[thirdparty/squid.git] / helpers / digest_auth / eDirectory / edir_ldapext.cc

/*
 * NDS LDAP helper functions
 * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
 * limited functionality needed to access the plain text password only
 *
 * Original copyright & license follows:
 *
 * Copyright (C) Vince Brimhall			2004-2005
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
*/
#include "squid.h"

#include "digest_common.h"

#if _SQUID_MSWIN_            /* Native Windows port and MinGW */

#define snprintf _snprintf
#include <windows.h>
#include <winldap.h>
#include <winber.h>
#ifndef LDAPAPI
#define LDAPAPI __cdecl
#endif
#ifdef LDAP_VERSION3
#ifndef LDAP_OPT_X_TLS
#define LDAP_OPT_X_TLS 0x6000
#endif
#define ber_alloc() ber_alloc_t(0)
#endif /* LDAP_VERSION3 */

#else

#include <lber.h>
#include <ldap.h>

#endif
#include <wchar.h>

#include "edir_ldapext.h"

#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST	"2.16.840.1.113719.1.39.42.100.3"
#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE	"2.16.840.1.113719.1.39.42.100.4"
#define NMASLDAP_SET_PASSWORD_REQUEST		"2.16.840.1.113719.1.39.42.100.11"
#define NMASLDAP_SET_PASSWORD_RESPONSE		"2.16.840.1.113719.1.39.42.100.12"
#define NMASLDAP_GET_PASSWORD_REQUEST		"2.16.840.1.113719.1.39.42.100.13"
#define NMASLDAP_GET_PASSWORD_RESPONSE		"2.16.840.1.113719.1.39.42.100.14"

#define NMAS_LDAP_EXT_VERSION				1

#define SMB_MALLOC_ARRAY(type, nelem)		calloc(sizeof(type), nelem)
#define DEBUG(level, args)

/**********************************************************************
 Take the request BER value and input data items and BER encodes the
 data into the BER value
**********************************************************************/

static int berEncodePasswordData(
    struct berval **requestBV,
    const char    *objectDN,
    const char    *password,
    const char    *password2)
{
    int err = 0, rc=0;
    BerElement *requestBer = NULL;

    const char    * utf8ObjPtr = NULL;
    int     utf8ObjSize = 0;
    const char    * utf8PwdPtr = NULL;
    int     utf8PwdSize = 0;
    const char    * utf8Pwd2Ptr = NULL;
    int     utf8Pwd2Size = 0;


    /* Convert objectDN and tag strings from Unicode to UTF-8 */
    utf8ObjSize = strlen(objectDN)+1;
    utf8ObjPtr = objectDN;

    if (password != NULL) {
        utf8PwdSize = strlen(password)+1;
        utf8PwdPtr = password;
    }

    if (password2 != NULL) {
        utf8Pwd2Size = strlen(password2)+1;
        utf8Pwd2Ptr = password2;
    }

    /* Allocate a BerElement for the request parameters. */
    if ((requestBer = ber_alloc()) == NULL) {
        err = LDAP_ENCODING_ERROR;
        ber_free(requestBer, 1);
        return err;
    }

    if (password != NULL && password2 != NULL) {
        /* BER encode the NMAS Version, the objectDN, and the password */
        rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
    } else if (password != NULL) {
        /* BER encode the NMAS Version, the objectDN, and the password */
        rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
    } else {
        /* BER encode the NMAS Version and the objectDN */
        rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
    }

    if (rc < 0) {
        err = LDAP_ENCODING_ERROR;
    } else {
        err = 0;
        /* Convert the BER we just built to a berval that we'll send with the extended request. */
        if ((ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
            err = LDAP_ENCODING_ERROR;
        }
    }

    if (requestBer) {
        ber_free(requestBer, 1);
    }

    return err;
}

/**********************************************************************
 Take the request BER value and input data items and BER encodes the
 data into the BER value
**********************************************************************/

static int berEncodeLoginData(
    struct berval **requestBV,
    char     *objectDN,
    unsigned int  methodIDLen,
    unsigned int *methodID,
    char     *tag,
    size_t   putDataLen,
    void     *putData)
{
    int err = 0;
    BerElement *requestBer = NULL;

    unsigned int i;
    unsigned int elemCnt = methodIDLen / sizeof(unsigned int);

    char	*utf8ObjPtr=NULL;
    int     utf8ObjSize = 0;

    char    *utf8TagPtr = NULL;
    int     utf8TagSize = 0;

    utf8ObjPtr = objectDN;
    utf8ObjSize = strlen(utf8ObjPtr)+1;

    utf8TagPtr = tag;
    utf8TagSize = strlen(utf8TagPtr)+1;

    /* Allocate a BerElement for the request parameters. */
    if ((requestBer = ber_alloc()) == NULL) {
        err = LDAP_ENCODING_ERROR;
        return err;
    }

    /* BER encode the NMAS Version and the objectDN */
    err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;

    /* BER encode the MethodID Length and value */
    if (!err) {
        err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
    }

    for (i = 0; !err && i < elemCnt; i++) {
        err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
    }

    if (!err) {
        err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
    }

    if (putData) {
        /* BER Encode the the tag and data */
        err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
    } else {
        /* BER Encode the the tag */
        err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
    }

    /* Convert the BER we just built to a berval that we'll send with the extended request. */
    if (!err && (ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
        err = LDAP_ENCODING_ERROR;
    }

    if (requestBer) {
        ber_free(requestBer, 1);
    }

    return err;
}

/**********************************************************************
 Takes the reply BER Value and decodes the NMAS server version and
 return code and if a non null retData buffer was supplied, tries to
 decode the the return data and length
**********************************************************************/

static int berDecodeLoginData(
    struct berval *replyBV,
    int      *serverVersion,
    size_t   *retDataLen,
    void     *retData )
{
    int err = 0;
    BerElement *replyBer = NULL;
    char    *retOctStr = NULL;
    size_t  retOctStrLen = 0;

    if ((replyBer = ber_init(replyBV)) == NULL) {
        err = LDAP_OPERATIONS_ERROR;
    } else if (retData) {
        retOctStrLen = *retDataLen + 1;
        retOctStr = (char*)SMB_MALLOC_ARRAY(char, retOctStrLen);
        if (!retOctStr) {
            err = LDAP_OPERATIONS_ERROR;
        } else if (ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != LBER_ERROR) {
            if (*retDataLen >= retOctStrLen) {
                memcpy(retData, retOctStr, retOctStrLen);
            } else if (!err) {
                err = LDAP_NO_MEMORY;
            }

            *retDataLen = retOctStrLen;
        } else if (!err) {
            err = LDAP_DECODING_ERROR;
        }
    } else {
        if (ber_scanf(replyBer, "{ii}", serverVersion, &err) == LBER_ERROR) {
            if (!err) {
                err = LDAP_DECODING_ERROR;
            }
        }
    }

    if (replyBer) {
        ber_free(replyBer, 1);
    }

    if (retOctStr != NULL) {
        memset(retOctStr, 0, retOctStrLen);
        free(retOctStr);
    }

    return err;
}

/**********************************************************************
 Retrieves data in the login configuration of the specified object
 that is tagged with the specified methodID and tag.
**********************************************************************/

static int getLoginConfig(
    LDAP	 *ld,
    char     *objectDN,
    unsigned int  methodIDLen,
    unsigned int *methodID,
    char     *tag,
    size_t   *dataLen,
    void     *data )
{
    int     err = 0;
    struct  berval *requestBV = NULL;
    char    *replyOID = NULL;
    struct  berval *replyBV = NULL;
    int     serverVersion = 0;

    /* Validate unicode parameters. */
    if ((strlen(objectDN) == 0) || ld == NULL) {
        return LDAP_NO_SUCH_ATTRIBUTE;
    }

    err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
    if (err) {
        ;
    } else if (!err && (err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
                              requestBV, NULL, NULL, &replyOID, &replyBV))) {
        /* Call the ldap_extended_operation (synchronously) */
        ;
    } else if (!replyOID) {
        /* Make sure there is a return OID */
        err = LDAP_NOT_SUPPORTED;
    } else if (strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) {
        /* Is this what we were expecting to get back. */
        err = LDAP_NOT_SUPPORTED;
    } else if (!replyBV) {
        /* Do we have a good returned berval? */

        /* No; returned berval means we experienced a rather drastic error. */
        /* Return operations error. */
        err = LDAP_OPERATIONS_ERROR;
    } else {

        err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);

        if (serverVersion != NMAS_LDAP_EXT_VERSION) {
            err = LDAP_OPERATIONS_ERROR;
        }
    }

    if (replyBV) {
        ber_bvfree(replyBV);
    }

    /* Free the return OID string if one was returned. */
    if (replyOID) {
        ldap_memfree(replyOID);
    }

    /* Free memory allocated while building the request ber and berval. */
    if (requestBV) {
        ber_bvfree(requestBV);
    }

    /* Return the appropriate error/success code. */
    return err;
}

/**********************************************************************
 Attempts to get the Simple Password
**********************************************************************/

static int nmasldap_get_simple_pwd(
    LDAP	 *ld,
    char     *objectDN,
    size_t	 pwdLen,
    char     *pwd )
{
    int err = 0;
    unsigned int methodID = 0;
    unsigned int methodIDLen = sizeof(methodID);
    char    tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
    char    *pwdBuf=NULL;
    size_t  pwdBufLen, bufferLen;

    bufferLen = pwdBufLen = pwdLen+2;
    pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
    if (pwdBuf == NULL) {
        return LDAP_NO_MEMORY;
    }

    err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
    if (err == 0) {
        if (pwdBufLen !=0) {
            pwdBuf[pwdBufLen] = 0;       /* null terminate */

            switch (pwdBuf[0]) {
            case 1:  /* cleartext password  */
                break;
            case 2:  /* SHA1 HASH */
            case 3:  /* MD5_ID */
            case 4:  /* UNIXCrypt_ID */
            case 8:  /* SSHA_ID */
            default: /* Unknown digest */
                err = LDAP_INAPPROPRIATE_AUTH;  /* only return clear text */
                break;
            }

            if (!err) {
                if (pwdLen >= pwdBufLen-1) {
                    memcpy(pwd, &pwdBuf[1], pwdBufLen-1);  /* skip digest tag and include null */
                } else {
                    err = LDAP_NO_MEMORY;
                }
            }
        }
    }

    if (pwdBuf != NULL) {
        memset(pwdBuf, 0, bufferLen);
        free(pwdBuf);
    }

    return err;
}


/**********************************************************************
 Attempts to get the Universal Password
**********************************************************************/

static int nmasldap_get_password(
    LDAP	 *ld,
    char     *objectDN,
    size_t   *pwdSize,	/* in bytes */
    unsigned char     *pwd )
{
    int err = 0;

    struct berval *requestBV = NULL;
    char *replyOID = NULL;
    struct berval *replyBV = NULL;
    int serverVersion;
    char *pwdBuf;
    size_t pwdBufLen, bufferLen;

    /* Validate char parameters. */
    if (objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL) {
        return LDAP_NO_SUCH_ATTRIBUTE;
    }

    bufferLen = pwdBufLen = *pwdSize;
    pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen+2);
    if (pwdBuf == NULL) {
        return LDAP_NO_MEMORY;
    }

    err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
    if (err) {
        ;
    } else if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) {
        ; /* Call the ldap_extended_operation (synchronously) */
    } else if (!replyOID) {
        /* Make sure there is a return OID */
        err = LDAP_NOT_SUPPORTED;
    } else if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
        /* Is this what we were expecting to get back. */
        err = LDAP_NOT_SUPPORTED;
    } else if (!replyBV) {
        /* Do we have a good returned berval? */
        /* No; returned berval means we experienced a rather drastic error. */
        /* Return operations error. */
        err = LDAP_OPERATIONS_ERROR;
    } else {
        err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);

        if (serverVersion != NMAS_LDAP_EXT_VERSION) {
            err = LDAP_OPERATIONS_ERROR;

        } else if (!err && pwdBufLen != 0) {
            if (*pwdSize >= pwdBufLen+1 && pwd != NULL) {
                memcpy(pwd, pwdBuf, pwdBufLen);
                pwd[pwdBufLen] = 0; /* add null termination */
            }
            *pwdSize = pwdBufLen; /* does not include null termination */
        }
    }

    if (replyBV) {
        ber_bvfree(replyBV);
    }

    /* Free the return OID string if one was returned. */
    if (replyOID) {
        ldap_memfree(replyOID);
    }

    /* Free memory allocated while building the request ber and berval. */
    if (requestBV) {
        ber_bvfree(requestBV);
    }

    if (pwdBuf != NULL) {
        memset(pwdBuf, 0, bufferLen);
        free(pwdBuf);
    }

    /* Return the appropriate error/success code. */
    return err;
}

/**********************************************************************
 Get the user's password from NDS.
 *********************************************************************/

int nds_get_password(
    LDAP *ld,
    char *object_dn,
    size_t *pwd_len,
    char *pwd )
{
    int rc = -1;

    rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
    if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
        DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
#endif
        DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
    } else {
        DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
    }

    if (rc != LDAP_SUCCESS) {
        rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
        if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
            DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
#endif
            DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
        } else {
            /* We couldn't get the password */
            DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
            return LDAP_INVALID_CREDENTIALS;
        }
    }

    /* We got the password */
    return LDAP_SUCCESS;
}
Commit	Line	Data
26ac0430	1	/*
591c3246	2	* NDS LDAP helper functions
	3	* Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
	4	* limited functionality needed to access the plain text password only
89f77e43	5	*
591c3246	6	* Original copyright & license follows:
89f77e43	7	*
591c3246	8	* Copyright (C) Vince Brimhall 2004-2005
26ac0430	9	*
591c3246	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
	12	* the Free Software Foundation; either version 2 of the License, or
	13	* (at your option) any later version.
26ac0430	14	*
591c3246	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
26ac0430	19	*
591c3246	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26ac0430	23	*
591c3246	24	*/
f7f3304a	25	#include "squid.h"
f971fe39	26
f5a88a5e	27	#include "digest_common.h"
f5a88a5e	28
1191b93b	29	#if _SQUID_MSWIN_ /* Native Windows port and MinGW */
f5a88a5e	30
	31	#define snprintf _snprintf
	32	#include <windows.h>
	33	#include <winldap.h>
	34	#include <winber.h>
	35	#ifndef LDAPAPI
	36	#define LDAPAPI __cdecl
	37	#endif
	38	#ifdef LDAP_VERSION3
	39	#ifndef LDAP_OPT_X_TLS
	40	#define LDAP_OPT_X_TLS 0x6000
	41	#endif
	42	#define ber_alloc() ber_alloc_t(0)
	43	#endif /* LDAP_VERSION3 */
	44
	45	#else
	46
f971fe39	47	#include <lber.h>
f971fe39	48	#include <ldap.h>
f5a88a5e	49
f5a88a5e	50	#endif
591c3246	51	#include <wchar.h>
e9505fad	52
	53	#include "edir_ldapext.h"
	54
591c3246	55	#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
	56	#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
	57	#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
	58	#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
	59	#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
	60	#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
89f77e43	61
591c3246	62	#define NMAS_LDAP_EXT_VERSION 1
89f77e43	63
591c3246	64	#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem)
591c3246	65	#define DEBUG(level, args)
89f77e43	66
591c3246	67	/**********************************************************************
	68	Take the request BER value and input data items and BER encodes the
	69	data into the BER value
	70	**********************************************************************/
89f77e43	71
591c3246	72	static int berEncodePasswordData(
26ac0430 AJ	73	struct berval **requestBV,
	74	const char *objectDN,
	75	const char *password,
	76	const char *password2)
591c3246	77	{
26ac0430 AJ	78	int err = 0, rc=0;
	79	BerElement *requestBer = NULL;
	80
	81	const char * utf8ObjPtr = NULL;
	82	int utf8ObjSize = 0;
	83	const char * utf8PwdPtr = NULL;
	84	int utf8PwdSize = 0;
	85	const char * utf8Pwd2Ptr = NULL;
	86	int utf8Pwd2Size = 0;
	87
	88
	89	/* Convert objectDN and tag strings from Unicode to UTF-8 */
	90	utf8ObjSize = strlen(objectDN)+1;
	91	utf8ObjPtr = objectDN;
	92
	93	if (password != NULL) {
	94	utf8PwdSize = strlen(password)+1;
	95	utf8PwdPtr = password;
	96	}
	97
	98	if (password2 != NULL) {
	99	utf8Pwd2Size = strlen(password2)+1;
	100	utf8Pwd2Ptr = password2;
	101	}
	102
	103	/* Allocate a BerElement for the request parameters. */
	104	if ((requestBer = ber_alloc()) == NULL) {
	105	err = LDAP_ENCODING_ERROR;
56ff4687 AJ	106	ber_free(requestBer, 1);
56ff4687 AJ	107	return err;
26ac0430 AJ	108	}
	109
	110	if (password != NULL && password2 != NULL) {
	111	/* BER encode the NMAS Version, the objectDN, and the password */
	112	rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
	113	} else if (password != NULL) {
	114	/* BER encode the NMAS Version, the objectDN, and the password */
	115	rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
	116	} else {
	117	/* BER encode the NMAS Version and the objectDN */
	118	rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
	119	}
	120
	121	if (rc < 0) {
	122	err = LDAP_ENCODING_ERROR;
26ac0430 AJ	123	} else {
26ac0430 AJ	124	err = 0;
56ff4687 AJ	125	/* Convert the BER we just built to a berval that we'll send with the extended request. */
	126	if ((ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
	127	err = LDAP_ENCODING_ERROR;
	128	}
26ac0430 AJ	129	}
26ac0430 AJ	130
26ac0430 AJ	131	if (requestBer) {
	132	ber_free(requestBer, 1);
	133	}
591c3246	134
26ac0430	135	return err;
591c3246	136	}
	137
	138	/**********************************************************************
	139	Take the request BER value and input data items and BER encodes the
	140	data into the BER value
	141	**********************************************************************/
	142
	143	static int berEncodeLoginData(
26ac0430 AJ	144	struct berval **requestBV,
	145	char *objectDN,
	146	unsigned int methodIDLen,
	147	unsigned int *methodID,
	148	char *tag,
	149	size_t putDataLen,
	150	void *putData)
89f77e43	151	{
26ac0430 AJ	152	int err = 0;
	153	BerElement *requestBer = NULL;
	154
	155	unsigned int i;
	156	unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
	157
	158	char *utf8ObjPtr=NULL;
	159	int utf8ObjSize = 0;
	160
	161	char *utf8TagPtr = NULL;
	162	int utf8TagSize = 0;
	163
	164	utf8ObjPtr = objectDN;
	165	utf8ObjSize = strlen(utf8ObjPtr)+1;
	166
	167	utf8TagPtr = tag;
	168	utf8TagSize = strlen(utf8TagPtr)+1;
	169
	170	/* Allocate a BerElement for the request parameters. */
	171	if ((requestBer = ber_alloc()) == NULL) {
	172	err = LDAP_ENCODING_ERROR;
56ff4687	173	return err;
26ac0430 AJ	174	}
	175
	176	/* BER encode the NMAS Version and the objectDN */
	177	err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
	178
	179	/* BER encode the MethodID Length and value */
	180	if (!err) {
	181	err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
	182	}
	183
	184	for (i = 0; !err && i < elemCnt; i++) {
	185	err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
	186	}
	187
	188	if (!err) {
	189	err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
	190	}
	191
	192	if (putData) {
	193	/* BER Encode the the tag and data */
	194	err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
	195	} else {
	196	/* BER Encode the the tag */
	197	err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
	198	}
	199
26ac0430	200	/* Convert the BER we just built to a berval that we'll send with the extended request. */
56ff4687	201	if (!err && (ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
26ac0430	202	err = LDAP_ENCODING_ERROR;
26ac0430	203	}
591c3246	204
26ac0430 AJ	205	if (requestBer) {
	206	ber_free(requestBer, 1);
	207	}
591c3246	208
26ac0430	209	return err;
591c3246	210	}
	211
	212	/**********************************************************************
	213	Takes the reply BER Value and decodes the NMAS server version and
	214	return code and if a non null retData buffer was supplied, tries to
	215	decode the the return data and length
	216	**********************************************************************/
	217
	218	static int berDecodeLoginData(
26ac0430 AJ	219	struct berval *replyBV,
	220	int *serverVersion,
	221	size_t *retDataLen,
	222	void *retData )
89f77e43	223	{
26ac0430 AJ	224	int err = 0;
	225	BerElement *replyBer = NULL;
	226	char *retOctStr = NULL;
	227	size_t retOctStrLen = 0;
	228
	229	if ((replyBer = ber_init(replyBV)) == NULL) {
	230	err = LDAP_OPERATIONS_ERROR;
feec68a0	231	} else if (retData) {
26ac0430	232	retOctStrLen = *retDataLen + 1;
56ff4687	233	retOctStr = (char*)SMB_MALLOC_ARRAY(char, retOctStrLen);
26ac0430 AJ	234	if (!retOctStr) {
26ac0430 AJ	235	err = LDAP_OPERATIONS_ERROR;
feec68a0	236	} else if (ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != LBER_ERROR) {
26ac0430 AJ	237	if (*retDataLen >= retOctStrLen) {
	238	memcpy(retData, retOctStr, retOctStrLen);
	239	} else if (!err) {
	240	err = LDAP_NO_MEMORY;
	241	}
	242
	243	*retDataLen = retOctStrLen;
	244	} else if (!err) {
	245	err = LDAP_DECODING_ERROR;
	246	}
	247	} else {
56ff4687	248	if (ber_scanf(replyBer, "{ii}", serverVersion, &err) == LBER_ERROR) {
26ac0430 AJ	249	if (!err) {
	250	err = LDAP_DECODING_ERROR;
	251	}
	252	}
	253	}
591c3246	254
26ac0430 AJ	255	if (replyBer) {
	256	ber_free(replyBer, 1);
	257	}
591c3246	258
26ac0430 AJ	259	if (retOctStr != NULL) {
	260	memset(retOctStr, 0, retOctStrLen);
	261	free(retOctStr);
	262	}
591c3246	263
26ac0430	264	return err;
591c3246	265	}
	266
	267	/**********************************************************************
	268	Retrieves data in the login configuration of the specified object
	269	that is tagged with the specified methodID and tag.
	270	**********************************************************************/
	271
	272	static int getLoginConfig(
26ac0430 AJ	273	LDAP *ld,
	274	char *objectDN,
	275	unsigned int methodIDLen,
	276	unsigned int *methodID,
	277	char *tag,
	278	size_t *dataLen,
	279	void *data )
89f77e43	280	{
26ac0430 AJ	281	int err = 0;
	282	struct berval *requestBV = NULL;
	283	char *replyOID = NULL;
	284	struct berval *replyBV = NULL;
	285	int serverVersion = 0;
	286
	287	/* Validate unicode parameters. */
	288	if ((strlen(objectDN) == 0) \|\| ld == NULL) {
	289	return LDAP_NO_SUCH_ATTRIBUTE;
	290	}
	291
	292	err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
	293	if (err) {
56ff4687 AJ	294	;
56ff4687 AJ	295	} else if (!err && (err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
feec68a0	296	requestBV, NULL, NULL, &replyOID, &replyBV))) {
56ff4687 AJ	297	/* Call the ldap_extended_operation (synchronously) */
	298	;
	299	} else if (!replyOID) {
	300	/* Make sure there is a return OID */
26ac0430	301	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	302	} else if (strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) {
56ff4687 AJ	303	/* Is this what we were expecting to get back. */
26ac0430	304	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	305	} else if (!replyBV) {
56ff4687 AJ	306	/* Do we have a good returned berval? */
26ac0430	307
26ac0430 AJ	308	/* No; returned berval means we experienced a rather drastic error. */
	309	/* Return operations error. */
	310	err = LDAP_OPERATIONS_ERROR;
56ff4687	311	} else {
26ac0430	312
56ff4687	313	err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
26ac0430	314
56ff4687 AJ	315	if (serverVersion != NMAS_LDAP_EXT_VERSION) {
	316	err = LDAP_OPERATIONS_ERROR;
	317	}
26ac0430	318	}
591c3246	319
26ac0430 AJ	320	if (replyBV) {
	321	ber_bvfree(replyBV);
	322	}
	323
	324	/* Free the return OID string if one was returned. */
	325	if (replyOID) {
	326	ldap_memfree(replyOID);
	327	}
	328
	329	/* Free memory allocated while building the request ber and berval. */
	330	if (requestBV) {
	331	ber_bvfree(requestBV);
	332	}
	333
	334	/* Return the appropriate error/success code. */
	335	return err;
591c3246	336	}
	337
	338	/**********************************************************************
	339	Attempts to get the Simple Password
	340	**********************************************************************/
	341
	342	static int nmasldap_get_simple_pwd(
26ac0430 AJ	343	LDAP *ld,
	344	char *objectDN,
	345	size_t pwdLen,
	346	char *pwd )
591c3246	347	{
26ac0430 AJ	348	int err = 0;
	349	unsigned int methodID = 0;
	350	unsigned int methodIDLen = sizeof(methodID);
	351	char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
	352	char *pwdBuf=NULL;
	353	size_t pwdBufLen, bufferLen;
	354
	355	bufferLen = pwdBufLen = pwdLen+2;
56ff4687	356	pwdBuf = (char)SMB_MALLOC_ARRAY(char, pwdBufLen); / digest and null */
26ac0430 AJ	357	if (pwdBuf == NULL) {
	358	return LDAP_NO_MEMORY;
	359	}
	360
	361	err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
	362	if (err == 0) {
	363	if (pwdBufLen !=0) {
	364	pwdBuf[pwdBufLen] = 0; /* null terminate */
	365
	366	switch (pwdBuf[0]) {
	367	case 1: /* cleartext password */
	368	break;
	369	case 2: /* SHA1 HASH */
	370	case 3: /* MD5_ID */
	371	case 4: /* UNIXCrypt_ID */
	372	case 8: /* SSHA_ID */
	373	default: /* Unknown digest */
	374	err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
	375	break;
	376	}
	377
	378	if (!err) {
	379	if (pwdLen >= pwdBufLen-1) {
	380	memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
	381	} else {
	382	err = LDAP_NO_MEMORY;
	383	}
	384	}
	385	}
	386	}
	387
	388	if (pwdBuf != NULL) {
	389	memset(pwdBuf, 0, bufferLen);
	390	free(pwdBuf);
	391	}
	392
	393	return err;
591c3246	394	}
	395
	396
	397	/**********************************************************************
	398	Attempts to get the Universal Password
	399	**********************************************************************/
	400
	401	static int nmasldap_get_password(
26ac0430 AJ	402	LDAP *ld,
	403	char *objectDN,
	404	size_t pwdSize, / in bytes */
	405	unsigned char *pwd )
591c3246	406	{
26ac0430 AJ	407	int err = 0;
	408
	409	struct berval *requestBV = NULL;
	410	char *replyOID = NULL;
	411	struct berval *replyBV = NULL;
	412	int serverVersion;
	413	char *pwdBuf;
	414	size_t pwdBufLen, bufferLen;
	415
	416	/* Validate char parameters. */
	417	if (objectDN == NULL \|\| (strlen(objectDN) == 0) \|\| pwdSize == NULL \|\| ld == NULL) {
	418	return LDAP_NO_SUCH_ATTRIBUTE;
	419	}
	420
	421	bufferLen = pwdBufLen = *pwdSize;
56ff4687	422	pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen+2);
26ac0430 AJ	423	if (pwdBuf == NULL) {
	424	return LDAP_NO_MEMORY;
	425	}
	426
	427	err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
	428	if (err) {
56ff4687 AJ	429	;
	430	} else if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) {
	431	; /* Call the ldap_extended_operation (synchronously) */
	432	} else if (!replyOID) {
	433	/* Make sure there is a return OID */
26ac0430	434	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	435	} else if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
56ff4687 AJ	436	/* Is this what we were expecting to get back. */
26ac0430	437	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	438	} else if (!replyBV) {
56ff4687 AJ	439	/* Do we have a good returned berval? */
26ac0430 AJ	440	/* No; returned berval means we experienced a rather drastic error. */
	441	/* Return operations error. */
	442	err = LDAP_OPERATIONS_ERROR;
56ff4687 AJ	443	} else {
56ff4687 AJ	444	err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
26ac0430	445
56ff4687 AJ	446	if (serverVersion != NMAS_LDAP_EXT_VERSION) {
56ff4687 AJ	447	err = LDAP_OPERATIONS_ERROR;
26ac0430	448
56ff4687 AJ	449	} else if (!err && pwdBufLen != 0) {
	450	if (*pwdSize >= pwdBufLen+1 && pwd != NULL) {
	451	memcpy(pwd, pwdBuf, pwdBufLen);
	452	pwd[pwdBufLen] = 0; /* add null termination */
	453	}
	454	pwdSize = pwdBufLen; / does not include null termination */
26ac0430	455	}
26ac0430	456	}
591c3246	457
26ac0430 AJ	458	if (replyBV) {
	459	ber_bvfree(replyBV);
	460	}
	461
	462	/* Free the return OID string if one was returned. */
	463	if (replyOID) {
	464	ldap_memfree(replyOID);
	465	}
	466
	467	/* Free memory allocated while building the request ber and berval. */
	468	if (requestBV) {
	469	ber_bvfree(requestBV);
	470	}
	471
	472	if (pwdBuf != NULL) {
	473	memset(pwdBuf, 0, bufferLen);
	474	free(pwdBuf);
	475	}
	476
	477	/* Return the appropriate error/success code. */
	478	return err;
591c3246	479	}
	480
	481	/**********************************************************************
	482	Get the user's password from NDS.
	483	*********************************************************************/
	484
	485	int nds_get_password(
26ac0430 AJ	486	LDAP *ld,
	487	char *object_dn,
	488	size_t *pwd_len,
	489	char *pwd )
591c3246	490	{
26ac0430	491	int rc = -1;
591c3246	492
26ac0430 AJ	493	rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
26ac0430 AJ	494	if (rc == LDAP_SUCCESS) {
591c3246	495	#ifdef DEBUG_PASSWORD
26ac0430 AJ	496	DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
	497	#endif
	498	DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
	499	} else {
	500	DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
	501	}
	502
	503	if (rc != LDAP_SUCCESS) {
	504	rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
	505	if (rc == LDAP_SUCCESS) {
591c3246	506	#ifdef DEBUG_PASSWORD
26ac0430 AJ	507	DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
	508	#endif
	509	DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
	510	} else {
	511	/* We couldn't get the password */
	512	DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
	513	return LDAP_INVALID_CREDENTIALS;
	514	}
	515	}
	516
	517	/* We got the password */
	518	return LDAP_SUCCESS;
591c3246	519	}
591c3246	520