd-modules/passwd/README @@ -0,0 +1,69 @@ +This directory contains native slapd plugins for password mechanisms that +are not actively supported by the project. Currently this includes the +Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms. The Apache +APR1 MD5 and BSD/Paul Henning Kamp MD5 mechanisms are also included. + +To use the Kerberos plugin, add: + +moduleload pw-kerberos.so + +to your slapd configuration file. + +To use the Netscape plugin, add: + +moduleload pw-netscape.so + +to your slapd configuration file. + +To use the APR1/BSD/MD5 plugin, add: + +moduleload pw-apr1.so + +to your slapd configuration file. + +To use the RADIUS plugin, add: + +moduleload pw-radius.so + +to your slapd configuration file; optionally, the path to a configuration +file can be appended in the form + +moduleload pw-radius.so config="/etc/radius.conf" + +Use Makefile to compile this plugin or use a command line similar to: + +gcc -shared -I../../../include -Wall -g -DHAVE_KRB5 -o pw-kerberos.so kerberos.c + +Replace HAVE_KRB5 with HAVE_KRB4 if you want to use Kerberos IV. +If your Kerberos header files are not in the C compiler's +default path, you will need to add a "-I" directive for that as well. + +The corresponding command for the Netscape plugin would be: + +gcc -shared -I../../../include -Wall -g -o pw-netscape.so netscape.c + +The corresponding command for the RADIUS plugin would be: + +gcc -shared -I../../../include -Wall -g -o pw-radius.so radius.c -lradius + +(Actually, you might want to statically link the RADIUS client library +libradius.a into the module). + +The corresponding command for the APR1 plugin would be: + +gcc -shared -I../../../include -Wall -g -o pw-apr1.so apr1.c + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2004-2021 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/passwd/apr1-atol.pl b/contrib/slapd-modules/passwd/apr1-atol.pl new file mode 100644 index 0000000..d6eaee7 --- /dev/null +++ b/contrib/slapd-modules/passwd/apr1-atol.pl @@ -0,0 +1,29 @@ +#!/usr/bin/perl -w
+
+# Apache $apr1$ to OpenLDAP {APR1} hash converter
+# (C) 2011 Devin J. Pohly
+# You may use this code freely. It would be nice to be credited.
+
+use MIME::Base64;
+
+while (<>) {
+ ($user, $hash) = split(/:/, $_);
+ unless ($hash =~ /^\$apr1\$/) {
+ print STDERR "Not an Apache MD5 hash\n";
+ exit 1;
+ }
+
+ chomp $hash;
+ ($_,$_,$salt,$hash) = split(/\$/, $hash);
+
+ $hash =~ tr|./0-9A-Za-z|A-Za-z0-9+/|;
+ $hash .= "AA";
+ $hash =~ s/(.)(.)(.)(.)/$4$3$2$1/gs;
+ $hash = decode_base64($hash);
+ $hash =~ s/(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)..(.)/$1$4$7$10$13$15$2$5$8$11$14$16$3$6$9$12/s;
+ $hash .= $salt;
+ $hash = encode_base64($hash);
+ chop $hash;
+
+ print "$user:{APR1}$hash\n";
+}
\ No newline at end of file diff --git a/contrib/slapd-modules/passwd/apr1-ltoa.pl b/contrib/slapd-modules/passwd/apr1-ltoa.pl new file mode 100644 index 0000000..ee628ec --- /dev/null +++ b/contrib/slapd-modules/passwd/apr1-ltoa.pl @@ -0,0 +1,31 @@ +#!/usr/bin/perl -w
+
+# OpenLDAP {APR1} to Apache $apr1$ hash converter
+# (C) 2011 Devin J. Pohly
+# You may use this code freely. It would be nice to be credited.
+
+use MIME::Base64;
+
+while (<>) {
+ ($user, $hash) = split(/:/, $_);
+ unless ($hash =~ /^{APR1}/) {
+ print STDERR "Not an Apache MD5 hash\n";
+ next;
+ }
+
+ chomp $hash;
+ $hash = decode_base64(substr($hash, 6));
+ ($hash, $salt) = (substr($hash, 0, 16), substr($hash, 16));
+ $hash = $hash;
+ $hash =~ s/(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)(.)/$1$7$13$2$8$14$3$9$15$4$10$16$5$11$6\0\0$12/s;
+ $hash = encode_base64($hash);
+ chomp $hash;
+ $hash =~ s/(.)(.)(.)(.)/$4$3$2$1/gs;
+ unless ($hash =~ /AA$/) {
+ #print "Problem with hash\n";
+ next;
+ }
+ $hash =~ s/AA$//;
+ $hash =~ tr|A-Za-z0-9+/|./0-9A-Za-z|;
+ print "$user:\$apr1\$$salt\$$hash\n"
+}
\ No newline at end of file diff --git a/contrib/slapd-modules/passwd/apr1.c b/contrib/slapd-modules/passwd/apr1.c new file mode 100644 index 0000000..0ddb01b --- /dev/null +++ b/contrib/slapd-modules/passwd/apr1.c @@ -0,0 +1,233 @@ +/* $OpenLDAP$ */ +/* + * This file is derived from OpenLDAP Software. All of the modifications to + * OpenLDAP Software represented in the following file were developed by + * Devin J. Pohly <djpohly@gmail.com>. I have not assigned rights and/or + * interest in this work to any party. + * + * The extensions to OpenLDAP Software herein are subject to the following + * notice: + * + * Copyright 2011 Devin J. Pohly + * Portions Copyright 2011 Howard Chu + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP Public + * License. + * + * A portion of this code is used in accordance with the Beer-ware License, + * revision 42, as noted. + * + */ +#include <lber.h> +#include <lber_pvt.h> +#include "lutil.h" +#include "lutil_md5.h" +#include <ac/string.h> + +#include <assert.h> + +/* the only difference between this and straight PHK is the magic */ +static LUTIL_PASSWD_CHK_FUNC chk_apr1; +static LUTIL_PASSWD_HASH_FUNC hash_apr1; +static const struct berval scheme_apr1 = BER_BVC("{APR1}"); +static const struct berval magic_apr1 = BER_BVC("$apr1$"); + +static LUTIL_PASSWD_CHK_FUNC chk_bsdmd5; +static LUTIL_PASSWD_HASH_FUNC hash_bsdmd5; +static const struct berval scheme_bsdmd5 = BER_BVC("{BSDMD5}"); +static const struct berval magic_bsdmd5 = BER_BVC("$1$"); + +static const unsigned char apr64[] = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +#define APR_SALT_SIZE 8 + +/* The algorithm implemented in this function was created by Poul-Henning + * Kamp and released under the following license: + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ +static void do_phk_hash( + const struct berval *passwd, + const struct berval *salt, + const struct berval *magic, + unsigned char *digest) +{ + lutil_MD5_CTX ctx, ctx1; + int n; + + /* Start hashing */ + lutil_MD5Init(&ctx); + lutil_MD5Update(&ctx, (const unsigned char *) passwd->bv_val, passwd->bv_len); + lutil_MD5Update(&ctx, (const unsigned char *) magic->bv_val, magic->bv_len); + lutil_MD5Update(&ctx, (const unsigned char *) salt->bv_val, salt->bv_len); + /* Inner hash */ + lutil_MD5Init(&ctx1); + lutil_MD5Update(&ctx1, (const unsigned char *) passwd->bv_val, passwd->bv_len); + lutil_MD5Update(&ctx1, (const unsigned char *) salt->bv_val, salt->bv_len); + lutil_MD5Update(&ctx1, (const unsigned char *) passwd->bv_val, passwd->bv_len); + lutil_MD5Final(digest, &ctx1); + /* Nom start mixing things up */ + for (n = passwd->bv_len; n > 0; n -= LUTIL_MD5_BYTES) + lutil_MD5Update(&ctx, digest, + (n > LUTIL_MD5_BYTES ? LUTIL_MD5_BYTES : n)); + memset(digest, 0, LUTIL_MD5_BYTES); + /* Curiouser and curiouser... */ + for (n = passwd->bv_len; n; n >>= 1) + if (n & 1) + lutil_MD5Update(&ctx, digest, 1); + else + lutil_MD5Update(&ctx, (const unsigned char *) passwd->bv_val, 1); + lutil_MD5Final(digest, &ctx); + /* + * Repeatedly hash things into the final value. This was originally + * intended to slow the algorithm down. + */ + for (n = 0; n < 1000; n++) { + lutil_MD5Init(&ctx1); + if (n & 1) + lutil_MD5Update(&ctx1, + (const unsigned char *) passwd->bv_val, passwd->bv_len); + else + lutil_MD5Update(&ctx1, digest, LUTIL_MD5_BYTES); + + if (n % 3) + lutil_MD5Update(&ctx1, + (const unsigned char *) salt->bv_val, salt->bv_len); + if (n % 7) + lutil_MD5Update(&ctx1, + (const unsigned char *) passwd->bv_val, passwd->bv_len); + + if (n & 1) + lutil_MD5Update(&ctx1, digest, LUTIL_MD5_BYTES); + else + lutil_MD5Update(&ctx1, + (const unsigned char *) passwd->bv_val, passwd->bv_len); + lutil_MD5Final(digest, &ctx1); + } +} + +static int chk_phk( + const struct berval *magic, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + unsigned char digest[LUTIL_MD5_BYTES]; + unsigned char *orig_pass; + int rc; + struct berval salt; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len <= sizeof(digest)) + return LUTIL_PASSWD_ERR; + + /* base64 un-encode password hash */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if (orig_pass == NULL) + return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if (rc <= (int) sizeof(digest)) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + salt.bv_val = (char *) &orig_pass[sizeof(digest)]; + salt.bv_len = rc - sizeof(digest); + + do_phk_hash(cred, &salt, magic, digest); + + if (text) + *text = NULL; + + /* compare */ + rc = memcmp((char *) orig_pass, (char *) digest, sizeof(digest)); + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_apr1( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + return chk_phk(&magic_apr1, passwd, cred, text); +} + +static int chk_bsdmd5( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + return chk_phk(&magic_bsdmd5, passwd, cred, text); +} + +static int hash_phk( + const struct berval *scheme, + const struct berval *magic, + const struct berval *passwd, + struct berval *hash, + const char **text) +{ + unsigned char digest_buf[LUTIL_MD5_BYTES]; + char salt_buf[APR_SALT_SIZE]; + struct berval digest; + struct berval salt; + int n; + + digest.bv_val = (char *) digest_buf; + digest.bv_len = sizeof(digest_buf); + salt.bv_val = salt_buf; + salt.bv_len = APR_SALT_SIZE; + + /* generate random salt */ + if (lutil_entropy( (unsigned char *) salt.bv_val, salt.bv_len) < 0) + return LUTIL_PASSWD_ERR; + /* limit it to characters in the 64-char set */ + for (n = 0; n < salt.bv_len; n++) + salt.bv_val[n] = apr64[salt.bv_val[n] % (sizeof(apr64) - 1)]; + + do_phk_hash(passwd, &salt, magic, digest_buf); + + if (text) + *text = NULL; + + return lutil_passwd_string64(scheme, &digest, hash, &salt); +} + +static int hash_apr1( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text) +{ + return hash_phk(scheme, &magic_apr1, passwd, hash, text); +} + +static int hash_bsdmd5( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text) +{ + return hash_phk(scheme, &magic_bsdmd5, passwd, hash, text); +} + +int init_module(int argc, char *argv[]) { + int rc; + rc = lutil_passwd_add((struct berval *) &scheme_apr1, chk_apr1, hash_apr1); + if ( !rc ) + rc = lutil_passwd_add((struct berval *) &scheme_bsdmd5, + chk_bsdmd5, hash_bsdmd5); + return rc; +} diff --git a/contrib/slapd-modules/passwd/argon2/Makefile b/contrib/slapd-modules/passwd/argon2/Makefile new file mode 100644 index 0000000..0294ba0 --- /dev/null +++ b/contrib/slapd-modules/passwd/argon2/Makefile @@ -0,0 +1,70 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../../.. +LDAP_BUILD = ../../../.. +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install +CC = gcc +OPT = -g -O2 -Wall +#DEFS = -DSLAPD_ARGON2_DEBUG + +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +implementation = sodium + +ifeq ($(implementation),argon2) +LIBS += -largon2 +DEFS += -DSLAPD_ARGON2_USE_ARGON2 +else ifeq ($(implementation),sodium) +LIBS += -lsodium +DEFS += -DSLAPD_ARGON2_USE_SODIUM +else +$(error Unsupported implementation $(implementation)) +endif + +PROGRAMS = pw-argon2.la +MANPAGES = slapd-pw-argon2.5 +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pw-argon2.la: pw-argon2.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: diff --git a/contrib/slapd-modules/passwd/argon2/README b/contrib/slapd-modules/passwd/argon2/README new file mode 100644 index 0000000..13ba69f --- /dev/null +++ b/contrib/slapd-modules/passwd/argon2/README @@ -0,0 +1,109 @@ +Argon2 OpenLDAP support +---------------------- + +pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For +instance, one could have the LDAP attribute: + +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng + +or: + +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw + +Both hash the password "secret", the first using the salt "saltsalt", the second using the salt "saltsaltsalt" + +Building +-------- + +1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP +source root. + +For initial testing you might also want to edit DEFS to define +SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on +in production, as it prints passwords in cleartext). + +2) Run 'make' to produce pw-argon2.so + +3) Copy pw-argon2.so somewhere permanent. + +4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: + +moduleload ...path/to/pw-argon2.so + +5) Restart slapd. + + +Configuring +----------- + +The {ARGON2} password scheme should now be recognised. + +You can also tell OpenLDAP to use one of this scheme when processing LDAP +Password Modify Extended Operations, thanks to the password-hash option in +slapd.conf: + +password-hash {ARGON2} + + +Testing +------- + +A quick way to test whether it's working is to customize the rootdn and +rootpw in slapd.conf, eg: + +rootdn "cn=admin,dc=example,dc=com" + +# This hashes the string 'secret', with a random salt +rootpw {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc + + +Then to test, run something like: + +ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret + + +-- Test hashes: + +Test hashes can be generated with argon2: +$ echo -n "secret" | argon2 "saltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng + +$ echo -n "secret" | argon2 "saltsaltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw + +$ echo -n "secretsecret" | argon2 "saltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$U0Pd/wEsssZ9bHezDA8oxHnWe01xftykEy+7ehM2vic + +$ echo -n "secretsecret" | argon2 "saltsaltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$fkvoOwKgVtlX9ZDqcHFyyArBvqnAM0Igca8SScB4Jsc + + + +Alternatively we could modify an existing user's password with +ldappasswd, and then test binding as that user: + +$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com +New password: secret +Re-enter new password: secret +Enter LDAP Password: <cn=admin's password> + +$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret + + + +--- + +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2017-2021 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + +--- diff --git a/contrib/slapd-modules/passwd/argon2/pw-argon2.c b/contrib/slapd-modules/passwd/argon2/pw-argon2.c new file mode 100644 index 0000000..94c9e46 --- /dev/null +++ b/contrib/slapd-modules/passwd/argon2/pw-argon2.c @@ -0,0 +1,220 @@ +/* pw-argon2.c - Password module for argon2 */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2017-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "portable.h" +#include "ac/string.h" +#include "lber_pvt.h" +#include "lutil.h" + +#include <stdint.h> +#include <stdlib.h> + +#ifdef SLAPD_ARGON2_USE_ARGON2 +#include <argon2.h> + +/* + * For now, we hardcode the default values from the argon2 command line tool + * (as of argon2 release 20161029) + */ +#define SLAPD_ARGON2_ITERATIONS 3 +#define SLAPD_ARGON2_MEMORY (1 << 12) +#define SLAPD_ARGON2_PARALLELISM 1 +#define SLAPD_ARGON2_SALT_LENGTH 16 +#define SLAPD_ARGON2_HASH_LENGTH 32 + +#else /* !SLAPD_ARGON2_USE_ARGON2 */ +#include <sodium.h> + +/* + * Or libsodium interactive settings + */ +#define SLAPD_ARGON2_ITERATIONS crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE +#define SLAPD_ARGON2_MEMORY (crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE / 1024) +#define SLAPD_ARGON2_PARALLELISM 1 +#define SLAPD_ARGON2_SALT_LENGTH crypto_pwhash_argon2id_SALTBYTES +#define SLAPD_ARGON2_HASH_LENGTH 32 + +#endif + +static unsigned long iterations = SLAPD_ARGON2_ITERATIONS; +static unsigned long memory = SLAPD_ARGON2_MEMORY; +static unsigned long parallelism = SLAPD_ARGON2_PARALLELISM; + +const struct berval slapd_argon2_scheme = BER_BVC("{ARGON2}"); + +static int +slapd_argon2_hash( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + + /* + * Duplicate these values here so future code which allows + * configuration has an easier time. + */ + uint32_t salt_length, hash_length; + char *p; + int rc = LUTIL_PASSWD_ERR; + +#ifdef SLAPD_ARGON2_USE_ARGON2 + struct berval salt; + size_t encoded_length; + + salt_length = SLAPD_ARGON2_SALT_LENGTH; + hash_length = SLAPD_ARGON2_HASH_LENGTH; + + encoded_length = argon2_encodedlen( iterations, memory, parallelism, + salt_length, hash_length, Argon2_id ); + + salt.bv_len = salt_length; + salt.bv_val = ber_memalloc( salt.bv_len ); + + if ( salt.bv_val == NULL ) { + return LUTIL_PASSWD_ERR; + } + + if ( lutil_entropy( (unsigned char*)salt.bv_val, salt.bv_len ) ) { + ber_memfree( salt.bv_val ); + return LUTIL_PASSWD_ERR; + } + + p = hash->bv_val = ber_memalloc( scheme->bv_len + encoded_length ); + if ( p == NULL ) { + ber_memfree( salt.bv_val ); + return LUTIL_PASSWD_ERR; + } + + AC_MEMCPY( p, scheme->bv_val, scheme->bv_len ); + p += scheme->bv_len; + + /* + * Do the actual heavy lifting + */ + if ( argon2i_hash_encoded( iterations, memory, parallelism, + passwd->bv_val, passwd->bv_len, + salt.bv_val, salt_length, hash_length, + p, encoded_length ) == 0 ) { + rc = LUTIL_PASSWD_OK; + } + hash->bv_len = scheme->bv_len + encoded_length; + ber_memfree( salt.bv_val ); + +#else /* !SLAPD_ARGON2_USE_ARGON2 */ + /* Not exposed by libsodium + salt_length = SLAPD_ARGON2_SALT_LENGTH; + hash_length = SLAPD_ARGON2_HASH_LENGTH; + */ + + p = hash->bv_val = ber_memalloc( scheme->bv_len + crypto_pwhash_STRBYTES ); + if ( p == NULL ) { + return LUTIL_PASSWD_ERR; + } + + AC_MEMCPY( hash->bv_val, scheme->bv_val, scheme->bv_len ); + p += scheme->bv_len; + + if ( crypto_pwhash_str_alg( p, passwd->bv_val, passwd->bv_len, + iterations, memory * 1024, + crypto_pwhash_ALG_ARGON2ID13 ) == 0 ) { + hash->bv_len = strlen( hash->bv_val ); + rc = LUTIL_PASSWD_OK; + } +#endif + + if ( rc ) { + ber_memfree( hash->bv_val ); + return LUTIL_PASSWD_ERR; + } + + return LUTIL_PASSWD_OK; +} + +static int +slapd_argon2_verify( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text ) +{ + int rc = LUTIL_PASSWD_ERR; + +#ifdef SLAPD_ARGON2_USE_ARGON2 + if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) { + rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) { + rc = argon2d_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) { + rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } +#else /* !SLAPD_ARGON2_USE_ARGON2 */ + rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); +#endif + + if ( rc ) { + return LUTIL_PASSWD_ERR; + } + return LUTIL_PASSWD_OK; +} + +int init_module( int argc, char *argv[] ) +{ + int i; + +#ifndef SLAPD_ARGON2_USE_ARGON2 + if ( sodium_init() == -1 ) { + return -1; + } +#endif + + for ( i=0; i < argc; i++ ) { + char *p; + unsigned long value; + + switch ( *argv[i] ) { + case 'm': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + memory = value; + break; + + case 't': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + iterations = value; + break; + + case 'p': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + parallelism = value; + break; + + default: + return -1; + } + } + + return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme, + slapd_argon2_verify, slapd_argon2_hash ); +} diff --git a/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 new file mode 100644 index 0000000..23cc87a --- /dev/null +++ b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 @@ -0,0 +1,122 @@ +.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd-pw-argon2 \- Argon2 password module to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.RS +.LP +.B moduleload pw-argon2 +.RI [ <parameters> ] +.RE +.SH DESCRIPTION +.LP +The +.B pw-argon2 +module to +.BR slapd (8) +provides support for the use of the key derivation function Argon2, +that was selected as the winner of the Password Hashing Competition in July 2015, +in hashed passwords in OpenLDAP. +.LP +It does so by providing the additional password scheme +.B {ARGON2} +for use in slapd. + +.SH CONFIGURATION +The +.B pw-argon2 +module does not need any configuration, +but it can be configured by giving the following parameters: +.TP +.BI m= <memory> +Set memory usage to +.I <memory> +kiB. +.TP +.BI p= <parallelism> +Set parallelism to +.I <parallelism> +threads. +.TP +.BI t= <iterations> +Set the number of iterations to +.IR <iterations> . +.LP +These replace defaults when preparing hashes for new passwords where possible. +.LP +After loading the module, the password scheme +.B {ARGON2} +will be recognised in values of the +.I userPassword +attribute. +.LP +You can then instruct OpenLDAP to use this scheme when processing +the LDAPv3 Password Modify (RFC 3062) extended operations by using the +.BR password-hash +option in +.BR slapd.conf (5): +.RS +.LP +.B password\-hash {ARGON2} +.RE +.LP + +.SS NOTES +If you want to use the scheme described here with +.BR slappasswd (8), +remember to load the module using its command line options. +The relevant option/value is: +.RS +.LP +.B \-o +.BR module\-load = pw-argon2 +.LP +.RE +Depending on +.BR pw-argon2 's +location, you may also need: +.RS +.LP +.B \-o +.BR module\-path = \fIpathspec\fP +.RE + +.SH EXAMPLES +Both userPassword LDAP attributes below encode the password +.RI ' secret ' +using different salts: +.EX +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw +.EE + +.SH SEE ALSO +.BR slapd.conf (5), +.BR ldappasswd (1), +.BR slappasswd (8), +.BR ldap (3), +.LP +.UR http://www.OpenLDAP.org/doc/ +"OpenLDAP Administrator's Guide" +.UE +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been written by Peter Marschall based on the +module's README file written by +.MT simon@levermann.de +Simon Levermann +.ME . +.LP +.B OpenLDAP +is developed and maintained by +.UR http://www.openldap.org/ +The OpenLDAP Project +.UE . +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff --git a/contrib/slapd-modules/passwd/kerberos.c b/contrib/slapd-modules/passwd/kerberos.c new file mode 100644 index 0000000..eecf00a --- /dev/null +++ b/contrib/slapd-modules/passwd/kerberos.c @@ -0,0 +1,209 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <unistd.h> + +#include <lber.h> +#include <lber_pvt.h> /* BER_BVC definition */ +#include "lutil.h" +#include <ac/string.h> + +#ifdef HAVE_KRB5 +#include <krb5.h> +#elif defined(HAVE_KRB4) +#include <krb.h> +#endif + +/* From <ldap_pvt.h> */ +LDAP_F( char *) ldap_pvt_get_fqdn LDAP_P(( char * )); + +static LUTIL_PASSWD_CHK_FUNC chk_kerberos; +static const struct berval scheme = BER_BVC("{KERBEROS}"); + +static int chk_kerberos( + const struct berval *sc, + const struct berval * passwd, + const struct berval * cred, + const char **text ) +{ + unsigned int i; + int rtn; + + for( i=0; i<cred->bv_len; i++) { + if(cred->bv_val[i] == '\0') { + return LUTIL_PASSWD_ERR; /* NUL character in password */ + } + } + + if( cred->bv_val[i] != '\0' ) { + return LUTIL_PASSWD_ERR; /* cred must behave like a string */ + } + + for( i=0; i<passwd->bv_len; i++) { + if(passwd->bv_val[i] == '\0') { + return LUTIL_PASSWD_ERR; /* NUL character in password */ + } + } + + if( passwd->bv_val[i] != '\0' ) { + return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ + } + + rtn = LUTIL_PASSWD_ERR; + +#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */ + { +/* Portions: + * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + + krb5_context context; + krb5_error_code ret; + krb5_creds creds; + krb5_get_init_creds_opt get_options; + krb5_verify_init_creds_opt verify_options; + krb5_principal client, server; +#ifdef notdef + krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; +#endif + + ret = krb5_init_context( &context ); + if (ret) { + return LUTIL_PASSWD_ERR; + } + +#ifdef notdef + krb5_get_init_creds_opt_set_preauth_list(&get_options, + pre_auth_types, 1); +#endif + + krb5_get_init_creds_opt_init( &get_options ); + + krb5_verify_init_creds_opt_init( &verify_options ); + + ret = krb5_parse_name( context, passwd->bv_val, &client ); + + if (ret) { + krb5_free_context( context ); + return LUTIL_PASSWD_ERR; + } + + ret = krb5_get_init_creds_password( context, + &creds, client, cred->bv_val, NULL, + NULL, 0, NULL, &get_options ); + + if (ret) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return LUTIL_PASSWD_ERR; + } + + { + char *host = ldap_pvt_get_fqdn( NULL ); + + if( host == NULL ) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return LUTIL_PASSWD_ERR; + } + + ret = krb5_sname_to_principal( context, + host, "ldap", KRB5_NT_SRV_HST, &server ); + + ber_memfree( host ); + } + + if (ret) { + krb5_free_principal( context, client ); + krb5_free_context( context ); + return LUTIL_PASSWD_ERR; + } + + ret = krb5_verify_init_creds( context, + &creds, server, NULL, NULL, &verify_options ); + + krb5_free_principal( context, client ); + krb5_free_principal( context, server ); + krb5_free_cred_contents( context, &creds ); + krb5_free_context( context ); + + rtn = ret ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; + } +#elif defined(HAVE_KRB4) + { + /* Borrowed from Heimdal kpopper */ +/* Portions: + * Copyright (c) 1989 Regents of the University of California. + * All rights reserved. The Berkeley software License Agreement + * specifies the terms and conditions for redistribution. + */ + + int status; + char lrealm[REALM_SZ]; + char tkt[MAXHOSTNAMELEN]; + + status = krb_get_lrealm(lrealm,1); + if (status == KFAILURE) { + return LUTIL_PASSWD_ERR; + } + + snprintf(tkt, sizeof(tkt), "%s_slapd.%u", + TKT_ROOT, (unsigned)getpid()); + krb_set_tkt_string (tkt); + + status = krb_verify_user( passwd->bv_val, "", lrealm, + cred->bv_val, 1, "ldap"); + + dest_tkt(); /* no point in keeping the tickets */ + + return status == KFAILURE ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; + } +#endif + + return rtn; +} + +int init_module(int argc, char *argv[]) { + return lutil_passwd_add( (struct berval *)&scheme, chk_kerberos, NULL ); +} diff --git a/contrib/slapd-modules/passwd/netscape.c b/contrib/slapd-modules/passwd/netscape.c new file mode 100644 index 0000000..0551fe6 --- /dev/null +++ b/contrib/slapd-modules/passwd/netscape.c @@ -0,0 +1,81 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <unistd.h> + +#include <lber.h> +#include <lber_pvt.h> +#include "lutil.h" +#include "lutil_md5.h" +#include <ac/string.h> + +static LUTIL_PASSWD_CHK_FUNC chk_ns_mta_md5; +static const struct berval scheme = BER_BVC("{NS-MTA-MD5}"); + +#define NS_MTA_MD5_PASSLEN 64 +static int chk_ns_mta_md5( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text ) +{ + lutil_MD5_CTX MD5context; + unsigned char MD5digest[LUTIL_MD5_BYTES], c; + char buffer[LUTIL_MD5_BYTES*2]; + int i; + + if( passwd->bv_len != NS_MTA_MD5_PASSLEN ) { + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + lutil_MD5Init(&MD5context); + lutil_MD5Update(&MD5context, + (const unsigned char *) &passwd->bv_val[32], + 32 ); + + c = 0x59; + lutil_MD5Update(&MD5context, + (const unsigned char *) &c, + 1 ); + + lutil_MD5Update(&MD5context, + (const unsigned char *) cred->bv_val, + cred->bv_len ); + + c = 0xF7; + lutil_MD5Update(&MD5context, + (const unsigned char *) &c, + 1 ); + + lutil_MD5Update(&MD5context, + (const unsigned char *) &passwd->bv_val[32], + 32 ); + + lutil_MD5Final(MD5digest, &MD5context); + + for( i=0; i < sizeof( MD5digest ); i++ ) { + buffer[i+i] = "0123456789abcdef"[(MD5digest[i]>>4) & 0x0F]; + buffer[i+i+1] = "0123456789abcdef"[ MD5digest[i] & 0x0F]; + } + + /* compare */ + return memcmp((char *)passwd->bv_val, + (char *)buffer, sizeof(buffer)) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +int init_module(int argc, char *argv[]) { + return lutil_passwd_add( (struct berval *)&scheme, chk_ns_mta_md5, NULL ); +} diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile new file mode 100644 index 0000000..5234629 --- /dev/null +++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../../.. +LDAP_BUILD = ../../../.. +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +#DEFS = -DSLAPD_PBKDF2_DEBUG + +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) -lcrypto + +PROGRAMS = pw-pbkdf2.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pw-pbkdf2.la: pw-pbkdf2.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done diff --git a/contrib/slapd-modules/passwd/pbkdf2/README b/contrib/slapd-modules/passwd/pbkdf2/README new file mode 100644 index 0000000..2f9a635 --- /dev/null +++ b/contrib/slapd-modules/passwd/pbkdf2/README @@ -0,0 +1,99 @@ +PBKDF2 for OpenLDAP +======================= + +pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP. + +Schemes: + + * {PBKDF2} - alias to {PBKDF2-SHA1} + * {PBKDF2-SHA1} + * {PBKDF2-SHA256} + * {PBKDF2-SHA512} + +# Requirements + + * OpenSSL 1.0.0 or later + +# Installations + +First, You need to configure and build OpenLDAP. + + $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/ + $ git clone https://github.com/hamano/openldap-pbkdf2.git + $ cd openldap-pbkdf2/ + $ make + # make install + +# Configration + +In slapd.conf: + + moduleload pw-pbkdf2.so + +You can also tell OpenLDAP to use the schemes when processing LDAP +Password Modify Extended Operations, thanks to the password-hash +option in slapd.conf. For example: + + password-hash {PBKDF2} +or + password-hash {PBKDF2-SHA256} +or + password-hash {PBKDF2-SHA512} + +# Testing + +You can get hash to use slappasswd. + + $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret + {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw + +A quick way to test whether it's working is to customize the rootdn and +rootpw in slapd.conf, eg: + + rootdn "cn=Manager,dc=example,dc=com" + rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw + +Then to test, run something like: + + $ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret + +# Debugging +You can specify -DSLAPD_PBKDF2_DEBUG flag for debugging. + +# Message Format + + {PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK> + +# References + +* [RFC 2898 Password-Based Cryptography][^1] +[^1]: http://tools.ietf.org/html/rfc2898 + +* [PKCS #5 PBKDF2 Test Vectors][^2] +[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06 + +* [RFC 2307 Using LDAP as a Network Information Service][^3] +[^3]: http://tools.ietf.org/html/rfc2307 + +* [Python Passlib][^4] +[^4]: http://pythonhosted.org/passlib/ + +* [Adapted Base64 Encoding][^5] +[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode + +# License +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2009-2021 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + +# ACKNOWLEDGEMENT +This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp> diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c new file mode 100644 index 0000000..a931179 --- /dev/null +++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c @@ -0,0 +1,451 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2009-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENT: + * This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp> + */ + +#define _GNU_SOURCE + +#include "portable.h" +#include <ac/string.h> +#include "lber_pvt.h" +#include "lutil.h" +#include <stdio.h> +#include <stdlib.h> + +#ifdef HAVE_OPENSSL +#include <openssl/evp.h> +#elif HAVE_GNUTLS +#include <nettle/pbkdf2.h> +#include <nettle/hmac.h> +typedef void (*pbkdf2_hmac_update)(void *, unsigned, const uint8_t *); +typedef void (*pbkdf2_hmac_digest)(void *, unsigned, uint8_t *); +#else +#error Unsupported crypto backend. +#endif + +#define PBKDF2_ITERATION 10000 +#define PBKDF2_SALT_SIZE 16 +#define PBKDF2_SHA1_DK_SIZE 20 +#define PBKDF2_SHA256_DK_SIZE 32 +#define PBKDF2_SHA512_DK_SIZE 64 +#define PBKDF2_MAX_DK_SIZE 64 + +const struct berval pbkdf2_scheme = BER_BVC("{PBKDF2}"); +const struct berval pbkdf2_sha1_scheme = BER_BVC("{PBKDF2-SHA1}"); +const struct berval pbkdf2_sha256_scheme = BER_BVC("{PBKDF2-SHA256}"); +const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}"); + +/* + * Converting base64 string to adapted base64 string. + * Adapted base64 encode is identical to general base64 encode except + * that it uses '.' instead of '+', and omits trailing padding '=' and + * whitepsace. + * see http://pythonhosted.org/passlib/lib/passlib.utils.html + * This is destructive function. + */ +static int b64_to_ab64(char *str) +{ + char *p = str; + do { + if(*p == '+'){ + *p = '.'; + } + if(*p == '='){ + *p = '\0'; + } + } while(*p++); + return 0; +} + +/* + * Converting adapted base64 string to base64 string. + * dstsize will require src length + 2, due to output string have + * potential to append "=" or "==". + * return -1 if few output buffer. + */ +static int ab64_to_b64(char *src, char *dst, size_t dstsize){ + int i; + char *p = src; + for(i=0; p[i] && p[i] != '$'; i++){ + if(i >= dstsize){ + dst[0] = '\0'; + return -1; + } + if(p[i] == '.'){ + dst[i] = '+'; + }else{ + dst[i] = p[i]; + } + } + for(;i%4;i++){ + if(i >= dstsize){ + dst[0] = '\0'; + return -1; + } + dst[i] = '='; + } + dst[i] = '\0'; + return 0; +} + +static int pbkdf2_format( + const struct berval *sc, + int iteration, + const struct berval *salt, + const struct berval *dk, + struct berval *msg) +{ + + int rc, msg_len; + char salt_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_SALT_SIZE) + 1]; + char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1]; + + rc = lutil_b64_ntop((unsigned char *)salt->bv_val, salt->bv_len, + salt_b64, sizeof(salt_b64)); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + b64_to_ab64(salt_b64); + rc = lutil_b64_ntop((unsigned char *)dk->bv_val, dk->bv_len, + dk_b64, sizeof(dk_b64)); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + b64_to_ab64(dk_b64); + msg_len = asprintf(&msg->bv_val, "%s%d$%s$%s", + sc->bv_val, iteration, + salt_b64, dk_b64); + if(msg_len < 0){ + msg->bv_len = 0; + return LUTIL_PASSWD_ERR; + } + + msg->bv_len = msg_len; + return LUTIL_PASSWD_OK; +} + +static int pbkdf2_encrypt( + const struct berval *scheme, + const struct berval *passwd, + struct berval *msg, + const char **text) +{ + unsigned char salt_value[PBKDF2_SALT_SIZE]; + struct berval salt; + unsigned char dk_value[PBKDF2_MAX_DK_SIZE]; + struct berval dk; + int iteration = PBKDF2_ITERATION; + int rc; +#ifdef HAVE_OPENSSL + const EVP_MD *md; +#elif HAVE_GNUTLS + struct hmac_sha1_ctx sha1_ctx; + struct hmac_sha256_ctx sha256_ctx; + struct hmac_sha512_ctx sha512_ctx; + void * current_ctx = NULL; + pbkdf2_hmac_update current_hmac_update = NULL; + pbkdf2_hmac_digest current_hmac_digest = NULL; +#endif + + salt.bv_val = (char *)salt_value; + salt.bv_len = sizeof(salt_value); + dk.bv_val = (char *)dk_value; + +#ifdef HAVE_OPENSSL + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk.bv_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){ + dk.bv_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ + dk.bv_len = PBKDF2_SHA256_DK_SIZE; + md = EVP_sha256(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ + dk.bv_len = PBKDF2_SHA512_DK_SIZE; + md = EVP_sha512(); + }else{ + return LUTIL_PASSWD_ERR; + } +#elif HAVE_GNUTLS + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk.bv_len = PBKDF2_SHA1_DK_SIZE; + current_ctx = &sha1_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; + hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){ + dk.bv_len = PBKDF2_SHA1_DK_SIZE; + current_ctx = &sha1_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; + hmac_sha1_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ + dk.bv_len = PBKDF2_SHA256_DK_SIZE; + current_ctx = &sha256_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest; + hmac_sha256_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ + dk.bv_len = PBKDF2_SHA512_DK_SIZE; + current_ctx = &sha512_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha512_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest; + hmac_sha512_set_key(current_ctx, passwd->bv_len, (const uint8_t *) passwd->bv_val); + }else{ + return LUTIL_PASSWD_ERR; + } +#endif + + if(lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0){ + return LUTIL_PASSWD_ERR; + } + +#ifdef HAVE_OPENSSL + if(!PKCS5_PBKDF2_HMAC(passwd->bv_val, passwd->bv_len, + (unsigned char *)salt.bv_val, salt.bv_len, + iteration, md, dk.bv_len, dk_value)){ + return LUTIL_PASSWD_ERR; + } +#elif HAVE_GNUTLS + PBKDF2(current_ctx, current_hmac_update, current_hmac_digest, + dk.bv_len, iteration, + salt.bv_len, (const uint8_t *) salt.bv_val, + dk.bv_len, dk_value); +#endif + +#ifdef SLAPD_PBKDF2_DEBUG + printf("Encrypt for %s\n", scheme->bv_val); + printf(" Password:\t%s\n", passwd->bv_val); + + printf(" Salt:\t\t"); + int i; + for(i=0; i<salt.bv_len; i++){ + printf("%02x", salt_value[i]); + } + printf("\n"); + printf(" Iteration:\t%d\n", iteration); + + printf(" DK:\t\t"); + for(i=0; i<dk.bv_len; i++){ + printf("%02x", dk_value[i]); + } + printf("\n"); +#endif + + rc = pbkdf2_format(scheme, iteration, &salt, &dk, msg); + +#ifdef SLAPD_PBKDF2_DEBUG + printf(" Output:\t%s\n", msg->bv_val); +#endif + + return rc; +} + +static int pbkdf2_check( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char **text) +{ + int rc; + int iteration; + + /* salt_value require PBKDF2_SALT_SIZE + 1 in lutil_b64_pton. */ + unsigned char salt_value[PBKDF2_SALT_SIZE + 1]; + char salt_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_SALT_SIZE) + 1]; + /* dk_value require PBKDF2_MAX_DK_SIZE + 1 in lutil_b64_pton. */ + unsigned char dk_value[PBKDF2_MAX_DK_SIZE + 1]; + char dk_b64[LUTIL_BASE64_ENCODE_LEN(PBKDF2_MAX_DK_SIZE) + 1]; + unsigned char input_dk_value[PBKDF2_MAX_DK_SIZE]; + size_t dk_len; +#ifdef HAVE_OPENSSL + const EVP_MD *md; +#elif HAVE_GNUTLS + struct hmac_sha1_ctx sha1_ctx; + struct hmac_sha256_ctx sha256_ctx; + struct hmac_sha512_ctx sha512_ctx; + void * current_ctx = NULL; + pbkdf2_hmac_update current_hmac_update = NULL; + pbkdf2_hmac_digest current_hmac_digest = NULL; +#endif + +#ifdef SLAPD_PBKDF2_DEBUG + printf("Checking for %s\n", scheme->bv_val); + printf(" Stored Value:\t%s\n", passwd->bv_val); + printf(" Input Cred:\t%s\n", cred->bv_val); +#endif + +#ifdef HAVE_OPENSSL + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){ + dk_len = PBKDF2_SHA1_DK_SIZE; + md = EVP_sha1(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ + dk_len = PBKDF2_SHA256_DK_SIZE; + md = EVP_sha256(); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ + dk_len = PBKDF2_SHA512_DK_SIZE; + md = EVP_sha512(); + }else{ + return LUTIL_PASSWD_ERR; + } +#elif HAVE_GNUTLS + if(!ber_bvcmp(scheme, &pbkdf2_scheme)){ + dk_len = PBKDF2_SHA1_DK_SIZE; + current_ctx = &sha1_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; + hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha1_scheme)){ + dk_len = PBKDF2_SHA1_DK_SIZE; + current_ctx = &sha1_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha1_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha1_digest; + hmac_sha1_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha256_scheme)){ + dk_len = PBKDF2_SHA256_DK_SIZE; + current_ctx = &sha256_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha256_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha256_digest; + hmac_sha256_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); + }else if(!ber_bvcmp(scheme, &pbkdf2_sha512_scheme)){ + dk_len = PBKDF2_SHA512_DK_SIZE; + current_ctx = &sha512_ctx; + current_hmac_update = (pbkdf2_hmac_update) &hmac_sha512_update; + current_hmac_digest = (pbkdf2_hmac_digest) &hmac_sha512_digest; + hmac_sha512_set_key(current_ctx, cred->bv_len, (const uint8_t *) cred->bv_val); + }else{ + return LUTIL_PASSWD_ERR; + } +#endif + + iteration = atoi(passwd->bv_val); + if(iteration < 1){ + return LUTIL_PASSWD_ERR; + } + + char *ptr; + ptr = strchr(passwd->bv_val, '$'); + if(!ptr){ + return LUTIL_PASSWD_ERR; + } + ptr++; /* skip '$' */ + rc = ab64_to_b64(ptr, salt_b64, sizeof(salt_b64)); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + + ptr = strchr(ptr, '$'); + if(!ptr){ + return LUTIL_PASSWD_ERR; + } + ptr++; /* skip '$' */ + rc = ab64_to_b64(ptr, dk_b64, sizeof(dk_b64)); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + + /* The targetsize require PBKDF2_SALT_SIZE + 1 in lutil_b64_pton. */ + rc = lutil_b64_pton(salt_b64, salt_value, PBKDF2_SALT_SIZE + 1); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + + /* consistency check */ + if(rc != PBKDF2_SALT_SIZE){ + return LUTIL_PASSWD_ERR; + } + + /* The targetsize require PBKDF2_MAX_DK_SIZE + 1 in lutil_b64_pton. */ + rc = lutil_b64_pton(dk_b64, dk_value, sizeof(dk_value)); + if(rc < 0){ + return LUTIL_PASSWD_ERR; + } + + /* consistency check */ + if(rc != dk_len){ + return LUTIL_PASSWD_ERR; + } + +#ifdef HAVE_OPENSSL + if(!PKCS5_PBKDF2_HMAC(cred->bv_val, cred->bv_len, + salt_value, PBKDF2_SALT_SIZE, + iteration, md, dk_len, input_dk_value)){ + return LUTIL_PASSWD_ERR; + } +#elif HAVE_GNUTLS + PBKDF2(current_ctx, current_hmac_update, current_hmac_digest, + dk_len, iteration, + PBKDF2_SALT_SIZE, salt_value, + dk_len, input_dk_value); +#endif + + rc = memcmp(dk_value, input_dk_value, dk_len); +#ifdef SLAPD_PBKDF2_DEBUG + printf(" Iteration:\t%d\n", iteration); + printf(" Base64 Salt:\t%s\n", salt_b64); + printf(" Base64 DK:\t%s\n", dk_b64); + int i; + printf(" Stored Salt:\t"); + for(i=0; i<PBKDF2_SALT_SIZE; i++){ + printf("%02x", salt_value[i]); + } + printf("\n"); + + printf(" Stored DK:\t"); + for(i=0; i<dk_len; i++){ + printf("%02x", dk_value[i]); + } + printf("\n"); + + printf(" Input DK:\t"); + for(i=0; i<dk_len; i++){ + printf("%02x", input_dk_value[i]); + } + printf("\n"); + printf(" Result:\t%d\n", rc); +#endif + return rc?LUTIL_PASSWD_ERR:LUTIL_PASSWD_OK; +} + +int init_module(int argc, char *argv[]) { + int rc; + rc = lutil_passwd_add((struct berval *)&pbkdf2_scheme, + pbkdf2_check, pbkdf2_encrypt); + if(rc) return rc; + rc = lutil_passwd_add((struct berval *)&pbkdf2_sha1_scheme, + pbkdf2_check, pbkdf2_encrypt); + if(rc) return rc; + + rc = lutil_passwd_add((struct berval *)&pbkdf2_sha256_scheme, + pbkdf2_check, pbkdf2_encrypt); + if(rc) return rc; + + rc = lutil_passwd_add((struct berval *)&pbkdf2_sha512_scheme, + pbkdf2_check, pbkdf2_encrypt); + return rc; +} + +/* + * Local variables: + * indent-tabs-mode: t + * tab-width: 4 + * c-basic-offset: 4 + * End: + */ diff --git a/contrib/slapd-modules/passwd/radius.c b/contrib/slapd-modules/passwd/radius.c new file mode 100644 index 0000000..af8a8ef --- /dev/null +++ b/contrib/slapd-modules/passwd/radius.c @@ -0,0 +1,149 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "portable.h" + +#include <stdio.h> + +#include <lber.h> +#include <lber_pvt.h> /* BER_BVC definition */ +#include "lutil.h" +#include <ldap_pvt_thread.h> +#include <ac/string.h> +#include <ac/unistd.h> + +#include <radlib.h> + +extern char *global_host; /* from slapd */ +static LUTIL_PASSWD_CHK_FUNC chk_radius; +static const struct berval scheme = BER_BVC("{RADIUS}"); +static char *config_filename; +static ldap_pvt_thread_mutex_t libradius_mutex; + +static int +chk_radius( + const struct berval *sc, + const struct berval *passwd, + const struct berval *cred, + const char **text ) +{ + unsigned int i; + int rc = LUTIL_PASSWD_ERR; + + struct rad_handle *h = NULL; + + for ( i = 0; i < cred->bv_len; i++ ) { + if ( cred->bv_val[ i ] == '\0' ) { + return LUTIL_PASSWD_ERR; /* NUL character in cred */ + } + } + + if ( cred->bv_val[ i ] != '\0' ) { + return LUTIL_PASSWD_ERR; /* cred must behave like a string */ + } + + for ( i = 0; i < passwd->bv_len; i++ ) { + if ( passwd->bv_val[ i ] == '\0' ) { + return LUTIL_PASSWD_ERR; /* NUL character in password */ + } + } + + if ( passwd->bv_val[ i ] != '\0' ) { + return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ + } + + ldap_pvt_thread_mutex_lock( &libradius_mutex ); + + h = rad_auth_open(); + if ( h == NULL ) { + ldap_pvt_thread_mutex_unlock( &libradius_mutex ); + return LUTIL_PASSWD_ERR; + } + + if ( rad_config( h, config_filename ) != 0 ) { + goto done; + } + + if ( rad_create_request( h, RAD_ACCESS_REQUEST ) ) { + goto done; + } + + if ( rad_put_string( h, RAD_USER_NAME, passwd->bv_val ) != 0 ) { + goto done; + } + + if ( rad_put_string( h, RAD_USER_PASSWORD, cred->bv_val ) != 0 ) { + goto done; + } + + if ( rad_put_string( h, RAD_NAS_IDENTIFIER, global_host ) != 0 ) { + goto done; + } + + switch ( rad_send_request( h ) ) { + case RAD_ACCESS_ACCEPT: + rc = LUTIL_PASSWD_OK; + break; + + case RAD_ACCESS_REJECT: + rc = LUTIL_PASSWD_ERR; + break; + + case RAD_ACCESS_CHALLENGE: + rc = LUTIL_PASSWD_ERR; + break; + + case -1: + /* no valid response is received */ + break; + } + +done:; + rad_close( h ); + + ldap_pvt_thread_mutex_unlock( &libradius_mutex ); + return rc; +} + +int +term_module() +{ + return ldap_pvt_thread_mutex_destroy( &libradius_mutex ); +} + +int +init_module( int argc, char *argv[] ) +{ + int i; + + for ( i = 0; i < argc; i++ ) { + if ( strncasecmp( argv[ i ], "config=", STRLENOF( "config=" ) ) == 0 ) { + /* FIXME: what if multiple loads of same module? + * does it make sense (e.g. override an existing one)? */ + if ( config_filename == NULL ) { + config_filename = ber_strdup( &argv[ i ][ STRLENOF( "config=" ) ] ); + } + + } else { + fprintf( stderr, "init_module(radius): unknown arg#%d=\"%s\".\n", + i, argv[ i ] ); + return 1; + } + } + + ldap_pvt_thread_mutex_init( &libradius_mutex ); + + return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL ); +} diff --git a/contrib/slapd-modules/passwd/sha2/Makefile b/contrib/slapd-modules/passwd/sha2/Makefile new file mode 100644 index 0000000..0abab68 --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/Makefile @@ -0,0 +1,47 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +#DEFS = -DSLAPD_SHA2_DEBUG +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = pw-sha2.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pw-sha2.la: slapd-sha2.lo sha2.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/passwd/sha2/README b/contrib/slapd-modules/passwd/sha2/README new file mode 100644 index 0000000..10a2537 --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/README @@ -0,0 +1,144 @@ +SHA-2 OpenLDAP support +---------------------- + +slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256, +SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For +instance, one could have the LDAP attribute: + +userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== + +or: + +userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt + +or: + +userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + +all of which encode the password 'secret'. + + +Building +-------- + +1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP +source root. + +For initial testing you might also want to edit DEFS to define +SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on +in production, as it prints passwords in cleartext). + +2) Run 'make' to produce slapd-sha2.so + +3) Copy slapd-sha2.so somewhere permanent. + +4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: + +moduleload ...path/to/slapd-sha2.so + +5) Restart slapd. + + +Configuring +----------- + +The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512} +password schemes should now be recognised. + +You can also tell OpenLDAP to use one of these new schemes when processing LDAP +Password Modify Extended Operations, thanks to the password-hash option in +slapd.conf. For example: + +password-hash {SSHA512} + + +Testing +------- + +A quick way to test whether it's working is to customize the rootdn and +rootpw in slapd.conf, eg: + +rootdn "cn=admin,dc=example,dc=com" +# This encrypts the string 'secret' + +rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + +Then to test, run something like: + +ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret + + +-- Test hashes: + +Test hashes can be generated with openssl: + +$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 +K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= +$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64 +WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt +$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 +vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm +W192CF5bDufKRpayrW/isg== + +(join those lines up to form the full hash) + + + +Alternatively we could modify an existing user's password with +ldappasswd, and then test binding as that user: + +$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com +New password: secret +Re-enter new password: secret +Enter LDAP Password: <cn=admin's password> + +$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret + + +Debugging (SHA-512, SHA-384 and SHA-256 only) +--------------------------------------------- + +To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the +commented-out DEFS in Makefile), and then run slapd from the console +to see stderr: + +$ sudo /etc/init.d/slapd stop +Stopping OpenLDAP: slapd. +$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats +@(#) $OpenLDAP$ + buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd +slapd starting +... +Validating password + Hash scheme: {SHA256} + Password to validate: secret + Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Result: match +conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 +conn=0 op=0 RESULT tag=97 err=0 text= +conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" +conn=0 fd=12 closed (connection lost) + +--- + +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2009-2021 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + +--- + +ACKNOWLEDGEMENT: +This work was initially developed by Jeff Turner for inclusion in +OpenLDAP Software, based upon the SHA-2 implementation independently +developed by Aaron Gifford. + diff --git a/contrib/slapd-modules/passwd/sha2/sha2.c b/contrib/slapd-modules/passwd/sha2/sha2.c new file mode 100644 index 0000000..808da10 --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/sha2.c @@ -0,0 +1,1070 @@ +/* $OpenLDAP$ */ +/* + * FILE: sha2.c + * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/ + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ + */ + +#include <string.h> /* memcpy()/memset() or bcopy()/bzero() */ +#include <assert.h> /* assert() */ +#include "sha2.h" + +/* + * ASSERT NOTE: + * Some sanity checking code is included using assert(). On my FreeBSD + * system, this additional code can be removed by compiling with NDEBUG + * defined. Check your own systems manpage on assert() to see how to + * compile WITHOUT the sanity checking code on your system. + * + * UNROLLED TRANSFORM LOOP NOTE: + * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform + * loop version for the hash transform rounds (defined using macros + * later in this file). Either define on the command line, for example: + * + * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c + * + * or define below: + * + * #define SHA2_UNROLL_TRANSFORM + * + */ + + +/*** SHA-256/384/512 Machine Architecture Definitions *****************/ +/* + * BYTE_ORDER NOTE: + * + * Please make sure that your system defines BYTE_ORDER. If your + * architecture is little-endian, make sure it also defines + * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are + * equivilent. + * + * If your system does not define the above, then you can do so by + * hand like this: + * + * #define LITTLE_ENDIAN 1234 + * #define BIG_ENDIAN 4321 + * + * And for little-endian machines, add: + * + * #define BYTE_ORDER LITTLE_ENDIAN + * + * Or for big-endian machines: + * + * #define BYTE_ORDER BIG_ENDIAN + * + * The FreeBSD machine this was written on defines BYTE_ORDER + * appropriately by including <sys/types.h> (which in turn includes + * <machine/endian.h> where the appropriate definitions are actually + * made). + */ +#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) +#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN +#endif + +/* + * Define the followingsha2_* types to types of the correct length on + * the native archtecture. Most BSD systems and Linux define u_intXX_t + * types. Machines with very recent ANSI C headers, can use the + * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H + * during compile or in the sha.h header file. + * + * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t + * will need to define these three typedefs below (and the appropriate + * ones in sha.h too) by hand according to their system architecture. + * + * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t + * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. + */ +#ifdef SHA2_USE_INTTYPES_H + +typedef uint8_t sha2_byte; /* Exactly 1 byte */ +typedef uint32_t sha2_word32; /* Exactly 4 bytes */ +typedef uint64_t sha2_word64; /* Exactly 8 bytes */ + +#else /* SHA2_USE_INTTYPES_H */ + +typedef u_int8_t sha2_byte; /* Exactly 1 byte */ +typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ +typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ + +#endif /* SHA2_USE_INTTYPES_H */ + + +/*** SHA-256/384/512 Various Length Definitions ***********************/ +/* NOTE: Most of these are in sha2.h */ +#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) +#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) +#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) + + +/*** ENDIAN REVERSAL MACROS *******************************************/ +#if BYTE_ORDER == LITTLE_ENDIAN +#define REVERSE32(w,x) { \ + sha2_word32 tmp = (w); \ + tmp = (tmp >> 16) | (tmp << 16); \ + (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ +} +#define REVERSE64(w,x) { \ + sha2_word64 tmp = (w); \ + tmp = (tmp >> 32) | (tmp << 32); \ + tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ + ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ + (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ + ((tmp & 0x0000ffff0000ffffULL) << 16); \ +} +#endif /* BYTE_ORDER == LITTLE_ENDIAN */ + +/* + * Macro for incrementally adding the unsigned 64-bit integer n to the + * unsigned 128-bit integer (represented using a two-element array of + * 64-bit words): + */ +#define ADDINC128(w,n) { \ + (w)[0] += (sha2_word64)(n); \ + if ((w)[0] < (n)) { \ + (w)[1]++; \ + } \ +} + +/* + * Macros for copying blocks of memory and for zeroing out ranges + * of memory. Using these macros makes it easy to switch from + * using memset()/memcpy() and using bzero()/bcopy(). + * + * Please define either SHA2_USE_MEMSET_MEMCPY or define + * SHA2_USE_BZERO_BCOPY depending on which function set you + * choose to use: + */ +#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY) +/* Default to memset()/memcpy() if no option is specified */ +#define SHA2_USE_MEMSET_MEMCPY 1 +#endif +#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY) +/* Abort with an error if BOTH options are defined */ +#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both! +#endif + +#ifdef SHA2_USE_MEMSET_MEMCPY +#define MEMSET_BZERO(p,l) memset((p), 0, (l)) +#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) +#endif +#ifdef SHA2_USE_BZERO_BCOPY +#define MEMSET_BZERO(p,l) bzero((p), (l)) +#define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l)) +#endif + + +/*** THE SIX LOGICAL FUNCTIONS ****************************************/ +/* + * Bit shifting and rotation (used by the six SHA-XYZ logical functions: + * + * NOTE: The naming of R and S appears backwards here (R is a SHIFT and + * S is a ROTATION) because the SHA-256/384/512 description document + * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this + * same "backwards" definition. + */ +/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ +#define R(b,x) ((x) >> (b)) +/* 32-bit Rotate-right (used in SHA-256): */ +#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) +/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ +#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) + +/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +/* Four of six logical functions used in SHA-256: */ +#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) +#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) +#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) +#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) + +/* Four of six logical functions used in SHA-384 and SHA-512: */ +#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) +#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) +#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) +#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) + +/*** INTERNAL FUNCTION PROTOTYPES *************************************/ +/* NOTE: These should not be accessed directly from outside this + * library -- they are intended for private internal visibility/use + * only. + */ +static void SHA512_Last(SHA512_CTX*); +static void SHA256_Transform(SHA256_CTX*, const sha2_word32*); +static void SHA512_Transform(SHA512_CTX*, const sha2_word64*); + + +/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ +/* Hash constant words K for SHA-256: */ +const static sha2_word32 K256[64] = { + 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, + 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, + 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, + 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, + 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, + 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, + 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, + 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, + 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, + 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, + 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, + 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, + 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, + 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, + 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, + 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL +}; + +/* Initial hash value H for SHA-256: */ +const static sha2_word32 sha256_initial_hash_value[8] = { + 0x6a09e667UL, + 0xbb67ae85UL, + 0x3c6ef372UL, + 0xa54ff53aUL, + 0x510e527fUL, + 0x9b05688cUL, + 0x1f83d9abUL, + 0x5be0cd19UL +}; + +/* Hash constant words K for SHA-384 and SHA-512: */ +const static sha2_word64 K512[80] = { + 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, + 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, + 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, + 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, + 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, + 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, + 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, + 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, + 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, + 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, + 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, + 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, + 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, + 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, + 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, + 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, + 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, + 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, + 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, + 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, + 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, + 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, + 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, + 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, + 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, + 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, + 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, + 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, + 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, + 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, + 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, + 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, + 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, + 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, + 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, + 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, + 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, + 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, + 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, + 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL +}; + +/* Initial hash value H for SHA-384 */ +const static sha2_word64 sha384_initial_hash_value[8] = { + 0xcbbb9d5dc1059ed8ULL, + 0x629a292a367cd507ULL, + 0x9159015a3070dd17ULL, + 0x152fecd8f70e5939ULL, + 0x67332667ffc00b31ULL, + 0x8eb44a8768581511ULL, + 0xdb0c2e0d64f98fa7ULL, + 0x47b5481dbefa4fa4ULL +}; + +/* Initial hash value H for SHA-512 */ +const static sha2_word64 sha512_initial_hash_value[8] = { + 0x6a09e667f3bcc908ULL, + 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, + 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, + 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, + 0x5be0cd19137e2179ULL +}; + +/* + * Constant used by SHA256/384/512_End() functions for converting the + * digest to a readable hexadecimal character string: + */ +static const char *sha2_hex_digits = "0123456789abcdef"; + + +/*** SHA-256: *********************************************************/ +void SHA256_Init(SHA256_CTX* context) { + if (context == (SHA256_CTX*)0) { + return; + } + MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); + MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH); + context->bitcount = 0; +} + +#ifdef SHA2_UNROLL_TRANSFORM + +/* Unrolled SHA-256 round macros: */ + +#if BYTE_ORDER == LITTLE_ENDIAN + +#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ + REVERSE32(*data++, W256[j]); \ + T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ + K256[j] + W256[j]; \ + (d) += T1; \ + (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ + j++ + + +#else /* BYTE_ORDER == LITTLE_ENDIAN */ + +#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ + T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ + K256[j] + (W256[j] = *data++); \ + (d) += T1; \ + (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ + j++ + +#endif /* BYTE_ORDER == LITTLE_ENDIAN */ + +#define ROUND256(a,b,c,d,e,f,g,h) \ + s0 = W256[(j+1)&0x0f]; \ + s0 = sigma0_256(s0); \ + s1 = W256[(j+14)&0x0f]; \ + s1 = sigma1_256(s1); \ + T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ + (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ + (d) += T1; \ + (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ + j++ + +void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { + sha2_word32 a, b, c, d, e, f, g, h, s0, s1; + sha2_word32 T1, *W256; + int j; + + W256 = (sha2_word32*)context->buffer; + + /* Initialize registers with the prev. intermediate value */ + a = context->state[0]; + b = context->state[1]; + c = context->state[2]; + d = context->state[3]; + e = context->state[4]; + f = context->state[5]; + g = context->state[6]; + h = context->state[7]; + + j = 0; + do { + /* Rounds 0 to 15 (unrolled): */ + ROUND256_0_TO_15(a,b,c,d,e,f,g,h); + ROUND256_0_TO_15(h,a,b,c,d,e,f,g); + ROUND256_0_TO_15(g,h,a,b,c,d,e,f); + ROUND256_0_TO_15(f,g,h,a,b,c,d,e); + ROUND256_0_TO_15(e,f,g,h,a,b,c,d); + ROUND256_0_TO_15(d,e,f,g,h,a,b,c); + ROUND256_0_TO_15(c,d,e,f,g,h,a,b); + ROUND256_0_TO_15(b,c,d,e,f,g,h,a); + } while (j < 16); + + /* Now for the remaining rounds to 64: */ + do { + ROUND256(a,b,c,d,e,f,g,h); + ROUND256(h,a,b,c,d,e,f,g); + ROUND256(g,h,a,b,c,d,e,f); + ROUND256(f,g,h,a,b,c,d,e); + ROUND256(e,f,g,h,a,b,c,d); + ROUND256(d,e,f,g,h,a,b,c); + ROUND256(c,d,e,f,g,h,a,b); + ROUND256(b,c,d,e,f,g,h,a); + } while (j < 64); + + /* Compute the current intermediate hash value */ + context->state[0] += a; + context->state[1] += b; + context->state[2] += c; + context->state[3] += d; + context->state[4] += e; + context->state[5] += f; + context->state[6] += g; + context->state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = 0; +} + +#else /* SHA2_UNROLL_TRANSFORM */ + +void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { + sha2_word32 a, b, c, d, e, f, g, h, s0, s1; + sha2_word32 T1, T2, *W256; + int j; + + W256 = (sha2_word32*)context->buffer; + + /* Initialize registers with the prev. intermediate value */ + a = context->state[0]; + b = context->state[1]; + c = context->state[2]; + d = context->state[3]; + e = context->state[4]; + f = context->state[5]; + g = context->state[6]; + h = context->state[7]; + + j = 0; + do { +#if BYTE_ORDER == LITTLE_ENDIAN + /* Copy data while converting to host byte order */ + REVERSE32(*data++,W256[j]); + /* Apply the SHA-256 compression function to update a..h */ + T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; +#else /* BYTE_ORDER == LITTLE_ENDIAN */ + /* Apply the SHA-256 compression function to update a..h with copy */ + T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); +#endif /* BYTE_ORDER == LITTLE_ENDIAN */ + T2 = Sigma0_256(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 16); + + do { + /* Part of the message block expansion: */ + s0 = W256[(j+1)&0x0f]; + s0 = sigma0_256(s0); + s1 = W256[(j+14)&0x0f]; + s1 = sigma1_256(s1); + + /* Apply the SHA-256 compression function to update a..h */ + T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + + (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); + T2 = Sigma0_256(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 64); + + /* Compute the current intermediate hash value */ + context->state[0] += a; + context->state[1] += b; + context->state[2] += c; + context->state[3] += d; + context->state[4] += e; + context->state[5] += f; + context->state[6] += g; + context->state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = T2 = 0; +} + +#endif /* SHA2_UNROLL_TRANSFORM */ + +void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { + unsigned int freespace, usedspace; + + if (len == 0) { + /* Calling with no data is valid - we do nothing */ + return; + } + + /* Sanity check: */ + assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); + + usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; + if (usedspace > 0) { + /* Calculate how much free space is available in the buffer */ + freespace = SHA256_BLOCK_LENGTH - usedspace; + + if (len >= freespace) { + /* Fill the buffer completely and process it */ + MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); + context->bitcount += freespace << 3; + len -= freespace; + data += freespace; + SHA256_Transform(context, (sha2_word32*)context->buffer); + } else { + /* The buffer is not yet full */ + MEMCPY_BCOPY(&context->buffer[usedspace], data, len); + context->bitcount += len << 3; + /* Clean up: */ + usedspace = freespace = 0; + return; + } + } + while (len >= SHA256_BLOCK_LENGTH) { + /* Process as many complete blocks as we can */ + SHA256_Transform(context, (sha2_word32*)data); + context->bitcount += SHA256_BLOCK_LENGTH << 3; + len -= SHA256_BLOCK_LENGTH; + data += SHA256_BLOCK_LENGTH; + } + if (len > 0) { + /* There's left-overs, so save 'em */ + MEMCPY_BCOPY(context->buffer, data, len); + context->bitcount += len << 3; + } + /* Clean up: */ + usedspace = freespace = 0; +} + +void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { + sha2_word32 *d = (sha2_word32*)digest; + sha2_word64 *p; + unsigned int usedspace; + + /* Sanity check: */ + assert(context != (SHA256_CTX*)0); + + /* If no digest buffer is passed, we don't bother doing this: */ + if (digest != (sha2_byte*)0) { + usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; +#if BYTE_ORDER == LITTLE_ENDIAN + /* Convert FROM host byte order */ + REVERSE64(context->bitcount,context->bitcount); +#endif + if (usedspace > 0) { + /* Begin padding with a 1 bit: */ + context->buffer[usedspace++] = 0x80; + + if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { + /* Set-up for the last transform: */ + MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); + } else { + if (usedspace < SHA256_BLOCK_LENGTH) { + MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); + } + /* Do second-to-last transform: */ + SHA256_Transform(context, (sha2_word32*)context->buffer); + + /* And set-up for the last transform: */ + MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); + } + } else { + /* Set-up for the last transform: */ + MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); + + /* Begin padding with a 1 bit: */ + *context->buffer = 0x80; + } + /* Set the bit count: */ + p = (sha2_word64 *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH]; + *p = context->bitcount; + + /* Final transform: */ + SHA256_Transform(context, (sha2_word32*)context->buffer); + +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 8; j++) { + REVERSE32(context->state[j],context->state[j]); + *d++ = context->state[j]; + } + } +#else + MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH); +#endif + } + + /* Clean up state data: */ + MEMSET_BZERO(context, sizeof(*context)); + usedspace = 0; +} + +char *SHA256_End(SHA256_CTX* context, char buffer[]) { + sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest; + int i; + + /* Sanity check: */ + assert(context != (SHA256_CTX*)0); + + if (buffer != (char*)0) { + SHA256_Final(digest, context); + + for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { + *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; + *buffer++ = sha2_hex_digits[*d & 0x0f]; + d++; + } + *buffer = (char)0; + } else { + MEMSET_BZERO(context, sizeof(*context)); + } + MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH); + return buffer; +} + +char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { + SHA256_CTX context; + + SHA256_Init(&context); + SHA256_Update(&context, data, len); + return SHA256_End(&context, digest); +} + + +/*** SHA-512: *********************************************************/ +void SHA512_Init(SHA512_CTX* context) { + if (context == (SHA512_CTX*)0) { + return; + } + MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); + MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH); + context->bitcount[0] = context->bitcount[1] = 0; +} + +#ifdef SHA2_UNROLL_TRANSFORM + +/* Unrolled SHA-512 round macros: */ +#if BYTE_ORDER == LITTLE_ENDIAN + +#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ + REVERSE64(*data++, W512[j]); \ + T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ + K512[j] + W512[j]; \ + (d) += T1, \ + (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ + j++ + + +#else /* BYTE_ORDER == LITTLE_ENDIAN */ + +#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ + T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ + K512[j] + (W512[j] = *data++); \ + (d) += T1; \ + (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ + j++ + +#endif /* BYTE_ORDER == LITTLE_ENDIAN */ + +#define ROUND512(a,b,c,d,e,f,g,h) \ + s0 = W512[(j+1)&0x0f]; \ + s0 = sigma0_512(s0); \ + s1 = W512[(j+14)&0x0f]; \ + s1 = sigma1_512(s1); \ + T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ + (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ + (d) += T1; \ + (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ + j++ + +void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { + sha2_word64 a, b, c, d, e, f, g, h, s0, s1; + sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = context->state[0]; + b = context->state[1]; + c = context->state[2]; + d = context->state[3]; + e = context->state[4]; + f = context->state[5]; + g = context->state[6]; + h = context->state[7]; + + j = 0; + do { + ROUND512_0_TO_15(a,b,c,d,e,f,g,h); + ROUND512_0_TO_15(h,a,b,c,d,e,f,g); + ROUND512_0_TO_15(g,h,a,b,c,d,e,f); + ROUND512_0_TO_15(f,g,h,a,b,c,d,e); + ROUND512_0_TO_15(e,f,g,h,a,b,c,d); + ROUND512_0_TO_15(d,e,f,g,h,a,b,c); + ROUND512_0_TO_15(c,d,e,f,g,h,a,b); + ROUND512_0_TO_15(b,c,d,e,f,g,h,a); + } while (j < 16); + + /* Now for the remaining rounds up to 79: */ + do { + ROUND512(a,b,c,d,e,f,g,h); + ROUND512(h,a,b,c,d,e,f,g); + ROUND512(g,h,a,b,c,d,e,f); + ROUND512(f,g,h,a,b,c,d,e); + ROUND512(e,f,g,h,a,b,c,d); + ROUND512(d,e,f,g,h,a,b,c); + ROUND512(c,d,e,f,g,h,a,b); + ROUND512(b,c,d,e,f,g,h,a); + } while (j < 80); + + /* Compute the current intermediate hash value */ + context->state[0] += a; + context->state[1] += b; + context->state[2] += c; + context->state[3] += d; + context->state[4] += e; + context->state[5] += f; + context->state[6] += g; + context->state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = 0; +} + +#else /* SHA2_UNROLL_TRANSFORM */ + +void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { + sha2_word64 a, b, c, d, e, f, g, h, s0, s1; + sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = context->state[0]; + b = context->state[1]; + c = context->state[2]; + d = context->state[3]; + e = context->state[4]; + f = context->state[5]; + g = context->state[6]; + h = context->state[7]; + + j = 0; + do { +#if BYTE_ORDER == LITTLE_ENDIAN + /* Convert TO host byte order */ + REVERSE64(*data++, W512[j]); + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; +#else /* BYTE_ORDER == LITTLE_ENDIAN */ + /* Apply the SHA-512 compression function to update a..h with copy */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); +#endif /* BYTE_ORDER == LITTLE_ENDIAN */ + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 16); + + do { + /* Part of the message block expansion: */ + s0 = W512[(j+1)&0x0f]; + s0 = sigma0_512(s0); + s1 = W512[(j+14)&0x0f]; + s1 = sigma1_512(s1); + + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + + (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 80); + + /* Compute the current intermediate hash value */ + context->state[0] += a; + context->state[1] += b; + context->state[2] += c; + context->state[3] += d; + context->state[4] += e; + context->state[5] += f; + context->state[6] += g; + context->state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = T2 = 0; +} + +#endif /* SHA2_UNROLL_TRANSFORM */ + +void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { + unsigned int freespace, usedspace; + + if (len == 0) { + /* Calling with no data is valid - we do nothing */ + return; + } + + /* Sanity check: */ + assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); + + usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; + if (usedspace > 0) { + /* Calculate how much free space is available in the buffer */ + freespace = SHA512_BLOCK_LENGTH - usedspace; + + if (len >= freespace) { + /* Fill the buffer completely and process it */ + MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); + ADDINC128(context->bitcount, freespace << 3); + len -= freespace; + data += freespace; + SHA512_Transform(context, (sha2_word64*)context->buffer); + } else { + /* The buffer is not yet full */ + MEMCPY_BCOPY(&context->buffer[usedspace], data, len); + ADDINC128(context->bitcount, len << 3); + /* Clean up: */ + usedspace = freespace = 0; + return; + } + } + while (len >= SHA512_BLOCK_LENGTH) { + /* Process as many complete blocks as we can */ + SHA512_Transform(context, (sha2_word64*)data); + ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); + len -= SHA512_BLOCK_LENGTH; + data += SHA512_BLOCK_LENGTH; + } + if (len > 0) { + /* There's left-overs, so save 'em */ + MEMCPY_BCOPY(context->buffer, data, len); + ADDINC128(context->bitcount, len << 3); + } + /* Clean up: */ + usedspace = freespace = 0; +} + +void SHA512_Last(SHA512_CTX* context) { + sha2_word64 *p; + unsigned int usedspace; + + usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; +#if BYTE_ORDER == LITTLE_ENDIAN + /* Convert FROM host byte order */ + REVERSE64(context->bitcount[0],context->bitcount[0]); + REVERSE64(context->bitcount[1],context->bitcount[1]); +#endif + if (usedspace > 0) { + /* Begin padding with a 1 bit: */ + context->buffer[usedspace++] = 0x80; + + if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { + /* Set-up for the last transform: */ + MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); + } else { + if (usedspace < SHA512_BLOCK_LENGTH) { + MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); + } + /* Do second-to-last transform: */ + SHA512_Transform(context, (sha2_word64*)context->buffer); + + /* And set-up for the last transform: */ + MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2); + } + } else { + /* Prepare for final transform: */ + MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH); + + /* Begin padding with a 1 bit: */ + *context->buffer = 0x80; + } + /* Store the length of input data (in bits): */ + p = (sha2_word64 *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH]; + p[0] = context->bitcount[1]; + p[1] = context->bitcount[0]; + + /* Final transform: */ + SHA512_Transform(context, (sha2_word64*)context->buffer); +} + +void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { + sha2_word64 *d = (sha2_word64*)digest; + + /* Sanity check: */ + assert(context != (SHA512_CTX*)0); + + /* If no digest buffer is passed, we don't bother doing this: */ + if (digest != (sha2_byte*)0) { + SHA512_Last(context); + + /* Save the hash data for output: */ +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 8; j++) { + REVERSE64(context->state[j],context->state[j]); + *d++ = context->state[j]; + } + } +#else + MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH); +#endif + } + + /* Zero out state data */ + MEMSET_BZERO(context, sizeof(*context)); +} + +char *SHA512_End(SHA512_CTX* context, char buffer[]) { + sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest; + int i; + + /* Sanity check: */ + assert(context != (SHA512_CTX*)0); + + if (buffer != (char*)0) { + SHA512_Final(digest, context); + + for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { + *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; + *buffer++ = sha2_hex_digits[*d & 0x0f]; + d++; + } + *buffer = (char)0; + } else { + MEMSET_BZERO(context, sizeof(*context)); + } + MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH); + return buffer; +} + +char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { + SHA512_CTX context; + + SHA512_Init(&context); + SHA512_Update(&context, data, len); + return SHA512_End(&context, digest); +} + + +/*** SHA-384: *********************************************************/ +void SHA384_Init(SHA384_CTX* context) { + if (context == (SHA384_CTX*)0) { + return; + } + MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); + MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH); + context->bitcount[0] = context->bitcount[1] = 0; +} + +void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { + SHA512_Update((SHA512_CTX*)context, data, len); +} + +void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { + sha2_word64 *d = (sha2_word64*)digest; + + /* Sanity check: */ + assert(context != (SHA384_CTX*)0); + + /* If no digest buffer is passed, we don't bother doing this: */ + if (digest != (sha2_byte*)0) { + SHA512_Last((SHA512_CTX*)context); + + /* Save the hash data for output: */ +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 6; j++) { + REVERSE64(context->state[j],context->state[j]); + *d++ = context->state[j]; + } + } +#else + MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH); +#endif + } + + /* Zero out state data */ + MEMSET_BZERO(context, sizeof(*context)); +} + +char *SHA384_End(SHA384_CTX* context, char buffer[]) { + sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest; + int i; + + /* Sanity check: */ + assert(context != (SHA384_CTX*)0); + + if (buffer != (char*)0) { + SHA384_Final(digest, context); + + for (i = 0; i < SHA384_DIGEST_LENGTH; i++) { + *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; + *buffer++ = sha2_hex_digits[*d & 0x0f]; + d++; + } + *buffer = (char)0; + } else { + MEMSET_BZERO(context, sizeof(*context)); + } + MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH); + return buffer; +} + +char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) { + SHA384_CTX context; + + SHA384_Init(&context); + SHA384_Update(&context, data, len); + return SHA384_End(&context, digest); +} + diff --git a/contrib/slapd-modules/passwd/sha2/sha2.h b/contrib/slapd-modules/passwd/sha2/sha2.h new file mode 100644 index 0000000..7fff142 --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/sha2.h @@ -0,0 +1,236 @@ +/* $OpenLDAP$ */ +/* + * FILE: sha2.h + * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/ + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $ + */ + +#ifndef __SHA2_H__ +#define __SHA2_H__ + +#include "portable.h" + +#ifdef HAVE_INTTYPES_H +# define SHA2_USE_INTTYPES_H 1 +#endif + +#ifndef LITTLE_ENDIAN +# define LITTLE_ENDIAN 1234 +#endif +#ifndef BIG_ENDIAN +# define BIG_ENDIAN 4321 +#endif +#ifndef BYTE_ORDER +# ifdef WORDS_BIGENDIAN +# define BYTE_ORDER BIG_ENDIAN +# else +# define BYTE_ORDER LITTLE_ENDIAN +# endif +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * Import u_intXX_t size_t type definitions from system headers. You + * may need to change this, or define these things yourself in this + * file. + */ +#include <sys/types.h> + +#ifdef SHA2_USE_INTTYPES_H + +#include <inttypes.h> + +#endif /* SHA2_USE_INTTYPES_H */ + + +/*** SHA-256/384/512 Various Length Definitions ***********************/ +#define SHA256_BLOCK_LENGTH 64 +#define SHA256_DIGEST_LENGTH 32 +#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1) +#define SHA384_BLOCK_LENGTH 128 +#define SHA384_DIGEST_LENGTH 48 +#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1) +#define SHA512_BLOCK_LENGTH 128 +#define SHA512_DIGEST_LENGTH 64 +#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) + + +/*** SHA-256/384/512 Context Structures *******************************/ +/* NOTE: If your architecture does not define either u_intXX_t types or + * uintXX_t (from inttypes.h), you may need to define things by hand + * for your system: + */ +#if 0 +typedef unsigned char u_int8_t; /* 1-byte (8-bits) */ +typedef unsigned int u_int32_t; /* 4-bytes (32-bits) */ +typedef unsigned long long u_int64_t; /* 8-bytes (64-bits) */ +#endif +/* + * Most BSD systems already define u_intXX_t types, as does Linux. + * Some systems, however, like Compaq's Tru64 Unix instead can use + * uintXX_t types defined by very recent ANSI C standards and included + * in the file: + * + * #include <inttypes.h> + * + * If you choose to use <inttypes.h> then please define: + * + * #define SHA2_USE_INTTYPES_H + * + * Or on the command line during compile: + * + * cc -DSHA2_USE_INTTYPES_H ... + */ +#ifdef SHA2_USE_INTTYPES_H + +typedef struct _SHA256_CTX { + uint32_t state[8]; + uint64_t bitcount; + uint8_t buffer[SHA256_BLOCK_LENGTH]; +} SHA256_CTX; +typedef struct _SHA512_CTX { + uint64_t state[8]; + uint64_t bitcount[2]; + uint8_t buffer[SHA512_BLOCK_LENGTH]; +} SHA512_CTX; + +#else /* SHA2_USE_INTTYPES_H */ + +typedef struct _SHA256_CTX { + u_int32_t state[8]; + u_int64_t bitcount; + u_int8_t buffer[SHA256_BLOCK_LENGTH]; +} SHA256_CTX; +typedef struct _SHA512_CTX { + u_int64_t state[8]; + u_int64_t bitcount[2]; + u_int8_t buffer[SHA512_BLOCK_LENGTH]; +} SHA512_CTX; + +#endif /* SHA2_USE_INTTYPES_H */ + +typedef SHA512_CTX SHA384_CTX; + + +/*** SHA-256/384/512 Function Prototypes ******************************/ +/* avoid symbol clash with other crypto libs */ +#define SHA256_Init pw_SHA256_Init +#define SHA256_Update pw_SHA256_Update +#define SHA256_Final pw_SHA256_Final +#define SHA256_End pw_SHA256_End +#define SHA256_Data pw_SHA256_Data + +#define SHA384_Init pw_SHA384_Init +#define SHA384_Update pw_SHA384_Update +#define SHA384_Final pw_SHA384_Final +#define SHA384_End pw_SHA384_End +#define SHA384_Data pw_SHA384_Data + +#define SHA512_Init pw_SHA512_Init +#define SHA512_Update pw_SHA512_Update +#define SHA512_Final pw_SHA512_Final +#define SHA512_End pw_SHA512_End +#define SHA512_Data pw_SHA512_Data + +#ifndef NOPROTO +#ifdef SHA2_USE_INTTYPES_H + +void SHA256_Init(SHA256_CTX *); +void SHA256_Update(SHA256_CTX*, const uint8_t*, size_t); +void SHA256_Final(uint8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*); +char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]); +char* SHA256_Data(const uint8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]); + +void SHA384_Init(SHA384_CTX*); +void SHA384_Update(SHA384_CTX*, const uint8_t*, size_t); +void SHA384_Final(uint8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*); +char* SHA384_End(SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]); +char* SHA384_Data(const uint8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]); + +void SHA512_Init(SHA512_CTX*); +void SHA512_Update(SHA512_CTX*, const uint8_t*, size_t); +void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*); +char* SHA512_End(SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]); +char* SHA512_Data(const uint8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]); + +#else /* SHA2_USE_INTTYPES_H */ + +void SHA256_Init(SHA256_CTX *); +void SHA256_Update(SHA256_CTX*, const u_int8_t*, size_t); +void SHA256_Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*); +char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]); +char* SHA256_Data(const u_int8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]); + +void SHA384_Init(SHA384_CTX*); +void SHA384_Update(SHA384_CTX*, const u_int8_t*, size_t); +void SHA384_Final(u_int8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*); +char* SHA384_End(SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]); +char* SHA384_Data(const u_int8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]); + +void SHA512_Init(SHA512_CTX*); +void SHA512_Update(SHA512_CTX*, const u_int8_t*, size_t); +void SHA512_Final(u_int8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*); +char* SHA512_End(SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]); +char* SHA512_Data(const u_int8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]); + +#endif /* SHA2_USE_INTTYPES_H */ + +#else /* NOPROTO */ + +void SHA256_Init(); +void SHA256_Update(); +void SHA256_Final(); +char* SHA256_End(); +char* SHA256_Data(); + +void SHA384_Init(); +void SHA384_Update(); +void SHA384_Final(); +char* SHA384_End(); +char* SHA384_Data(); + +void SHA512_Init(); +void SHA512_Update(); +void SHA512_Final(); +char* SHA512_End(); +char* SHA512_Data(); + +#endif /* NOPROTO */ + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __SHA2_H__ */ + diff --git a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c new file mode 100644 index 0000000..c35d9d9 --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c @@ -0,0 +1,508 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2009-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENT: + * This work was initially developed by Jeff Turner for inclusion + * in OpenLDAP Software. + * + * Hash methods for passwords generation added by Cédric Delfosse. + * + * SSHA256 / SSHA384 / SSHA512 support added, and chk_sha*() replaced + * with libraries/liblutil/passwd.c:chk_sha1() implementation to + * fix a race by SATOH Fumiyasu @ OSS Technology, Inc. + */ + +#include "portable.h" + +#include <ac/string.h> + +#include "lber_pvt.h" +#include "lutil.h" +#include "sha2.h" + +#ifdef SLAPD_SHA2_DEBUG +#include <stdio.h> +#endif + +#define SHA2_SALT_SIZE 8 + +static int hash_ssha256( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA256_CTX ct; + unsigned char hash256[SHA256_DIGEST_LENGTH]; + char saltdata[SHA2_SALT_SIZE]; + struct berval digest; + struct berval salt; + + digest.bv_val = (char *) hash256; + digest.bv_len = sizeof(hash256); + salt.bv_val = saltdata; + salt.bv_len = sizeof(saltdata); + + if (lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0) { + return LUTIL_PASSWD_ERR; + } + + SHA256_Init(&ct); + SHA256_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA256_Update(&ct, (const uint8_t*)salt.bv_val, salt.bv_len); + SHA256_Final(hash256, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, &salt); +} + +static int hash_sha256( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA256_CTX ct; + unsigned char hash256[SHA256_DIGEST_LENGTH]; + struct berval digest; + digest.bv_val = (char *) hash256; + digest.bv_len = sizeof(hash256); + + SHA256_Init(&ct); + SHA256_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA256_Final(hash256, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, NULL); +} + +static int hash_ssha384( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA384_CTX ct; + unsigned char hash384[SHA384_DIGEST_LENGTH]; + char saltdata[SHA2_SALT_SIZE]; + struct berval digest; + struct berval salt; + + digest.bv_val = (char *) hash384; + digest.bv_len = sizeof(hash384); + salt.bv_val = saltdata; + salt.bv_len = sizeof(saltdata); + + if (lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0) { + return LUTIL_PASSWD_ERR; + } + + SHA384_Init(&ct); + SHA384_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA384_Update(&ct, (const uint8_t*)salt.bv_val, salt.bv_len); + SHA384_Final(hash384, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, &salt); +} + +static int hash_sha384( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA384_CTX ct; + unsigned char hash384[SHA384_DIGEST_LENGTH]; + struct berval digest; + digest.bv_val = (char *) hash384; + digest.bv_len = sizeof(hash384); + + SHA384_Init(&ct); + SHA384_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA384_Final(hash384, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, NULL); +} + +static int hash_ssha512( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA512_CTX ct; + unsigned char hash512[SHA512_DIGEST_LENGTH]; + char saltdata[SHA2_SALT_SIZE]; + struct berval digest; + struct berval salt; + + digest.bv_val = (char *) hash512; + digest.bv_len = sizeof(hash512); + salt.bv_val = saltdata; + salt.bv_len = sizeof(saltdata); + + if (lutil_entropy((unsigned char *)salt.bv_val, salt.bv_len) < 0) { + return LUTIL_PASSWD_ERR; + } + + SHA512_Init(&ct); + SHA512_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA512_Update(&ct, (const uint8_t*)salt.bv_val, salt.bv_len); + SHA512_Final(hash512, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, &salt); +} + +static int hash_sha512( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + SHA512_CTX ct; + unsigned char hash512[SHA512_DIGEST_LENGTH]; + struct berval digest; + digest.bv_val = (char *) hash512; + digest.bv_len = sizeof(hash512); + + SHA512_Init(&ct); + SHA512_Update(&ct, (const uint8_t*)passwd->bv_val, passwd->bv_len); + SHA512_Final(hash512, &ct); + + return lutil_passwd_string64(scheme, &digest, hash, NULL); +} + +#ifdef SLAPD_SHA2_DEBUG +static void chk_sha_debug( + const struct berval *scheme, + const struct berval *passwd, + const struct berval *cred, + const char *cred_hash, + size_t cred_len, + int cmp_rc) +{ + int rc; + struct berval cred_b64; + + cred_b64.bv_len = LUTIL_BASE64_ENCODE_LEN(cred_len) + 1; + cred_b64.bv_val = ber_memalloc(cred_b64.bv_len + 1); + + if( cred_b64.bv_val == NULL ) { + return; + } + + rc = lutil_b64_ntop( + (unsigned char *) cred_hash, cred_len, + cred_b64.bv_val, cred_b64.bv_len ); + + if( rc < 0 ) { + ber_memfree(cred_b64.bv_val); + return; + } + + fprintf(stderr, "Validating password\n"); + fprintf(stderr, " Hash scheme:\t\t%s\n", scheme->bv_val); + fprintf(stderr, " Password to validate: %s\n", cred->bv_val); + fprintf(stderr, " Password hash:\t%s\n", cred_b64.bv_val); + fprintf(stderr, " Stored password hash:\t%s\n", passwd->bv_val); + fprintf(stderr, " Result:\t\t%s\n", cmp_rc ? "do not match" : "match"); + + ber_memfree(cred_b64.bv_val); +} +#endif + +static int chk_ssha256( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA256_CTX SHAcontext; + unsigned char SHAdigest[SHA256_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len <= sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc <= (int)(sizeof(SHAdigest)) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA256_Init(&SHAcontext); + SHA256_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA256_Update(&SHAcontext, + (const unsigned char *) &orig_pass[sizeof(SHAdigest)], + rc - sizeof(SHAdigest)); + SHA256_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_sha256( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA256_CTX SHAcontext; + unsigned char SHAdigest[SHA256_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len < sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc != sizeof(SHAdigest) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA256_Init(&SHAcontext); + SHA256_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA256_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); +#ifdef SLAPD_SHA2_DEBUG + chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc); +#endif + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_ssha384( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA384_CTX SHAcontext; + unsigned char SHAdigest[SHA384_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len <= sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc <= (int)(sizeof(SHAdigest)) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA384_Init(&SHAcontext); + SHA384_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA384_Update(&SHAcontext, + (const unsigned char *) &orig_pass[sizeof(SHAdigest)], + rc - sizeof(SHAdigest)); + SHA384_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_sha384( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA384_CTX SHAcontext; + unsigned char SHAdigest[SHA384_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len < sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc != sizeof(SHAdigest) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA384_Init(&SHAcontext); + SHA384_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA384_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); +#ifdef SLAPD_SHA2_DEBUG + chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc); +#endif + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_ssha512( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA512_CTX SHAcontext; + unsigned char SHAdigest[SHA512_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len <= sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc <= (int)(sizeof(SHAdigest)) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA512_Init(&SHAcontext); + SHA512_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA512_Update(&SHAcontext, + (const unsigned char *) &orig_pass[sizeof(SHAdigest)], + rc - sizeof(SHAdigest)); + SHA512_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +static int chk_sha512( + const struct berval *scheme, /* Scheme of hashed reference password */ + const struct berval *passwd, /* Hashed reference password to check against */ + const struct berval *cred, /* user-supplied password to check */ + const char **text ) +{ + SHA512_CTX SHAcontext; + unsigned char SHAdigest[SHA512_DIGEST_LENGTH]; + int rc; + unsigned char *orig_pass = NULL; + size_t decode_len = LUTIL_BASE64_DECODE_LEN(passwd->bv_len); + + /* safety check */ + if (decode_len < sizeof(SHAdigest)) { + return LUTIL_PASSWD_ERR; + } + + /* base64 un-encode password */ + orig_pass = (unsigned char *) ber_memalloc(decode_len + 1); + + if( orig_pass == NULL ) return LUTIL_PASSWD_ERR; + + rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len); + + if( rc != sizeof(SHAdigest) ) { + ber_memfree(orig_pass); + return LUTIL_PASSWD_ERR; + } + + /* hash credentials with salt */ + SHA512_Init(&SHAcontext); + SHA512_Update(&SHAcontext, + (const unsigned char *) cred->bv_val, cred->bv_len); + SHA512_Final(SHAdigest, &SHAcontext); + + /* compare */ + rc = memcmp((char *)orig_pass, (char *)SHAdigest, sizeof(SHAdigest)); +#ifdef SLAPD_SHA2_DEBUG + chk_sha_debug(scheme, passwd, cred, (char *)SHAdigest, sizeof(SHAdigest), rc); +#endif + ber_memfree(orig_pass); + return rc ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; +} + +const struct berval ssha256scheme = BER_BVC("{SSHA256}"); +const struct berval sha256scheme = BER_BVC("{SHA256}"); +const struct berval ssha384scheme = BER_BVC("{SSHA384}"); +const struct berval sha384scheme = BER_BVC("{SHA384}"); +const struct berval ssha512scheme = BER_BVC("{SSHA512}"); +const struct berval sha512scheme = BER_BVC("{SHA512}"); + +int init_module(int argc, char *argv[]) { + int result = 0; + result = lutil_passwd_add( (struct berval *)&ssha256scheme, chk_ssha256, hash_ssha256 ); + if (result != 0) return result; + result = lutil_passwd_add( (struct berval *)&sha256scheme, chk_sha256, hash_sha256 ); + if (result != 0) return result; + result = lutil_passwd_add( (struct berval *)&ssha384scheme, chk_ssha384, hash_ssha384 ); + if (result != 0) return result; + result = lutil_passwd_add( (struct berval *)&sha384scheme, chk_sha384, hash_sha384 ); + if (result != 0) return result; + result = lutil_passwd_add( (struct berval *)&ssha512scheme, chk_ssha512, hash_ssha512 ); + if (result != 0) return result; + result = lutil_passwd_add( (struct berval *)&sha512scheme, chk_sha512, hash_sha512 ); + return result; +} diff --git a/contrib/slapd-modules/proxyOld/Makefile b/contrib/slapd-modules/proxyOld/Makefile new file mode 100644 index 0000000..1bc2f57 --- /dev/null +++ b/contrib/slapd-modules/proxyOld/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 2005-2021 The OpenLDAP Foundation. +# Portions Copyright 2005 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = proxyOld.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +proxyOld.la: proxyOld.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/proxyOld/README b/contrib/slapd-modules/proxyOld/README new file mode 100644 index 0000000..b210740 --- /dev/null +++ b/contrib/slapd-modules/proxyOld/README @@ -0,0 +1,31 @@ +This directory contains a slapd module proxyOld that provides support +for the obsolete draft-weltman-ldapb3-proxy-05 revision of the LDAP +Proxy Authorization control. It is merely intended to provide compatibility +in environments where other servers only recognize this old control. +New installations should not use this code. + +To use the module, add: + + moduleload <path to>proxyOld.so + ... + +to your slapd configuration file. Since this is an obsolete feature, +the control is registered with the SLAP_CTRL_HIDE flag so that it will +not be advertised in the rootDSE's supportedControls attribute. + +This code only works as a dynamically loaded module. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 1998-2021 The OpenLDAP Foundation. +Portions Copyright 2005 Howard Chu, Symas Corp. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/proxyOld/proxyOld.c b/contrib/slapd-modules/proxyOld/proxyOld.c new file mode 100644 index 0000000..c161aa3 --- /dev/null +++ b/contrib/slapd-modules/proxyOld/proxyOld.c @@ -0,0 +1,128 @@ +/* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2005-2021 The OpenLDAP Foundation. + * Portions Copyright 2005 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#include <slap.h> + +#include <lber.h> +/* +#include <lber_pvt.h> +#include <lutil.h> +*/ + +/* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot + * of holes in that draft, it doesn't specify that the control is legal + * for Add operations, and it makes no mention of Extended operations. + * It also doesn't specify whether an empty LDAPDN is allowed in the + * control value. + * + * For usability purposes, we're copying the op / exop behavior from the + * newer -12 draft. + */ +#define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12" + +static char *proxyOld_extops[] = { + LDAP_EXOP_MODIFY_PASSWD, + LDAP_EXOP_X_WHO_AM_I, + NULL +}; + +static int +proxyOld_parse( + Operation *op, + SlapReply *rs, + LDAPControl *ctrl ) +{ + int rc; + BerElement *ber; + ber_tag_t tag; + struct berval dn = BER_BVNULL; + struct berval authzDN = BER_BVNULL; + + + /* We hijack the flag for the new control. Clearly only one or the + * other can be used at any given time. + */ + if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) { + rs->sr_text = "proxy authorization control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + op->o_proxy_authz = ctrl->ldctl_iscritical + ? SLAP_CONTROL_CRITICAL + : SLAP_CONTROL_NONCRITICAL; + + /* Parse the control value + * proxyAuthzControlValue ::= SEQUENCE { + * proxyDN LDAPDN + * } + */ + ber = ber_init( &ctrl->ldctl_value ); + if ( ber == NULL ) { + rs->sr_text = "ber_init failed"; + return LDAP_OTHER; + } + + tag = ber_scanf( ber, "{m}", &dn ); + + if ( tag == LBER_ERROR ) { + rs->sr_text = "proxyOld control could not be decoded"; + rc = LDAP_OTHER; + goto done; + } + if ( BER_BVISEMPTY( &dn )) { + Debug( LDAP_DEBUG_TRACE, + "proxyOld_parse: conn=%lu anonymous\n", + op->o_connid, 0, 0 ); + authzDN.bv_val = ch_strdup(""); + } else { + Debug( LDAP_DEBUG_ARGS, + "proxyOld_parse: conn %lu ctrl DN=\"%s\"\n", + op->o_connid, dn.bv_val, 0 ); + rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx ); + if ( rc != LDAP_SUCCESS ) { + goto done; + } + rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN ); + if ( rc ) { + op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx ); + rs->sr_text = "not authorized to assume identity"; + /* new spec uses LDAP_PROXY_AUTHZ_FAILURE */ + rc = LDAP_INSUFFICIENT_ACCESS; + goto done; + } + } + free( op->o_ndn.bv_val ); + free( op->o_dn.bv_val ); + op->o_ndn = authzDN; + ber_dupbv( &op->o_dn, &authzDN ); + + Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n", + op->o_connid, op->o_opid, + authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 ); + rc = LDAP_SUCCESS; +done: + ber_free( ber, 1 ); + return rc; +} + +int init_module(int argc, char *argv[]) { + return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05, + SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops, + proxyOld_parse, NULL ); +} diff --git a/contrib/slapd-modules/samba4/Makefile b/contrib/slapd-modules/samba4/Makefile new file mode 100644 index 0000000..6704ce7 --- /dev/null +++ b/contrib/slapd-modules/samba4/Makefile @@ -0,0 +1,68 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_RDNVAL=SLAPD_MOD_DYNAMIC \ + -DSLAPD_OVER_PGUID=SLAPD_MOD_DYNAMIC \ + -DSLAPD_OVER_VERNUM=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = pguid.la rdnval.la vernum.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pguid.la: pguid.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +rdnval.la: rdnval.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +vernum.la: vernum.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/samba4/README b/contrib/slapd-modules/samba4/README new file mode 100644 index 0000000..b68034b --- /dev/null +++ b/contrib/slapd-modules/samba4/README @@ -0,0 +1,72 @@ +# $OpenLDAP$ + +This directory contains slapd overlays specific to samba4 LDAP backend: + + - pguid (not used) + - rdnval (under evaluation) + - vernum (under evaluation) + + + - PGUID + +This overlay maintains the operational attribute "parentUUID". It contains +the entryUUID of the parent entry. This overlay is not being considered +right now. + + + - RDNVAL + +This overlay maintains the operational attribute "rdnValue". It contains +the value of the entry's RDN. This attribute is defined by the overlay +itself as + + ( 1.3.6.1.4.1.4203.666.1.58 + NAME 'rdnValue' + DESC 'the value of the naming attributes' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + EQUALITY caseIgnoreMatch + USAGE dSAOperation + NO-USER-MODIFICATION ) + +under OpenLDAP's development OID arc. This OID is temporary. + +To use the overlay, add: + + moduleload <path to>rdnval.so + ... + + database <whatever> + ... + overlay rdnval + +to your slapd configuration file. An instance is required for each database +that needs to maintain this attribute. + + + - VERNUM + +This overlay increments a counter any time an attribute is modified. +It is intended to increment the counter 'msDS-KeyVersionNumber' when +the attribute 'unicodePwd' is modified. + + +These overlays are only set up to be built as a dynamically loaded modules. +On most platforms, in order for the modules to be usable, all of the +library dependencies must also be available as shared libraries. + +If you need to build the overlays statically, you will have to move them +into the slapd/overlays directory and edit the Makefile and overlays.c +to reference them. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. +Copyright 2009-2021 The OpenLDAP Foundation. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/samba4/pguid.c b/contrib/slapd-modules/samba4/pguid.c new file mode 100644 index 0000000..ae7d71e --- /dev/null +++ b/contrib/slapd-modules/samba4/pguid.c @@ -0,0 +1,460 @@ +/* pguid.c - Parent GUID value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_PGUID + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (parentUUID) that contains the value + * of the entryUUID of the parent entry (used by Samba4) + */ + +static AttributeDescription *ad_parentUUID; + +static slap_overinst pguid; + +static int +pguid_op_add( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + struct berval pdn, pndn; + Entry *e = NULL; + Attribute *a; + int rc; + + /* don't care about suffix entry */ + if ( dn_match( &op->o_req_ndn, &op->o_bd->be_nsuffix[0] ) ) { + return SLAP_CB_CONTINUE; + } + + dnParent( &op->o_req_dn, &pdn ); + dnParent( &op->o_req_ndn, &pndn ); + + rc = overlay_entry_get_ov( op, &pndn, NULL, slap_schema.si_ad_entryUUID, 0, &e, on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_add: unable to get parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + return SLAP_CB_CONTINUE; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_add: unable to find entryUUID of parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + + } else { + assert( a->a_numvals == 1 ); + + if ( op->ora_e != NULL ) { + attr_merge_one( op->ora_e, ad_parentUUID, &a->a_vals[0], a->a_nvals == a->a_vals ? NULL : &a->a_nvals[0] ); + + } else { + Modifications *ml; + Modifications *mod; + + assert( op->ora_modlist != NULL ); + + for ( ml = op->ora_modlist; ml != NULL; ml = ml->sml_next ) { + if ( ml->sml_mod.sm_desc == slap_schema.si_ad_entryUUID ) { + break; + } + } + + if ( ml == NULL ) { + ml = op->ora_modlist; + } + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_ADD; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + + ber_dupbv( &mod->sml_values[0], &a->a_vals[0] ); + BER_BVZERO( &mod->sml_values[1] ); + + mod->sml_next = ml->sml_next; + ml->sml_next = mod; + } + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, on ); + } + + return SLAP_CB_CONTINUE; +} + +static int +pguid_op_rename( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + Entry *e = NULL; + Attribute *a; + int rc; + + if ( op->orr_nnewSup == NULL ) { + return SLAP_CB_CONTINUE; + } + + rc = overlay_entry_get_ov( op, op->orr_nnewSup, NULL, slap_schema.si_ad_entryUUID, 0, &e, on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_rename: unable to get newSuperior entry DN=\"%s\" (%d)\n", + op->o_log_prefix, op->orr_newSup->bv_val, rc ); + return SLAP_CB_CONTINUE; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_op_rename: unable to find entryUUID of newSuperior entry DN=\"%s\" (%d)\n", + op->o_log_prefix, op->orr_newSup->bv_val, rc ); + + } else { + Modifications *mod; + + assert( a->a_numvals == 1 ); + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + + ber_dupbv( &mod->sml_values[0], &a->a_vals[0] ); + BER_BVZERO( &mod->sml_values[1] ); + + mod->sml_next = op->orr_modlist; + op->orr_modlist = mod; + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, on ); + } + + return SLAP_CB_CONTINUE; +} + +static int +pguid_db_init( + BackendDB *be, + ConfigReply *cr) +{ + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: pguid cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + return 0; +} + +typedef struct pguid_mod_t { + struct berval ndn; + struct berval pguid; + struct pguid_mod_t *next; +} pguid_mod_t; + +typedef struct { + slap_overinst *on; + pguid_mod_t *mods; +} pguid_repair_cb_t; + +static int +pguid_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + pguid_repair_cb_t *pcb = op->o_callback->sc_private; + Entry *e = NULL; + Attribute *a; + struct berval pdn, pndn; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + dnParent( &rs->sr_entry->e_name, &pdn ); + dnParent( &rs->sr_entry->e_nname, &pndn ); + + rc = overlay_entry_get_ov( op, &pndn, NULL, slap_schema.si_ad_entryUUID, 0, &e, pcb->on ); + if ( rc != LDAP_SUCCESS || e == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair_cb: unable to get parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + return 0; + } + + a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID ); + if ( a == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair_cb: unable to find entryUUID of parent entry DN=\"%s\" (%d)\n", + op->o_log_prefix, pdn.bv_val, rc ); + + } else { + ber_len_t len; + pguid_mod_t *mod; + + assert( a->a_numvals == 1 ); + + len = sizeof( pguid_mod_t ) + rs->sr_entry->e_nname.bv_len + 1 + a->a_vals[0].bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + mod->pguid.bv_len = a->a_vals[0].bv_len; + mod->pguid.bv_val = (char *)&mod->ndn.bv_val[mod->ndn.bv_len + 1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + lutil_strncopy( mod->pguid.bv_val, a->a_vals[0].bv_val, a->a_vals[0].bv_len ); + + mod->next = pcb->mods; + pcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: pguid_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + } + + if ( e != NULL ) { + (void)overlay_entry_release_ov( op, e, 0, pcb->on ); + } + + return 0; +} + +static int +pguid_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + slap_callback sc = { 0 }; + pguid_repair_cb_t pcb = { 0 }; + SlapReply rs = { REP_RESULT }; + pguid_mod_t *pmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBORDINATE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_parentUUID->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(!(%s=*))", ad_parentUUID->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = pguid_repair_cb; + sc.sc_private = &pcb; + pcb.on = on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( pmod = pcb.mods; pmod != NULL; ) { + pguid_mod_t *pnext; + + Modifications *mod; + SlapReply rs2 = { REP_RESULT }; + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_parentUUID; + mod->sml_type = ad_parentUUID->ad_cname; + mod->sml_values = ch_malloc( sizeof( struct berval ) * 2 ); + mod->sml_nvalues = NULL; + mod->sml_numvals = 1; + mod->sml_next = NULL; + + ber_dupbv( &mod->sml_values[0], &pmod->pguid ); + BER_BVZERO( &mod->sml_values[1] ); + + op->o_req_dn = pmod->ndn; + op->o_req_ndn = pmod->ndn; + + op->orm_modlist = mod; + op->o_bd->be_modify( op, &rs2 ); + slap_mods_free( op->orm_modlist, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: pguid_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, pmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: pguid_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, pmod->ndn.bv_val, rs2.sr_err ); + } + + pnext = pmod->next; + op->o_tmpfree( pmod, op->o_tmpmemctx ); + pmod = pnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "pguid: repaired=%d\n", nrepaired ); + + return rs.sr_err; +} + +/* search all entries without parentUUID; "repair" them */ +static int +pguid_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "pguid incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + pguid_repair( be ); + + return 0; +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.3.6.1.4.1.4203.666.1.59 " + "NAME 'parentUUID' " + "DESC 'the value of the entryUUID of the parent' " + "EQUALITY UUIDMatch " + "ORDERING UUIDOrderingMatch " + "SYNTAX 1.3.6.1.1.16.1 " + "USAGE dSAOperation " + "SINGLE-VALUE " + "NO-USER-MODIFICATION " + ")", + &ad_parentUUID }, + { NULL } +}; + +int +pguid_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "pguid_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + pguid.on_bi.bi_type = "pguid"; + + pguid.on_bi.bi_op_add = pguid_op_add; + pguid.on_bi.bi_op_modrdn = pguid_op_rename; + + pguid.on_bi.bi_db_init = pguid_db_init; + pguid.on_bi.bi_db_open = pguid_db_open; + + return overlay_register( &pguid ); +} + +#if SLAPD_OVER_PGUID == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return pguid_initialize(); +} +#endif /* SLAPD_OVER_PGUID == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_PGUID */ diff --git a/contrib/slapd-modules/samba4/rdnval.c b/contrib/slapd-modules/samba4/rdnval.c new file mode 100644 index 0000000..95b2d4f --- /dev/null +++ b/contrib/slapd-modules/samba4/rdnval.c @@ -0,0 +1,658 @@ +/* rdnval.c - RDN value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_RDNVAL + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (rdnValue) that contains the values of each AVA + * that builds up the RDN of an entry. This is required for interoperation + * with Samba4. It mimics the "name" attribute provided by Active Directory. + * The naming attributes must be directoryString-valued, or compatible. + * For example, IA5String values are cast into directoryString unless + * consisting of the empty string (""). + */ + +static AttributeDescription *ad_rdnValue; +static Syntax *syn_IA5String; + +static slap_overinst rdnval; + +static int +rdnval_is_valid( AttributeDescription *desc, struct berval *value ) +{ + if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) { + return 1; + } + + if ( desc->ad_type->sat_syntax == syn_IA5String + && !BER_BVISEMPTY( value ) ) + { + return 1; + } + + return 0; +} + +static int +rdnval_unique_check_cb( Operation *op, SlapReply *rs ) +{ + if ( rs->sr_type == REP_SEARCH ) { + int *p = (int *)op->o_callback->sc_private; + (*p)++; + } + + return 0; +} + +static int +rdnval_unique_check( Operation *op, BerVarray vals ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + BackendDB db = *op->o_bd; + Operation op2 = *op; + SlapReply rs2 = { 0 }; + int i; + BerVarray fvals; + char *ptr; + int gotit = 0; + slap_callback cb = { 0 }; + + /* short-circuit attempts to add suffix entry */ + if ( op->o_tag == LDAP_REQ_ADD + && be_issuffix( op->o_bd, &op->o_req_ndn ) ) + { + return LDAP_SUCCESS; + } + + op2.o_bd = &db; + op2.o_bd->bd_info = (BackendInfo *)on->on_info; + op2.o_tag = LDAP_REQ_SEARCH; + op2.o_dn = op->o_bd->be_rootdn; + op2.o_ndn = op->o_bd->be_rootndn; + op2.o_callback = &cb; + cb.sc_response = rdnval_unique_check_cb; + cb.sc_private = (void *)&gotit; + + dnParent( &op->o_req_ndn, &op2.o_req_dn ); + op2.o_req_ndn = op2.o_req_dn; + + op2.ors_limit = NULL; + op2.ors_slimit = 1; + op2.ors_tlimit = SLAP_NO_LIMIT; + op2.ors_attrs = slap_anlist_no_attrs; + op2.ors_attrsonly = 1; + op2.ors_deref = LDAP_DEREF_NEVER; + op2.ors_scope = LDAP_SCOPE_ONELEVEL; + + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) + /* just count */ ; + + fvals = op->o_tmpcalloc( sizeof( struct berval ), i + 1, + op->o_tmpmemctx ); + + op2.ors_filterstr.bv_len = 0; + if ( i > 1 ) { + op2.ors_filterstr.bv_len = STRLENOF( "(&)" ); + } + + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + ldap_bv2escaped_filter_value_x( &vals[ i ], &fvals[ i ], + 1, op->o_tmpmemctx ); + op2.ors_filterstr.bv_len += ad_rdnValue->ad_cname.bv_len + + fvals[ i ].bv_len + STRLENOF( "(=)" ); + } + + op2.ors_filterstr.bv_val = op->o_tmpalloc( op2.ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + + ptr = op2.ors_filterstr.bv_val; + if ( i > 1 ) { + ptr = lutil_strcopy( ptr, "(&" ); + } + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + *ptr++ = '('; + ptr = lutil_strncopy( ptr, ad_rdnValue->ad_cname.bv_val, ad_rdnValue->ad_cname.bv_len ); + *ptr++ = '='; + ptr = lutil_strncopy( ptr, fvals[ i ].bv_val, fvals[ i ].bv_len ); + *ptr++ = ')'; + } + + if ( i > 1 ) { + *ptr++ = ')'; + } + *ptr = '\0'; + + assert( ptr == op2.ors_filterstr.bv_val + op2.ors_filterstr.bv_len ); + op2.ors_filter = str2filter_x( op, op2.ors_filterstr.bv_val ); + assert( op2.ors_filter != NULL ); + + (void)op2.o_bd->be_search( &op2, &rs2 ); + + filter_free_x( op, op2.ors_filter, 1 ); + op->o_tmpfree( op2.ors_filterstr.bv_val, op->o_tmpmemctx ); + for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) { + if ( vals[ i ].bv_val != fvals[ i ].bv_val ) { + op->o_tmpfree( fvals[ i ].bv_val, op->o_tmpmemctx ); + } + } + op->o_tmpfree( fvals, op->o_tmpmemctx ); + + if ( rs2.sr_err != LDAP_SUCCESS || gotit > 0 ) { + return LDAP_CONSTRAINT_VIOLATION; + } + + return LDAP_SUCCESS; +} + +static int +rdnval_rdn2vals( + Operation *op, + SlapReply *rs, + struct berval *dn, + struct berval *ndn, + BerVarray *valsp, + BerVarray *nvalsp, + int *numvalsp ) +{ + LDAPRDN rdn = NULL, nrdn = NULL; + int nAVA, i; + + assert( *valsp == NULL ); + assert( *nvalsp == NULL ); + + *numvalsp = 0; + + if ( ldap_bv2rdn_x( dn, &rdn, (char **)&rs->sr_text, + LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) + { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: can't figure out " + "type(s)/value(s) of rdn DN=\"%s\"\n", + op->o_log_prefix, dn->bv_val, 0 ); + rs->sr_err = LDAP_INVALID_DN_SYNTAX; + rs->sr_text = "unknown type(s) used in RDN"; + + goto done; + } + + if ( ldap_bv2rdn_x( ndn, &nrdn, + (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) + { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: can't figure out " + "type(s)/value(s) of normalized rdn DN=\"%s\"\n", + op->o_log_prefix, ndn->bv_val, 0 ); + rs->sr_err = LDAP_INVALID_DN_SYNTAX; + rs->sr_text = "unknown type(s) used in RDN"; + + goto done; + } + + for ( nAVA = 0; rdn[ nAVA ]; nAVA++ ) + /* count'em */ ; + + /* NOTE: we assume rdn and nrdn contain the same AVAs! */ + + *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); + *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 ); + + /* Add new attribute values to the entry */ + for ( i = 0; rdn[ i ]; i++ ) { + AttributeDescription *desc = NULL; + + rs->sr_err = slap_bv2ad( &rdn[ i ]->la_attr, + &desc, &rs->sr_text ); + + if ( rs->sr_err != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: %s: %s\n", + op->o_log_prefix, + rs->sr_text, + rdn[ i ]->la_attr.bv_val ); + goto done; + } + + if ( !rdnval_is_valid( desc, &rdn[ i ]->la_value ) ) { + Debug( LDAP_DEBUG_TRACE, + "%s rdnval: syntax of naming attribute '%s' " + "not compatible with directoryString", + op->o_log_prefix, rdn[ i ]->la_attr.bv_val, 0 ); + continue; + } + + if ( value_find_ex( desc, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + *nvalsp, + &nrdn[ i ]->la_value, + op->o_tmpmemctx ) + == LDAP_NO_SUCH_ATTRIBUTE ) + { + ber_dupbv( &(*valsp)[ *numvalsp ], &rdn[ i ]->la_value ); + ber_dupbv( &(*nvalsp)[ *numvalsp ], &nrdn[ i ]->la_value ); + + (*numvalsp)++; + } + } + + if ( rdnval_unique_check( op, *valsp ) != LDAP_SUCCESS ) { + rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + rs->sr_text = "rdnValue not unique within siblings"; + goto done; + } + +done:; + if ( rdn != NULL ) { + ldap_rdnfree_x( rdn, op->o_tmpmemctx ); + } + + if ( nrdn != NULL ) { + ldap_rdnfree_x( nrdn, op->o_tmpmemctx ); + } + + if ( rs->sr_err != LDAP_SUCCESS ) { + if ( *valsp != NULL ) { + ber_bvarray_free( *valsp ); + ber_bvarray_free( *nvalsp ); + *valsp = NULL; + *nvalsp = NULL; + *numvalsp = 0; + } + } + + return rs->sr_err; +} + +static int +rdnval_op_add( Operation *op, SlapReply *rs ) +{ + Attribute *a, **ap; + int numvals = 0; + BerVarray vals = NULL, nvals = NULL; + int rc; + + /* NOTE: should we accept an entry still in mods format? */ + assert( op->ora_e != NULL ); + + if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) { + return SLAP_CB_CONTINUE; + } + + a = attr_find( op->ora_e->e_attrs, ad_rdnValue ); + if ( a != NULL ) { + /* TODO: check consistency? */ + return SLAP_CB_CONTINUE; + } + + rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname, + &vals, &nvals, &numvals ); + if ( rc != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + } + + a = attr_alloc( ad_rdnValue ); + + a->a_vals = vals; + a->a_nvals = nvals; + a->a_numvals = numvals; + + for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next ) + /* goto tail */ ; + + *ap = a; + + return SLAP_CB_CONTINUE; +} + +static int +rdnval_op_rename( Operation *op, SlapReply *rs ) +{ + Modifications *ml, **mlp; + int numvals = 0; + BerVarray vals = NULL, nvals = NULL; + struct berval old; + int rc; + + dnRdn( &op->o_req_ndn, &old ); + if ( dn_match( &old, &op->orr_nnewrdn ) ) { + return SLAP_CB_CONTINUE; + } + + rc = rdnval_rdn2vals( op, rs, &op->orr_newrdn, &op->orr_nnewrdn, + &vals, &nvals, &numvals ); + if ( rc != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + } + + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = vals; + ml->sml_nvalues = nvals; + + ml->sml_numvals = numvals; + + ml->sml_op = LDAP_MOD_REPLACE; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = ad_rdnValue; + ml->sml_type = ad_rdnValue->ad_cname; + + for ( mlp = &op->orr_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next ) + /* goto tail */ ; + + *mlp = ml; + + return SLAP_CB_CONTINUE; +} + +static int +rdnval_db_init( + BackendDB *be, + ConfigReply *cr) +{ + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: rdnval cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + return 0; +} + +typedef struct rdnval_mod_t { + struct berval ndn; + BerVarray vals; + BerVarray nvals; + int numvals; + struct rdnval_mod_t *next; +} rdnval_mod_t; + +typedef struct { + BackendDB *bd; + rdnval_mod_t *mods; +} rdnval_repair_cb_t; + +static int +rdnval_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + rdnval_repair_cb_t *rcb = op->o_callback->sc_private; + rdnval_mod_t *mod; + BerVarray vals = NULL, nvals = NULL; + int numvals = 0; + ber_len_t len; + BackendDB *save_bd = op->o_bd; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + op->o_bd = rcb->bd; + rc = rdnval_rdn2vals( op, rs, &rs->sr_entry->e_name, &rs->sr_entry->e_nname, + &vals, &nvals, &numvals ); + op->o_bd = save_bd; + if ( rc != LDAP_SUCCESS ) { + return 0; + } + + len = sizeof( rdnval_mod_t ) + rs->sr_entry->e_nname.bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + mod->vals = vals; + mod->nvals = nvals; + mod->numvals = numvals; + + mod->next = rcb->mods; + rcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + + return 0; +} + +static int +rdnval_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + BackendDB db; + slap_callback sc = { 0 }; + rdnval_repair_cb_t rcb = { 0 }; + SlapReply rs = { REP_RESULT }; + rdnval_mod_t *rmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + assert( op->o_bd != NULL ); + assert( op->o_bd->be_nsuffix != NULL ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBTREE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(!(=*))" ) + ad_rdnValue->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(!(%s=*))", ad_rdnValue->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = rdnval_repair_cb; + sc.sc_private = &rcb; + rcb.bd = &db; + db = *be; + db.bd_info = (BackendInfo *)on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( rmod = rcb.mods; rmod != NULL; ) { + rdnval_mod_t *rnext; + + Modifications *mod; + SlapReply rs2 = { REP_RESULT }; + + mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_flags = SLAP_MOD_INTERNAL; + mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_desc = ad_rdnValue; + mod->sml_type = ad_rdnValue->ad_cname; + mod->sml_values = rmod->vals; + mod->sml_nvalues = rmod->nvals; + mod->sml_numvals = rmod->numvals; + mod->sml_next = NULL; + + op->o_req_dn = rmod->ndn; + op->o_req_ndn = rmod->ndn; + + op->orm_modlist = mod; + + op->o_bd->be_modify( op, &rs2 ); + + slap_mods_free( op->orm_modlist, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: rdnval_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, rmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: rdnval_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err ); + } + + rnext = rmod->next; + op->o_tmpfree( rmod, op->o_tmpmemctx ); + rmod = rnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "rdnval: repaired=%d\n", nrepaired ); + + return 0; +} + +/* search all entries without parentUUID; "repair" them */ +static int +rdnval_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "rdnval incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + return rdnval_repair( be ); +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.3.6.1.4.1.4203.666.1.58 " + "NAME 'rdnValue' " + "DESC 'the value of the naming attributes' " + "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' " + "EQUALITY caseIgnoreMatch " + "USAGE dSAOperation " + "NO-USER-MODIFICATION " + ")", + &ad_rdnValue }, + { NULL } +}; + +int +rdnval_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "rdnval_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + syn_IA5String = syn_find( "1.3.6.1.4.1.1466.115.121.1.26" ); + if ( syn_IA5String == NULL ) { + Debug( LDAP_DEBUG_ANY, + "rdnval_initialize: unable to find syntax '1.3.6.1.4.1.1466.115.121.1.26' (IA5String)\n", + 0, 0, 0 ); + return LDAP_OTHER; + } + + rdnval.on_bi.bi_type = "rdnval"; + + rdnval.on_bi.bi_op_add = rdnval_op_add; + rdnval.on_bi.bi_op_modrdn = rdnval_op_rename; + + rdnval.on_bi.bi_db_init = rdnval_db_init; + rdnval.on_bi.bi_db_open = rdnval_db_open; + + return overlay_register( &rdnval ); +} + +#if SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return rdnval_initialize(); +} +#endif /* SLAPD_OVER_RDNVAL == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_RDNVAL */ diff --git a/contrib/slapd-modules/samba4/vernum.c b/contrib/slapd-modules/samba4/vernum.c new file mode 100644 index 0000000..6035d86 --- /dev/null +++ b/contrib/slapd-modules/samba4/vernum.c @@ -0,0 +1,459 @@ +/* vernum.c - RDN value overlay */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * Portions Copyright 2008 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati + * for inclusion in OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_VERNUM + +#include <stdio.h> + +#include "ac/string.h" +#include "ac/socket.h" + +#include "slap.h" +#include "config.h" + +#include "lutil.h" + +/* + * Maintain an attribute (e.g. msDS-KeyVersionNumber) that consists + * in a counter of modifications of another attribute (e.g. unicodePwd). + */ + +typedef struct vernum_t { + AttributeDescription *vn_attr; + AttributeDescription *vn_vernum; +} vernum_t; + +static AttributeDescription *ad_msDS_KeyVersionNumber; + +static struct berval val_init = BER_BVC( "0" ); +static slap_overinst vernum; + +static int +vernum_op_add( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + Attribute *a, **ap; + int rc; + + /* NOTE: should we accept an entry still in mods format? */ + assert( op->ora_e != NULL ); + + if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) { + return SLAP_CB_CONTINUE; + } + + a = attr_find( op->ora_e->e_attrs, vn->vn_attr ); + if ( a == NULL ) { + return SLAP_CB_CONTINUE; + } + + if ( attr_find( op->ora_e->e_attrs, vn->vn_vernum ) != NULL ) { + /* already present - leave it alone */ + return SLAP_CB_CONTINUE; + } + + a = attr_alloc( vn->vn_vernum ); + + value_add_one( &a->a_vals, &val_init ); + a->a_nvals = a->a_vals; + a->a_numvals = 1; + + for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next ) + /* goto tail */ ; + + *ap = a; + + return SLAP_CB_CONTINUE; +} + +static int +vernum_op_modify( Operation *op, SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + Modifications *ml, **mlp; + struct berval val = BER_BVC( "1" ); + int rc; + unsigned got = 0; + + for ( ml = op->orm_modlist; ml != NULL; ml = ml->sml_next ) { + if ( ml->sml_desc == vn->vn_vernum ) { + /* already present - leave it alone + * (or should we increment it anyway?) */ + return SLAP_CB_CONTINUE; + } + + if ( ml->sml_desc == vn->vn_attr ) { + got = 1; + } + } + + if ( !got ) { + return SLAP_CB_CONTINUE; + } + + for ( mlp = &op->orm_modlist; *mlp != NULL; mlp = &(*mlp)->sml_next ) + /* goto tail */ ; + + /* ITS#6561 */ +#ifdef SLAP_MOD_ADD_IF_NOT_PRESENT + /* the initial value is only added if the vernum attr is not present */ + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val_init ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; + ml->sml_op = SLAP_MOD_ADD_IF_NOT_PRESENT; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = vn->vn_vernum; + ml->sml_type = vn->vn_vernum->ad_cname; + + *mlp = ml; + mlp = &ml->sml_next; +#endif /* SLAP_MOD_ADD_IF_NOT_PRESENT */ + + /* this increments by 1 the vernum attr */ + ml = SLAP_CALLOC( sizeof( Modifications ), 1 ); + ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 ); + value_add_one( &ml->sml_values, &val ); + ml->sml_nvalues = NULL; + ml->sml_numvals = 1; + ml->sml_op = LDAP_MOD_INCREMENT; + ml->sml_flags = SLAP_MOD_INTERNAL; + ml->sml_desc = vn->vn_vernum; + ml->sml_type = vn->vn_vernum->ad_cname; + + *mlp = ml; + + return SLAP_CB_CONTINUE; +} + +static int +vernum_db_init( + BackendDB *be, + ConfigReply *cr) +{ + slap_overinst *on = (slap_overinst *) be->bd_info; + vernum_t *vn = NULL; + + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: vernum cannot be used as global overlay.\n" ); + return 1; + } + + if ( be->be_nsuffix == NULL ) { + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: database must have suffix\n" ); + return 1; + } + + if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum_db_init: missing rootdn for database DN=\"%s\", YMMV\n", + be->be_suffix[ 0 ].bv_val ); + } + + vn = (vernum_t *)ch_calloc( 1, sizeof( vernum_t ) ); + + on->on_bi.bi_private = (void *)vn; + + return 0; +} + +typedef struct vernum_mod_t { + struct berval ndn; + struct vernum_mod_t *next; +} vernum_mod_t; + +typedef struct { + BackendDB *bd; + vernum_mod_t *mods; +} vernum_repair_cb_t; + +static int +vernum_repair_cb( Operation *op, SlapReply *rs ) +{ + int rc; + vernum_repair_cb_t *rcb = op->o_callback->sc_private; + vernum_mod_t *mod; + ber_len_t len; + BackendDB *save_bd = op->o_bd; + + switch ( rs->sr_type ) { + case REP_SEARCH: + break; + + case REP_SEARCHREF: + case REP_RESULT: + return rs->sr_err; + + default: + assert( 0 ); + } + + assert( rs->sr_entry != NULL ); + + len = sizeof( vernum_mod_t ) + rs->sr_entry->e_nname.bv_len + 1; + mod = op->o_tmpalloc( len, op->o_tmpmemctx ); + mod->ndn.bv_len = rs->sr_entry->e_nname.bv_len; + mod->ndn.bv_val = (char *)&mod[1]; + lutil_strncopy( mod->ndn.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + + mod->next = rcb->mods; + rcb->mods = mod; + + Debug( LDAP_DEBUG_TRACE, "%s: vernum_repair_cb: scheduling entry DN=\"%s\" for repair\n", + op->o_log_prefix, rs->sr_entry->e_name.bv_val, 0 ); + + return 0; +} + +static int +vernum_repair( BackendDB *be ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + void *ctx = ldap_pvt_thread_pool_context(); + Connection conn = { 0 }; + OperationBuffer opbuf; + Operation *op; + BackendDB db; + slap_callback sc = { 0 }; + vernum_repair_cb_t rcb = { 0 }; + SlapReply rs = { REP_RESULT }; + vernum_mod_t *rmod; + int nrepaired = 0; + + connection_fake_init2( &conn, &opbuf, ctx, 0 ); + op = &opbuf.ob_op; + + op->o_tag = LDAP_REQ_SEARCH; + memset( &op->oq_search, 0, sizeof( op->oq_search ) ); + + assert( !BER_BVISNULL( &be->be_nsuffix[ 0 ] ) ); + + op->o_bd = select_backend( &be->be_nsuffix[ 0 ], 0 ); + assert( op->o_bd != NULL ); + assert( op->o_bd->be_nsuffix != NULL ); + + op->o_req_dn = op->o_bd->be_suffix[ 0 ]; + op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ]; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + + op->ors_scope = LDAP_SCOPE_SUBTREE; + op->ors_tlimit = SLAP_NO_LIMIT; + op->ors_slimit = SLAP_NO_LIMIT; + op->ors_attrs = slap_anlist_no_attrs; + + op->ors_filterstr.bv_len = STRLENOF( "(&(=*)(!(=*)))" ) + + vn->vn_attr->ad_cname.bv_len + + vn->vn_vernum->ad_cname.bv_len; + op->ors_filterstr.bv_val = op->o_tmpalloc( op->ors_filterstr.bv_len + 1, op->o_tmpmemctx ); + snprintf( op->ors_filterstr.bv_val, op->ors_filterstr.bv_len + 1, + "(&(%s=*)(!(%s=*)))", + vn->vn_attr->ad_cname.bv_val, + vn->vn_vernum->ad_cname.bv_val ); + + op->ors_filter = str2filter_x( op, op->ors_filterstr.bv_val ); + if ( op->ors_filter == NULL ) { + rs.sr_err = LDAP_OTHER; + goto done_search; + } + + op->o_callback = ≻ + sc.sc_response = vernum_repair_cb; + sc.sc_private = &rcb; + rcb.bd = &db; + db = *be; + db.bd_info = (BackendInfo *)on; + + (void)op->o_bd->bd_info->bi_op_search( op, &rs ); + + op->o_tag = LDAP_REQ_MODIFY; + sc.sc_response = slap_null_cb; + sc.sc_private = NULL; + memset( &op->oq_modify, 0, sizeof( req_modify_s ) ); + + for ( rmod = rcb.mods; rmod != NULL; ) { + vernum_mod_t *rnext; + Modifications mod; + struct berval vals[2] = { BER_BVNULL }; + SlapReply rs2 = { REP_RESULT }; + + mod.sml_flags = SLAP_MOD_INTERNAL; + mod.sml_op = LDAP_MOD_REPLACE; + mod.sml_desc = vn->vn_vernum; + mod.sml_type = vn->vn_vernum->ad_cname; + mod.sml_values = vals; + mod.sml_values[0] = val_init; + mod.sml_nvalues = NULL; + mod.sml_numvals = 1; + mod.sml_next = NULL; + + op->o_req_dn = rmod->ndn; + op->o_req_ndn = rmod->ndn; + + op->orm_modlist = &mod; + + op->o_bd->be_modify( op, &rs2 ); + + slap_mods_free( op->orm_modlist->sml_next, 1 ); + if ( rs2.sr_err == LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "%s: vernum_repair: entry DN=\"%s\" repaired\n", + op->o_log_prefix, rmod->ndn.bv_val, 0 ); + nrepaired++; + + } else { + Debug( LDAP_DEBUG_ANY, "%s: vernum_repair: entry DN=\"%s\" repair failed (%d)\n", + op->o_log_prefix, rmod->ndn.bv_val, rs2.sr_err ); + } + + rnext = rmod->next; + op->o_tmpfree( rmod, op->o_tmpmemctx ); + rmod = rnext; + } + +done_search:; + op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + filter_free_x( op, op->ors_filter, 1 ); + + Log1( LDAP_DEBUG_STATS, LDAP_LEVEL_INFO, + "vernum: repaired=%d\n", nrepaired ); + + return 0; +} + +static int +vernum_db_open( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + if ( SLAP_SINGLE_SHADOW( be ) ) { + Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, + "vernum incompatible with shadow database \"%s\".\n", + be->be_suffix[ 0 ].bv_val ); + return 1; + } + + /* default: unicodePwd & msDS-KeyVersionNumber */ + if ( vn->vn_attr == NULL ) { + const char *text = NULL; + int rc; + + rc = slap_str2ad( "unicodePwd", &vn->vn_attr, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "vernum: unable to find attribute 'unicodePwd' (%d: %s)\n", + rc, text, 0 ); + return 1; + } + + vn->vn_vernum = ad_msDS_KeyVersionNumber; + } + + return vernum_repair( be ); +} + +static int +vernum_db_destroy( + BackendDB *be, + ConfigReply *cr ) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + vernum_t *vn = (vernum_t *)on->on_bi.bi_private; + + if ( vn ) { + ch_free( vn ); + on->on_bi.bi_private = NULL; + } + + return 0; +} + +static struct { + char *desc; + AttributeDescription **adp; +} as[] = { + { "( 1.2.840.113556.1.4.1782 " + "NAME 'msDS-KeyVersionNumber' " + "DESC 'in the original specification the syntax is 2.5.5.9' " + "SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' " + "EQUALITY integerMatch " + "SINGLE-VALUE " + "USAGE dSAOperation " + "NO-USER-MODIFICATION " + ")", + &ad_msDS_KeyVersionNumber }, + { NULL } +}; + +int +vernum_initialize(void) +{ + int code, i; + + for ( i = 0; as[ i ].desc != NULL; i++ ) { + code = register_at( as[ i ].desc, as[ i ].adp, 0 ); + if ( code ) { + Debug( LDAP_DEBUG_ANY, + "vernum_initialize: register_at #%d failed\n", + i, 0, 0 ); + return code; + } + + /* Allow Manager to set these as needed */ + if ( is_at_no_user_mod( (*as[ i ].adp)->ad_type ) ) { + (*as[ i ].adp)->ad_type->sat_flags |= + SLAP_AT_MANAGEABLE; + } + } + + vernum.on_bi.bi_type = "vernum"; + + vernum.on_bi.bi_op_add = vernum_op_add; + vernum.on_bi.bi_op_modify = vernum_op_modify; + + vernum.on_bi.bi_db_init = vernum_db_init; + vernum.on_bi.bi_db_open = vernum_db_open; + vernum.on_bi.bi_db_destroy = vernum_db_destroy; + + return overlay_register( &vernum ); +} + +#if SLAPD_OVER_VERNUM == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return vernum_initialize(); +} +#endif /* SLAPD_OVER_VERNUM == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_OVER_VERNUM */ diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile new file mode 100644 index 0000000..7a60bc5 --- /dev/null +++ b/contrib/slapd-modules/smbk5pwd/Makefile @@ -0,0 +1,65 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 1998-2021 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +SSL_INC = +SSL_LIB = -lcrypto + +HEIMDAL_INC = -I/usr/heimdal/include +HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +# Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. +DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW +INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) +LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) + +PROGRAMS = smbk5pwd.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +smbk5pwd.la: smbk5pwd.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README new file mode 100644 index 0000000..ecc7cc6 --- /dev/null +++ b/contrib/slapd-modules/smbk5pwd/README @@ -0,0 +1,94 @@ +This directory contains a slapd overlay, smbk5pwd, that extends the +PasswordModify Extended Operation to update Kerberos keys and Samba +password hashes for an LDAP user. + +The Kerberos support is written for Heimdal using its hdb-ldap backend. +If a PasswordModify is performed on an entry that has the krb5KDCEntry +objectclass, then the krb5Key and krb5KeyVersionNumber will be updated +using the new password in the PasswordModify request. Additionally, a +new "{K5KEY}" password hash mechanism is provided. For krb5KDCEntries that +have this hash specifier in their userPassword attribute, Simple Binds +will be checked against the Kerberos keys of the Entry. No data is +needed after the "{K5KEY}" hash specifier in the userPassword, it is +looked up from the Entry directly. + +The Samba support is written using the Samba 3.0 LDAP schema. If a +PasswordModify is performed on an entry that has the sambaSamAccount +objectclass, then the sambaLMPassword, sambaNTPassword, and sambaPwdLastSet +attributes will be updated accordingly. + +To use the overlay, add: + + include <path to>/krb5-kdc.schema + include <path to>/samba.schema + + moduleload <path to>smbk5pwd.so + ... + + database bdb + ... + overlay smbk5pwd + +to your slapd configuration file. (You should obtain the necessary schema +files from the Heimdal and/or Samba distributions. At this time, there +are several known errors in these schema files that you will have to +correct before they will load in slapd. As of Samba 3.0 the schema looks +fine as shipped.) + +All modules compiled in (i.e. krb5 and samba) are enabled; the statement + + smbk5pwd-enable <module> + +can be used to enable only the desired one(s); legal values for <module> +are "krb5", "samba" and "shadow", if they are respectively enabled by defining +DO_KRB5, DO_SAMBA and DO_SHADOW. + +The samba module also supports the + + smbk5pwd-must-change <seconds> + +which sets the "sambaPwdMustChange" attribute accordingly to force passwd +expiry. A value of 0 disables this feature. + +The overlay now supports table-driven configuration, and thus can be run-time +loaded and configured via back-config. The layout of the entry is + + # {0}smbk5pwd, {1}bdb, config + dn: olcOverlay={0}smbk5pwd,olcDatabase={1}bdb,cn=config + objectClass: olcOverlayConfig + objectClass: olcSmbK5PwdConfig + olcOverlay: {0}smbk5pwd + olcSmbK5PwdEnable: krb5 + olcSmbK5PwdEnable: samba + olcSmbK5PwdMustChange: 2592000 + +which enables both krb5 and samba modules with a password expiry time +of 30 days. + +The provided Makefile builds both Kerberos and Samba support by default. +You must edit the Makefile to insure that the correct include and library +paths are used. You can change the DEFS macro if you only want one or the +other of Kerberos or Samba support. + +This overlay is only set up to be built as a dynamically loaded module. +On most platforms, in order for the module to be usable, all of the +library dependencies must also be available as shared libraries. + +If you need to build the overlay statically, you will have to move it into the +slapd/overlays directory and edit the Makefile and overlays.c to reference +it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC, +and add the relevant libraries to the main slapd link command. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. +Copyright 2004-2021 The OpenLDAP Foundation. +Portions Copyright 2004-2005 Howard Chu, Symas Corp. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c new file mode 100644 index 0000000..deee870 --- /dev/null +++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c @@ -0,0 +1,1177 @@ +/* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * Portions Copyright 2004-2005 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * Support for table-driven configuration added by Pierangelo Masarati. + * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre. + * Support for shadowLastChange added by SATOH Fumiyasu @ OSS Technology, Inc. + */ + +#include <portable.h> + +#ifndef SLAPD_OVER_SMBK5PWD +#define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC +#endif + +#ifdef SLAPD_OVER_SMBK5PWD + +#include <slap.h> +#include <ac/errno.h> +#include <ac/string.h> + +#include "config.h" + +#ifdef DO_KRB5 +#include <lber.h> +#include <lber_pvt.h> +#include <lutil.h> + +/* make ASN1_MALLOC_ENCODE use our allocator */ +#define malloc ch_malloc + +#include <krb5.h> +#include <kadm5/admin.h> +#include <hdb.h> + +#ifndef HDB_INTERFACE_VERSION +#define HDB_MASTER_KEY_SET master_key_set +#else +#define HDB_MASTER_KEY_SET hdb_master_key_set +#endif + +static krb5_context context; +static void *kadm_context; +static kadm5_config_params conf; +static HDB *db; + +static AttributeDescription *ad_krb5Key; +static AttributeDescription *ad_krb5KeyVersionNumber; +static AttributeDescription *ad_krb5PrincipalName; +static AttributeDescription *ad_krb5ValidEnd; +static ObjectClass *oc_krb5KDCEntry; +#endif + +#ifdef DO_SAMBA +#ifdef HAVE_GNUTLS +#include <nettle/des.h> +#include <nettle/md4.h> +typedef unsigned char DES_cblock[8]; +#elif HAVE_OPENSSL +#include <openssl/des.h> +#include <openssl/md4.h> +#else +#error Unsupported crypto backend. +#endif +#include "ldap_utf8.h" + +static AttributeDescription *ad_sambaLMPassword; +static AttributeDescription *ad_sambaNTPassword; +static AttributeDescription *ad_sambaPwdLastSet; +static AttributeDescription *ad_sambaPwdMustChange; +static AttributeDescription *ad_sambaPwdCanChange; +static ObjectClass *oc_sambaSamAccount; +#endif + +#ifdef DO_SHADOW +static AttributeDescription *ad_shadowLastChange; +static ObjectClass *oc_shadowAccount; +#endif + +/* Per-instance configuration information */ +typedef struct smbk5pwd_t { + unsigned mode; +#define SMBK5PWD_F_KRB5 (0x1U) +#define SMBK5PWD_F_SAMBA (0x2U) +#define SMBK5PWD_F_SHADOW (0x4U) + +#define SMBK5PWD_DO_KRB5(pi) ((pi)->mode & SMBK5PWD_F_KRB5) +#define SMBK5PWD_DO_SAMBA(pi) ((pi)->mode & SMBK5PWD_F_SAMBA) +#define SMBK5PWD_DO_SHADOW(pi) ((pi)->mode & SMBK5PWD_F_SHADOW) + +#ifdef DO_KRB5 + /* nothing yet */ +#endif + +#ifdef DO_SAMBA + /* How many seconds before forcing a password change? */ + time_t smb_must_change; + /* How many seconds after allowing a password change? */ + time_t smb_can_change; +#endif + +#ifdef DO_SHADOW + /* nothing yet */ +#endif +} smbk5pwd_t; + +static const unsigned SMBK5PWD_F_ALL = + 0 +#ifdef DO_KRB5 + | SMBK5PWD_F_KRB5 +#endif +#ifdef DO_SAMBA + | SMBK5PWD_F_SAMBA +#endif +#ifdef DO_SHADOW + | SMBK5PWD_F_SHADOW +#endif +; + +static int smbk5pwd_modules_init( smbk5pwd_t *pi ); + +#ifdef DO_SAMBA +static const char hex[] = "0123456789abcdef"; + +/* From liblutil/passwd.c... */ +static void lmPasswd_to_key( + const char *lmPasswd, + DES_cblock *key) +{ + const unsigned char *lpw = (const unsigned char *)lmPasswd; + unsigned char *k = (unsigned char *)key; + + /* make room for parity bits */ + k[0] = lpw[0]; + k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1); + k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2); + k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3); + k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4); + k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5); + k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6); + k[7] = ((lpw[6]&0x7F)<<1); + +#ifdef HAVE_OPENSSL + DES_set_odd_parity( key ); +#endif +} + +#define MAX_PWLEN 256 +#define HASHLEN 16 + +static void hexify( + const char in[HASHLEN], + struct berval *out +) +{ + int i; + char *a; + unsigned char *b; + + out->bv_val = ch_malloc(HASHLEN*2 + 1); + out->bv_len = HASHLEN*2; + + a = out->bv_val; + b = (unsigned char *)in; + for (i=0; i<HASHLEN; i++) { + *a++ = hex[*b >> 4]; + *a++ = hex[*b++ & 0x0f]; + } + *a++ = '\0'; +} + +static void lmhash( + struct berval *passwd, + struct berval *hash +) +{ + char UcasePassword[15]; + DES_cblock key; + DES_cblock StdText = "KGS!@#$%"; + DES_cblock hbuf[2]; +#ifdef HAVE_OPENSSL + DES_key_schedule schedule; +#elif defined(HAVE_GNUTLS) + struct des_ctx ctx; +#endif + + strncpy( UcasePassword, passwd->bv_val, 14 ); + UcasePassword[14] = '\0'; + ldap_pvt_str2upper( UcasePassword ); + + lmPasswd_to_key( UcasePassword, &key ); +#ifdef HAVE_GNUTLS + des_set_key( &ctx, key ); + des_encrypt( &ctx, sizeof(key), hbuf[0], StdText ); + + lmPasswd_to_key( &UcasePassword[7], &key ); + des_set_key( &ctx, key ); + des_encrypt( &ctx, sizeof(key), hbuf[1], StdText ); +#elif defined(HAVE_OPENSSL) + DES_set_key_unchecked( &key, &schedule ); + DES_ecb_encrypt( &StdText, &hbuf[0], &schedule , DES_ENCRYPT ); + + lmPasswd_to_key( &UcasePassword[7], &key ); + DES_set_key_unchecked( &key, &schedule ); + DES_ecb_encrypt( &StdText, &hbuf[1], &schedule , DES_ENCRYPT ); +#endif + + hexify( (char *)hbuf, hash ); +} + +static void nthash( + struct berval *passwd, + struct berval *hash +) +{ + /* Windows currently only allows 14 character passwords, but + * may support up to 256 in the future. We assume this means + * 256 UCS2 characters, not 256 bytes... + */ + char hbuf[HASHLEN]; +#ifdef HAVE_OPENSSL + MD4_CTX ctx; +#elif defined(HAVE_GNUTLS) + struct md4_ctx ctx; +#endif + + if (passwd->bv_len > MAX_PWLEN*2) + passwd->bv_len = MAX_PWLEN*2; + +#ifdef HAVE_OPENSSL + MD4_Init( &ctx ); + MD4_Update( &ctx, passwd->bv_val, passwd->bv_len ); + MD4_Final( (unsigned char *)hbuf, &ctx ); +#elif defined(HAVE_GNUTLS) + md4_init( &ctx ); + md4_update( &ctx, passwd->bv_len, (unsigned char *)passwd->bv_val ); + md4_digest( &ctx, sizeof(hbuf), (unsigned char *)hbuf ); +#endif + + hexify( hbuf, hash ); +} +#endif /* DO_SAMBA */ + +#ifdef DO_KRB5 + +static int smbk5pwd_op_cleanup( + Operation *op, + SlapReply *rs ) +{ + slap_callback *cb; + + /* clear out the current key */ + ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, + NULL, 0, NULL, NULL ); + + /* free the callback */ + cb = op->o_callback; + op->o_callback = cb->sc_next; + op->o_tmpfree( cb, op->o_tmpmemctx ); + return 0; +} + +static int smbk5pwd_op_bind( + Operation *op, + SlapReply *rs ) +{ + /* If this is a simple Bind, stash the Op pointer so our chk + * function can find it. Set a cleanup callback to clear it + * out when the Bind completes. + */ + if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) { + slap_callback *cb; + ldap_pvt_thread_pool_setkey( op->o_threadctx, + smbk5pwd_op_cleanup, op, 0, NULL, NULL ); + cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx ); + cb->sc_cleanup = smbk5pwd_op_cleanup; + cb->sc_next = op->o_callback; + op->o_callback = cb; + } + return SLAP_CB_CONTINUE; +} + +static LUTIL_PASSWD_CHK_FUNC k5key_chk; +static LUTIL_PASSWD_HASH_FUNC k5key_hash; +static const struct berval k5key_scheme = BER_BVC("{K5KEY}"); + +/* This password scheme stores no data in the userPassword attribute + * other than the scheme name. It assumes the invoking entry is a + * krb5KDCentry and compares the passed-in credentials against the + * krb5Key attribute. The krb5Key may be multi-valued, but they are + * simply multiple keytypes generated from the same input string, so + * only the first value needs to be compared here. + * + * Since the lutil_passwd API doesn't pass the Entry object in, we + * have to fetch it ourselves in order to get access to the other + * attributes. We accomplish this with the help of the overlay's Bind + * function, which stores the current Operation pointer in thread-specific + * storage so we can retrieve it here. The Operation provides all + * the necessary context for us to get Entry from the database. + */ +static int k5key_chk( + const struct berval *sc, + const struct berval *passwd, + const struct berval *cred, + const char **text ) +{ + void *ctx, *op_tmp; + Operation *op; + int rc; + Entry *e; + Attribute *a; + krb5_error_code ret; + krb5_keyblock key; + krb5_salt salt; + hdb_entry ent; + + /* Find our thread context, find our Operation */ + ctx = ldap_pvt_thread_pool_context(); + + if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL ) + || !op_tmp ) + return LUTIL_PASSWD_ERR; + op = op_tmp; + + rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); + if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR; + + rc = LUTIL_PASSWD_ERR; + do { + size_t l; + Key ekey = {0}; + + a = attr_find( e->e_attrs, ad_krb5PrincipalName ); + if (!a ) break; + + memset( &ent, 0, sizeof(ent) ); + ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal); + if ( ret ) break; + + a = attr_find( e->e_attrs, ad_krb5ValidEnd ); + if (a) { + struct lutil_tm tm; + struct lutil_timet tt; + if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 && + lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) { + /* Account is expired */ + rc = LUTIL_PASSWD_ERR; + break; + } + } + + krb5_get_pw_salt( context, ent.principal, &salt ); + krb5_free_principal( context, ent.principal ); + + a = attr_find( e->e_attrs, ad_krb5Key ); + if ( !a ) break; + + ent.keys.len = 1; + ent.keys.val = &ekey; + decode_Key((unsigned char *) a->a_vals[0].bv_val, + (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l); + if ( db->HDB_MASTER_KEY_SET ) + hdb_unseal_keys( context, db, &ent ); + + krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val, + salt, &key ); + + krb5_free_salt( context, salt ); + + if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data, + key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK; + + krb5_free_keyblock_contents( context, &key ); + krb5_free_keyblock_contents( context, &ekey.key ); + + } while(0); + be_entry_release_r( op, e ); + return rc; +} + +static int k5key_hash( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + ber_dupbv( hash, (struct berval *)&k5key_scheme ); + return LUTIL_PASSWD_OK; +} +#endif /* DO_KRB5 */ + +static int smbk5pwd_exop_passwd( + Operation *op, + SlapReply *rs ) +{ + int rc; + req_pwdexop_s *qpw = &op->oq_pwdexop; + Entry *e; + Modifications *ml; + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + smbk5pwd_t *pi = on->on_bi.bi_private; + char term; + + /* Not the operation we expected, pass it on... */ + if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) { + return SLAP_CB_CONTINUE; + } + + op->o_bd->bd_info = (BackendInfo *)on->on_info; + rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); + if ( rc != LDAP_SUCCESS ) return rc; + + term = qpw->rs_new.bv_val[qpw->rs_new.bv_len]; + qpw->rs_new.bv_val[qpw->rs_new.bv_len] = '\0'; + +#ifdef DO_KRB5 + /* Kerberos stuff */ + do { + krb5_error_code ret; + hdb_entry ent; + struct berval *keys; + size_t nkeys; + int kvno, i; + Attribute *a; + + if ( !SMBK5PWD_DO_KRB5( pi ) ) break; + + if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break; + + a = attr_find( e->e_attrs, ad_krb5PrincipalName ); + if ( !a ) break; + + memset( &ent, 0, sizeof(ent) ); + ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal); + if ( ret ) break; + + a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber ); + kvno = 0; + if ( a ) { + if ( lutil_atoi( &kvno, a->a_vals[0].bv_val ) != 0 ) { + Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " + "dn=\"%s\" unable to parse krb5KeyVersionNumber=\"%s\"\n", + op->o_log_prefix, e->e_name.bv_val, a->a_vals[0].bv_val ); + } + + } else { + /* shouldn't happen, this is a required attr */ + Debug( LDAP_DEBUG_ANY, "%s smbk5pwd EXOP: " + "dn=\"%s\" missing krb5KeyVersionNumber\n", + op->o_log_prefix, e->e_name.bv_val, 0 ); + } + + ret = hdb_generate_key_set_password(context, ent.principal, + qpw->rs_new.bv_val, &ent.keys.val, &nkeys); + ent.keys.len = nkeys; + hdb_seal_keys(context, db, &ent); + krb5_free_principal( context, ent.principal ); + + keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval)); + + for (i = 0; i < ent.keys.len; i++) { + unsigned char *buf; + size_t len; + + ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret); + if (ret != 0) + break; + + keys[i].bv_val = (char *)buf; + keys[i].bv_len = len; + } + BER_BVZERO( &keys[i] ); + + hdb_free_keys(context, ent.keys.len, ent.keys.val); + + if ( i != ent.keys.len ) { + ber_bvarray_free( keys ); + break; + } + + ml = ch_malloc(sizeof(Modifications)); + if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next; + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + ml->sml_desc = ad_krb5Key; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = i; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + ml->sml_desc = ad_krb5KeyVersionNumber; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = ch_malloc( 2 * sizeof(struct berval)); + ml->sml_values[0].bv_val = ch_malloc( 64 ); + ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val, + "%d", kvno+1 ); + BER_BVZERO( &ml->sml_values[1] ); + ml->sml_nvalues = NULL; + } while ( 0 ); +#endif /* DO_KRB5 */ + +#ifdef DO_SAMBA + /* Samba stuff */ + if ( SMBK5PWD_DO_SAMBA( pi ) && is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) { + struct berval *keys; + ber_len_t j,l; + wchar_t *wcs, wc; + char *c, *d; + struct berval pwd; + + /* Expand incoming UTF8 string to UCS4 */ + l = ldap_utf8_chars(qpw->rs_new.bv_val); + wcs = ch_malloc((l+1) * sizeof(wchar_t)); + + ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l ); + + /* Truncate UCS4 to UCS2 */ + c = (char *)wcs; + for (j=0; j<l; j++) { + wc = wcs[j]; + *c++ = wc & 0xff; + *c++ = (wc >> 8) & 0xff; + } + *c++ = 0; + pwd.bv_val = (char *)wcs; + pwd.bv_len = l * 2; + + ml = ch_malloc(sizeof(Modifications)); + if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next; + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + BER_BVZERO( &keys[1] ); + nthash( &pwd, keys ); + + ml->sml_desc = ad_sambaNTPassword; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + + /* Truncate UCS2 to 8-bit ASCII */ + c = pwd.bv_val+1; + d = pwd.bv_val+2; + for (j=1; j<l; j++) { + *c++ = *d++; + d++; + } + pwd.bv_len /= 2; + pwd.bv_val[pwd.bv_len] = '\0'; + + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + BER_BVZERO( &keys[1] ); + lmhash( &pwd, keys ); + + ml->sml_desc = ad_sambaLMPassword; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + + ch_free(wcs); + + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); + keys[0].bv_len = snprintf(keys[0].bv_val, + LDAP_PVT_INTTYPE_CHARS(long), + "%ld", slap_get_time()); + BER_BVZERO( &keys[1] ); + + ml->sml_desc = ad_sambaPwdLastSet; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + + if (pi->smb_must_change) + { + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); + keys[0].bv_len = snprintf(keys[0].bv_val, + LDAP_PVT_INTTYPE_CHARS(long), + "%ld", slap_get_time() + pi->smb_must_change); + BER_BVZERO( &keys[1] ); + + ml->sml_desc = ad_sambaPwdMustChange; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + } + + if (pi->smb_can_change) + { + ml = ch_malloc(sizeof(Modifications)); + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( 2 * sizeof(struct berval) ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); + keys[0].bv_len = snprintf(keys[0].bv_val, + LDAP_PVT_INTTYPE_CHARS(long), + "%ld", slap_get_time() + pi->smb_can_change); + BER_BVZERO( &keys[1] ); + + ml->sml_desc = ad_sambaPwdCanChange; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + } + } +#endif /* DO_SAMBA */ + +#ifdef DO_SHADOW + /* shadow stuff */ + if ( SMBK5PWD_DO_SHADOW( pi ) && is_entry_objectclass(e, oc_shadowAccount, 0 ) ) { + struct berval *keys; + + ml = ch_malloc(sizeof(Modifications)); + if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next; + ml->sml_next = qpw->rs_mods; + qpw->rs_mods = ml; + + keys = ch_malloc( sizeof(struct berval) * 2); + BER_BVZERO( &keys[1] ); + keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) ); + keys[0].bv_len = snprintf(keys[0].bv_val, + LDAP_PVT_INTTYPE_CHARS(long), + "%ld", (long)(slap_get_time() / (60 * 60 * 24))); + + ml->sml_desc = ad_shadowLastChange; + ml->sml_op = LDAP_MOD_REPLACE; +#ifdef SLAP_MOD_INTERNAL + ml->sml_flags = SLAP_MOD_INTERNAL; +#endif + ml->sml_numvals = 1; + ml->sml_values = keys; + ml->sml_nvalues = NULL; + } +#endif /* DO_SHADOW */ + + be_entry_release_r( op, e ); + qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term; + + return SLAP_CB_CONTINUE; +} + +static slap_overinst smbk5pwd; + +/* back-config stuff */ +enum { + PC_SMB_MUST_CHANGE = 1, + PC_SMB_CAN_CHANGE, + PC_SMB_ENABLE +}; + +static ConfigDriver smbk5pwd_cf_func; + +/* + * NOTE: uses OID arcs OLcfgCtAt:1 and OLcfgCtOc:1 + */ + +static ConfigTable smbk5pwd_cfats[] = { + { "smbk5pwd-enable", "arg", + 2, 0, 0, ARG_MAGIC|PC_SMB_ENABLE, smbk5pwd_cf_func, + "( OLcfgCtAt:1.1 NAME 'olcSmbK5PwdEnable' " + "DESC 'Modules to be enabled' " + "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "smbk5pwd-must-change", "time", + 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_MUST_CHANGE, smbk5pwd_cf_func, + "( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' " + "DESC 'Credentials validity interval' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + { "smbk5pwd-can-change", "time", + 2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func, + "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' " + "DESC 'Credentials minimum validity interval' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, + + { NULL, NULL, 0, 0, 0, ARG_IGNORED } +}; + +static ConfigOCs smbk5pwd_cfocs[] = { + { "( OLcfgCtOc:1.1 " + "NAME 'olcSmbK5PwdConfig' " + "DESC 'smbk5pwd overlay configuration' " + "SUP olcOverlayConfig " + "MAY ( " + "olcSmbK5PwdEnable " + "$ olcSmbK5PwdMustChange " + "$ olcSmbK5PwdCanChange " + ") )", Cft_Overlay, smbk5pwd_cfats }, + + { NULL, 0, NULL } +}; + +/* + * add here other functionalities; handle their initialization + * as appropriate in smbk5pwd_modules_init(). + */ +static slap_verbmasks smbk5pwd_modules[] = { + { BER_BVC( "krb5" ), SMBK5PWD_F_KRB5 }, + { BER_BVC( "samba" ), SMBK5PWD_F_SAMBA }, + { BER_BVC( "shadow" ), SMBK5PWD_F_SHADOW }, + { BER_BVNULL, -1 } +}; + +static int +smbk5pwd_cf_func( ConfigArgs *c ) +{ + slap_overinst *on = (slap_overinst *)c->bi; + + int rc = 0; + smbk5pwd_t *pi = on->on_bi.bi_private; + + if ( c->op == SLAP_CONFIG_EMIT ) { + switch( c->type ) { + case PC_SMB_MUST_CHANGE: +#ifdef DO_SAMBA + c->value_int = pi->smb_must_change; +#else /* ! DO_SAMBA */ + c->value_int = 0; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_CAN_CHANGE: +#ifdef DO_SAMBA + c->value_int = pi->smb_can_change; +#else /* ! DO_SAMBA */ + c->value_int = 0; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_ENABLE: + c->rvalue_vals = NULL; + if ( pi->mode ) { + mask_to_verbs( smbk5pwd_modules, pi->mode, &c->rvalue_vals ); + if ( c->rvalue_vals == NULL ) { + rc = 1; + } + } + break; + + default: + assert( 0 ); + rc = 1; + } + return rc; + + } else if ( c->op == LDAP_MOD_DELETE ) { + switch( c->type ) { + case PC_SMB_MUST_CHANGE: + break; + + case PC_SMB_CAN_CHANGE: + break; + + case PC_SMB_ENABLE: + if ( !c->line ) { + pi->mode = 0; + + } else { + int i; + + i = verb_to_mask( c->line, smbk5pwd_modules ); + pi->mode &= ~smbk5pwd_modules[i].mask; + } + break; + + default: + assert( 0 ); + rc = 1; + } + return rc; + } + + switch( c->type ) { + case PC_SMB_MUST_CHANGE: +#ifdef DO_SAMBA + if ( c->value_int < 0 ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> invalid negative value \"%d\".", + c->log, c->argv[ 0 ], 0 ); + return 1; + } + pi->smb_must_change = c->value_int; +#else /* ! DO_SAMBA */ + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> only meaningful " + "when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], 0 ); + return 1; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_CAN_CHANGE: +#ifdef DO_SAMBA + if ( c->value_int < 0 ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> invalid negative value \"%d\".", + c->log, c->argv[ 0 ], 0 ); + return 1; + } + pi->smb_can_change = c->value_int; +#else /* ! DO_SAMBA */ + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> only meaningful " + "when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], 0 ); + return 1; +#endif /* ! DO_SAMBA */ + break; + + case PC_SMB_ENABLE: { + slap_mask_t mode = pi->mode, m = 0; + + rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m ); + if ( rc > 0 ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> unknown module \"%s\".\n", + c->log, c->argv[ 0 ], c->argv[ rc ] ); + return 1; + } + + /* we can hijack the smbk5pwd_t structure because + * from within the configuration, this is the only + * active thread. */ + pi->mode |= m; + +#ifndef DO_KRB5 + if ( SMBK5PWD_DO_KRB5( pi ) ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> module \"%s\" only allowed when compiled with -DDO_KRB5.\n", + c->log, c->argv[ 0 ], c->argv[ rc ] ); + pi->mode = mode; + return 1; + } +#endif /* ! DO_KRB5 */ + +#ifndef DO_SAMBA + if ( SMBK5PWD_DO_SAMBA( pi ) ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> module \"%s\" only allowed when compiled with -DDO_SAMBA.\n", + c->log, c->argv[ 0 ], c->argv[ rc ] ); + pi->mode = mode; + return 1; + } +#endif /* ! DO_SAMBA */ + +#ifndef DO_SHADOW + if ( SMBK5PWD_DO_SHADOW( pi ) ) { + Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: " + "<%s> module \"%s\" only allowed when compiled with -DDO_SHADOW.\n", + c->log, c->argv[ 0 ], c->argv[ rc ] ); + pi->mode = mode; + return 1; + } +#endif /* ! DO_SHADOW */ + + /* Re-initialize the module, because + * the configuration might have changed */ + rc = smbk5pwd_modules_init( pi ); + if ( rc ) { + pi->mode = mode; + return 1; + } + + } break; + + default: + assert( 0 ); + return 1; + } + return rc; +} + +static int +smbk5pwd_modules_init( smbk5pwd_t *pi ) +{ + static struct { + const char *name; + AttributeDescription **adp; + } +#ifdef DO_KRB5 + krb5_ad[] = { + { "krb5Key", &ad_krb5Key }, + { "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber }, + { "krb5PrincipalName", &ad_krb5PrincipalName }, + { "krb5ValidEnd", &ad_krb5ValidEnd }, + { NULL } + }, +#endif /* DO_KRB5 */ +#ifdef DO_SAMBA + samba_ad[] = { + { "sambaLMPassword", &ad_sambaLMPassword }, + { "sambaNTPassword", &ad_sambaNTPassword }, + { "sambaPwdLastSet", &ad_sambaPwdLastSet }, + { "sambaPwdMustChange", &ad_sambaPwdMustChange }, + { "sambaPwdCanChange", &ad_sambaPwdCanChange }, + { NULL } + }, +#endif /* DO_SAMBA */ +#ifdef DO_SHADOW + shadow_ad[] = { + { "shadowLastChange", &ad_shadowLastChange }, + { NULL } + }, +#endif /* DO_SHADOW */ + dummy_ad; + + /* this is to silence the unused var warning */ + (void) dummy_ad; + +#ifdef DO_KRB5 + if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) { + krb5_error_code ret; + extern HDB *_kadm5_s_get_db(void *); + + int i, rc; + + /* Make sure all of our necessary schema items are loaded */ + oc_krb5KDCEntry = oc_find( "krb5KDCEntry" ); + if ( !oc_krb5KDCEntry ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"krb5KDCEntry\" objectClass.\n", + 0, 0, 0 ); + return -1; + } + + for ( i = 0; krb5_ad[ i ].name != NULL; i++ ) { + const char *text; + + *(krb5_ad[ i ].adp) = NULL; + + rc = slap_str2ad( krb5_ad[ i ].name, krb5_ad[ i ].adp, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"%s\" attributeType: %s (%d).\n", + krb5_ad[ i ].name, text, rc ); + oc_krb5KDCEntry = NULL; + return rc; + } + } + + /* Initialize Kerberos context */ + ret = krb5_init_context(&context); + if (ret) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to initialize krb5 context (%d).\n", + ret, 0, 0 ); + oc_krb5KDCEntry = NULL; + return -1; + } + + ret = kadm5_s_init_with_password_ctx( context, + KADM5_ADMIN_SERVICE, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, &kadm_context ); + if (ret) { + char *err_str, *err_msg = "<unknown error>"; + err_str = krb5_get_error_string( context ); + if (!err_str) + err_msg = (char *)krb5_get_err_text( context, ret ); + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to initialize krb5 admin context: %s (%d).\n", + err_str ? err_str : err_msg, ret, 0 ); + if (err_str) + krb5_free_error_string( context, err_str ); + krb5_free_context( context ); + oc_krb5KDCEntry = NULL; + return -1; + } + + db = _kadm5_s_get_db( kadm_context ); + } +#endif /* DO_KRB5 */ + +#ifdef DO_SAMBA + if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) { + int i, rc; + + oc_sambaSamAccount = oc_find( "sambaSamAccount" ); + if ( !oc_sambaSamAccount ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"sambaSamAccount\" objectClass.\n", + 0, 0, 0 ); + return -1; + } + + for ( i = 0; samba_ad[ i ].name != NULL; i++ ) { + const char *text; + + *(samba_ad[ i ].adp) = NULL; + + rc = slap_str2ad( samba_ad[ i ].name, samba_ad[ i ].adp, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"%s\" attributeType: %s (%d).\n", + samba_ad[ i ].name, text, rc ); + oc_sambaSamAccount = NULL; + return rc; + } + } + } +#endif /* DO_SAMBA */ + +#ifdef DO_SHADOW + if ( SMBK5PWD_DO_SHADOW( pi ) && oc_shadowAccount == NULL ) { + int i, rc; + + oc_shadowAccount = oc_find( "shadowAccount" ); + if ( !oc_shadowAccount ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"shadowAccount\" objectClass.\n", + 0, 0, 0 ); + return -1; + } + + for ( i = 0; shadow_ad[ i ].name != NULL; i++ ) { + const char *text; + + *(shadow_ad[ i ].adp) = NULL; + + rc = slap_str2ad( shadow_ad[ i ].name, shadow_ad[ i ].adp, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "smbk5pwd: " + "unable to find \"%s\" attributeType: %s (%d).\n", + shadow_ad[ i ].name, text, rc ); + oc_shadowAccount = NULL; + return rc; + } + } + } +#endif /* DO_SHADOW */ + + return 0; +} + +static int +smbk5pwd_db_init(BackendDB *be, ConfigReply *cr) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi; + + pi = ch_calloc( 1, sizeof( smbk5pwd_t ) ); + if ( pi == NULL ) { + return 1; + } + on->on_bi.bi_private = (void *)pi; + + return 0; +} + +static int +smbk5pwd_db_open(BackendDB *be, ConfigReply *cr) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; + + int rc; + + if ( pi->mode == 0 ) { + pi->mode = SMBK5PWD_F_ALL; + } + + rc = smbk5pwd_modules_init( pi ); + if ( rc ) { + return rc; + } + + return 0; +} + +static int +smbk5pwd_db_destroy(BackendDB *be, ConfigReply *cr) +{ + slap_overinst *on = (slap_overinst *)be->bd_info; + smbk5pwd_t *pi = (smbk5pwd_t *)on->on_bi.bi_private; + + if ( pi ) { + ch_free( pi ); + } + + return 0; +} + +int +smbk5pwd_initialize(void) +{ + int rc; + + smbk5pwd.on_bi.bi_type = "smbk5pwd"; + + smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init; + smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open; + smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy; + + smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd; + +#ifdef DO_KRB5 + smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind; + + lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash ); +#endif + + smbk5pwd.on_bi.bi_cf_ocs = smbk5pwd_cfocs; + + rc = config_register_schema( smbk5pwd_cfats, smbk5pwd_cfocs ); + if ( rc ) { + return rc; + } + + return overlay_register( &smbk5pwd ); +} + +#if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC +int init_module(int argc, char *argv[]) { + return smbk5pwd_initialize(); +} +#endif + +#endif /* defined(SLAPD_OVER_SMBK5PWD) */ diff --git a/contrib/slapd-modules/trace/Makefile b/contrib/slapd-modules/trace/Makefile new file mode 100644 index 0000000..2c36ae7 --- /dev/null +++ b/contrib/slapd-modules/trace/Makefile @@ -0,0 +1,46 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 -Wall +DEFS = -DSLAPD_OVER_TRACE=SLAPD_MOD_DYNAMIC +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = trace.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +trace.la: trace.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/trace/trace.c b/contrib/slapd-modules/trace/trace.c new file mode 100644 index 0000000..6e4e2f7 --- /dev/null +++ b/contrib/slapd-modules/trace/trace.c @@ -0,0 +1,255 @@ +/* trace.c - traces overlay invocation */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2006-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion in + * OpenLDAP Software. + */ + +#include "portable.h" + +#ifdef SLAPD_OVER_TRACE + +#include <stdio.h> + +#include <ac/string.h> +#include <ac/socket.h> + +#include "slap.h" +#include "lutil.h" + +static int +trace_op2str( Operation *op, char **op_strp ) +{ + switch ( op->o_tag ) { + case LDAP_REQ_BIND: + *op_strp = "BIND"; + break; + + case LDAP_REQ_UNBIND: + *op_strp = "UNBIND"; + break; + + case LDAP_REQ_SEARCH: + *op_strp = "SEARCH"; + break; + + case LDAP_REQ_MODIFY: + *op_strp = "MODIFY"; + break; + + case LDAP_REQ_ADD: + *op_strp = "ADD"; + break; + + case LDAP_REQ_DELETE: + *op_strp = "DELETE"; + break; + + case LDAP_REQ_MODRDN: + *op_strp = "MODRDN"; + break; + + case LDAP_REQ_COMPARE: + *op_strp = "COMPARE"; + break; + + case LDAP_REQ_ABANDON: + *op_strp = "ABANDON"; + break; + + case LDAP_REQ_EXTENDED: + *op_strp = "EXTENDED"; + break; + + default: + assert( 0 ); + } + + return 0; +} + +static int +trace_op_func( Operation *op, SlapReply *rs ) +{ + char *op_str = NULL; + + (void)trace_op2str( op, &op_str ); + + switch ( op->o_tag ) { + case LDAP_REQ_EXTENDED: + Log3( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=EXTENDED dn=\"%s\" reqoid=%s\n", + op->o_log_prefix, + BER_BVISNULL( &op->o_req_ndn ) ? "(null)" : op->o_req_ndn.bv_val, + BER_BVISNULL( &op->ore_reqoid ) ? "" : op->ore_reqoid.bv_val ); + break; + + default: + Log3( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=%s dn=\"%s\"\n", + op->o_log_prefix, op_str, + BER_BVISNULL( &op->o_req_ndn ) ? "(null)" : op->o_req_ndn.bv_val ); + break; + } + + return SLAP_CB_CONTINUE; +} + +static int +trace_response( Operation *op, SlapReply *rs ) +{ + char *op_str = NULL; + + (void)trace_op2str( op, &op_str ); + + switch ( op->o_tag ) { + case LDAP_REQ_EXTENDED: + Log5( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=EXTENDED RESPONSE dn=\"%s\" reqoid=%s rspoid=%s err=%d\n", + op->o_log_prefix, + BER_BVISNULL( &op->o_req_ndn ) ? "(null)" : op->o_req_ndn.bv_val, + BER_BVISNULL( &op->ore_reqoid ) ? "" : op->ore_reqoid.bv_val, + rs->sr_rspoid == NULL ? "" : rs->sr_rspoid, + rs->sr_err ); + break; + + case LDAP_REQ_SEARCH: + switch ( rs->sr_type ) { + case REP_SEARCH: + Log2( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=SEARCH ENTRY dn=\"%s\"\n", + op->o_log_prefix, + rs->sr_entry->e_name.bv_val ); + goto done; + + case REP_SEARCHREF: + Log2( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=SEARCH REFERENCE ref=\"%s\"\n", + op->o_log_prefix, + rs->sr_ref[ 0 ].bv_val ); + goto done; + + case REP_RESULT: + break; + + default: + assert( 0 ); + } + /* fallthru */ + + default: + Log4( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "%s trace op=%s RESPONSE dn=\"%s\" err=%d\n", + op->o_log_prefix, + op_str, + BER_BVISNULL( &op->o_req_ndn ) ? "(null)" : op->o_req_ndn.bv_val, + rs->sr_err ); + break; + } + +done:; + return SLAP_CB_CONTINUE; +} + +static int +trace_db_init( BackendDB *be, ConfigReply *cr ) +{ + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "trace DB_INIT\n" ); + + return 0; +} + +static int +trace_db_config( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) +{ + Log2( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "trace DB_CONFIG argc=%d argv[0]=\"%s\"\n", + argc, argv[ 0 ] ); + + return 0; +} + +static int +trace_db_open( BackendDB *be, ConfigReply *cr ) +{ + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "trace DB_OPEN\n" ); + + return 0; +} + +static int +trace_db_close( BackendDB *be, ConfigReply *cr ) +{ + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "trace DB_CLOSE\n" ); + + return 0; +} + +static int +trace_db_destroy( BackendDB *be, ConfigReply *cr ) +{ + Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_INFO, + "trace DB_DESTROY\n" ); + + return 0; +} + +static slap_overinst trace; + +int +trace_initialize() +{ + trace.on_bi.bi_type = "trace"; + + trace.on_bi.bi_db_init = trace_db_init; + trace.on_bi.bi_db_open = trace_db_open; + trace.on_bi.bi_db_config = trace_db_config; + trace.on_bi.bi_db_close = trace_db_close; + trace.on_bi.bi_db_destroy = trace_db_destroy; + + trace.on_bi.bi_op_add = trace_op_func; + trace.on_bi.bi_op_bind = trace_op_func; + trace.on_bi.bi_op_unbind = trace_op_func; + trace.on_bi.bi_op_compare = trace_op_func; + trace.on_bi.bi_op_delete = trace_op_func; + trace.on_bi.bi_op_modify = trace_op_func; + trace.on_bi.bi_op_modrdn = trace_op_func; + trace.on_bi.bi_op_search = trace_op_func; + trace.on_bi.bi_op_abandon = trace_op_func; + trace.on_bi.bi_extended = trace_op_func; + + trace.on_response = trace_response; + + return overlay_register( &trace ); +} + +#if SLAPD_OVER_TRACE == SLAPD_MOD_DYNAMIC +int +init_module( int argc, char *argv[] ) +{ + return trace_initialize(); +} +#endif /* SLAPD_OVER_TRACE == SLAPD_MOD_DYNAMIC */ + +#endif /* defined(SLAPD_OVER_TRACE) */ |