[thirdparty/squid.git] / src / auth / digest / eDirectory / edir_ldapext.cc

/*
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * NDS LDAP helper functions
 * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
 * limited functionality needed to access the plain text password only
 *
 * Original copyright & license follows:
 *
 * Copyright (C) Vince Brimhall         2004-2005
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

#include "squid.h"
#include "auth/digest/eDirectory/digest_common.h"

#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_

#define snprintf _snprintf
#include <windows.h>
#include <winldap.h>
#include <winber.h>
#ifndef LDAPAPI
#define LDAPAPI __cdecl
#endif
#ifdef LDAP_VERSION3
#ifndef LDAP_OPT_X_TLS
#define LDAP_OPT_X_TLS 0x6000
#endif
#define ber_alloc() ber_alloc_t(0)
#endif /* LDAP_VERSION3 */

#else

#include <lber.h>
#include <ldap.h>

#endif
#include <wchar.h>

#include "edir_ldapext.h"

#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST   "2.16.840.1.113719.1.39.42.100.3"
#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE  "2.16.840.1.113719.1.39.42.100.4"
#define NMASLDAP_SET_PASSWORD_REQUEST       "2.16.840.1.113719.1.39.42.100.11"
#define NMASLDAP_SET_PASSWORD_RESPONSE      "2.16.840.1.113719.1.39.42.100.12"
#define NMASLDAP_GET_PASSWORD_REQUEST       "2.16.840.1.113719.1.39.42.100.13"
#define NMASLDAP_GET_PASSWORD_RESPONSE      "2.16.840.1.113719.1.39.42.100.14"

#define NMAS_LDAP_EXT_VERSION               1

#define SMB_MALLOC_ARRAY(type, nelem)       calloc(sizeof(type), nelem)
#define DEBUG(level, args)

/**********************************************************************
 Take the request BER value and input data items and BER encodes the
 data into the BER value
**********************************************************************/

static int berEncodePasswordData(
    struct berval **requestBV,
    const char    *objectDN,
    const char    *password,
    const char    *password2)
{
    int err = 0, rc=0;
    BerElement *requestBer = NULL;

    const char    * utf8ObjPtr = NULL;
    int     utf8ObjSize = 0;
    const char    * utf8PwdPtr = NULL;
    int     utf8PwdSize = 0;
    const char    * utf8Pwd2Ptr = NULL;
    int     utf8Pwd2Size = 0;

    /* Convert objectDN and tag strings from Unicode to UTF-8 */
    utf8ObjSize = strlen(objectDN)+1;
    utf8ObjPtr = objectDN;

    if (password != NULL) {
        utf8PwdSize = strlen(password)+1;
        utf8PwdPtr = password;
    }

    if (password2 != NULL) {
        utf8Pwd2Size = strlen(password2)+1;
        utf8Pwd2Ptr = password2;
    }

    /* Allocate a BerElement for the request parameters. */
    if ((requestBer = ber_alloc()) == NULL) {
        err = LDAP_ENCODING_ERROR;
        ber_free(requestBer, 1);
        return err;
    }

    if (password != NULL && password2 != NULL) {
        /* BER encode the NMAS Version, the objectDN, and the password */
        rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
    } else if (password != NULL) {
        /* BER encode the NMAS Version, the objectDN, and the password */
        rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
    } else {
        /* BER encode the NMAS Version and the objectDN */
        rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
    }

    if (rc < 0) {
        err = LDAP_ENCODING_ERROR;
    } else {
        err = 0;
        /* Convert the BER we just built to a berval that we'll send with the extended request. */
        if ((ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
            err = LDAP_ENCODING_ERROR;
        }
    }

    if (requestBer) {
        ber_free(requestBer, 1);
    }

    return err;
}

/**********************************************************************
 Take the request BER value and input data items and BER encodes the
 data into the BER value
**********************************************************************/

static int berEncodeLoginData(
    struct berval **requestBV,
    char     *objectDN,
    unsigned int  methodIDLen,
    unsigned int *methodID,
    char     *tag,
    size_t   putDataLen,
    void     *putData)
{
    unsigned int elemCnt = methodIDLen / sizeof(unsigned int);

    char    *utf8ObjPtr=NULL;
    int     utf8ObjSize = 0;

    char    *utf8TagPtr = NULL;
    int     utf8TagSize = 0;

    utf8ObjPtr = objectDN;
    utf8ObjSize = strlen(utf8ObjPtr)+1;

    utf8TagPtr = tag;
    utf8TagSize = strlen(utf8TagPtr)+1;

    /* Allocate a BerElement for the request parameters. */
    BerElement *requestBer = ber_alloc();
    if (!requestBer)
        return LDAP_ENCODING_ERROR;

    /* BER encode the NMAS Version and the objectDN */
    if (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) {
        ber_free(requestBer, 1);
        return LDAP_ENCODING_ERROR;
    }

    /* BER encode the MethodID Length and value */
    if (ber_printf(requestBer, "{i{", methodIDLen) < 0) {
        ber_free(requestBer, 1);
        return LDAP_ENCODING_ERROR;
    }

    for (unsigned int i = 0; i < elemCnt; ++i) {
        if (ber_printf(requestBer, "i", methodID[i]) < 0) {
            ber_free(requestBer, 1);
            return LDAP_ENCODING_ERROR;
        }
    }

    if (ber_printf(requestBer, "}}", 0) < 0) {
        ber_free(requestBer, 1);
        return LDAP_ENCODING_ERROR;
    }

    if (putData) {
        /* BER Encode the the tag and data */
        if (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) {
            ber_free(requestBer, 1);
            return LDAP_ENCODING_ERROR;
        }
    } else {
        /* BER Encode the the tag */
        if (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) {
            ber_free(requestBer, 1);
            return LDAP_ENCODING_ERROR;
        }
    }

    /* Convert the BER we just built to a berval that we'll send with the extended request. */
    if (static_cast<ber_tag_t>(ber_flatten(requestBer, requestBV)) == LBER_ERROR) {
        ber_free(requestBer, 1);
        return LDAP_ENCODING_ERROR;
    }

    ber_free(requestBer, 1);
    return 0; /* no error */
}

/**********************************************************************
 Takes the reply BER Value and decodes the NMAS server version and
 return code and if a non null retData buffer was supplied, tries to
 decode the the return data and length
**********************************************************************/

static int berDecodeLoginData(
    struct berval *replyBV,
    int      *serverVersion,
    size_t   *retDataLen,
    void     *retData )
{
    int err = 0;
    BerElement *replyBer = NULL;
    char    *retOctStr = NULL;
    size_t  retOctStrLen = 0;

    if ((replyBer = ber_init(replyBV)) == NULL) {
        err = LDAP_OPERATIONS_ERROR;
    } else if (retData) {
        retOctStrLen = *retDataLen + 1;
        retOctStr = (char*)SMB_MALLOC_ARRAY(char, retOctStrLen);
        if (!retOctStr) {
            err = LDAP_OPERATIONS_ERROR;
        } else if (ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != LBER_ERROR) {
            if (*retDataLen >= retOctStrLen) {
                memcpy(retData, retOctStr, retOctStrLen);
            } else if (!err) {
                err = LDAP_NO_MEMORY;
            }

            *retDataLen = retOctStrLen;
        } else if (!err) {
            err = LDAP_DECODING_ERROR;
        }
    } else {
        if (ber_scanf(replyBer, "{ii}", serverVersion, &err) == LBER_ERROR) {
            if (!err) {
                err = LDAP_DECODING_ERROR;
            }
        }
    }

    if (replyBer) {
        ber_free(replyBer, 1);
    }

    if (retOctStr != NULL) {
        memset(retOctStr, 0, retOctStrLen);
        free(retOctStr);
    }

    return err;
}

/**********************************************************************
 Retrieves data in the login configuration of the specified object
 that is tagged with the specified methodID and tag.
**********************************************************************/

static int getLoginConfig(
    LDAP     *ld,
    char     *objectDN,
    unsigned int  methodIDLen,
    unsigned int *methodID,
    char     *tag,
    size_t   *dataLen,
    void     *data )
{
    int     err = 0;
    struct  berval *requestBV = NULL;
    char    *replyOID = NULL;
    struct  berval *replyBV = NULL;
    int     serverVersion = 0;

    /* Validate unicode parameters. */
    if ((strlen(objectDN) == 0) || ld == NULL) {
        return LDAP_NO_SUCH_ATTRIBUTE;
    }

    err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
    if (err) {
        ;
    } else if (!err && (err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
                              requestBV, NULL, NULL, &replyOID, &replyBV))) {
        /* Call the ldap_extended_operation (synchronously) */
        ;
    } else if (!replyOID) {
        /* Make sure there is a return OID */
        err = LDAP_NOT_SUPPORTED;
    } else if (strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) {
        /* Is this what we were expecting to get back. */
        err = LDAP_NOT_SUPPORTED;
    } else if (!replyBV) {
        /* Do we have a good returned berval? */

        /* No; returned berval means we experienced a rather drastic error. */
        /* Return operations error. */
        err = LDAP_OPERATIONS_ERROR;
    } else {

        err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);

        if (serverVersion != NMAS_LDAP_EXT_VERSION) {
            err = LDAP_OPERATIONS_ERROR;
        }
    }

    if (replyBV) {
        ber_bvfree(replyBV);
    }

    /* Free the return OID string if one was returned. */
    if (replyOID) {
        ldap_memfree(replyOID);
    }

    /* Free memory allocated while building the request ber and berval. */
    if (requestBV) {
        ber_bvfree(requestBV);
    }

    /* Return the appropriate error/success code. */
    return err;
}

/**********************************************************************
 Attempts to get the Simple Password
**********************************************************************/

static int nmasldap_get_simple_pwd(
    LDAP     *ld,
    char     *objectDN,
    size_t   pwdLen,
    char     *pwd )
{
    int err = 0;
    unsigned int methodID = 0;
    unsigned int methodIDLen = sizeof(methodID);
    char    tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
    char    *pwdBuf=NULL;
    size_t  pwdBufLen, bufferLen;

    bufferLen = pwdBufLen = pwdLen+2;
    pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
    if (pwdBuf == NULL) {
        return LDAP_NO_MEMORY;
    }

    err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
    if (err == 0) {
        if (pwdBufLen !=0) {
            pwdBuf[pwdBufLen] = 0;       /* null terminate */

            switch (pwdBuf[0]) {
            case 1:  /* cleartext password  */
                break;
            case 2:  /* SHA1 HASH */
            case 3:  /* MD5_ID */
            case 4:  /* UNIXCrypt_ID */
            case 8:  /* SSHA_ID */
            default: /* Unknown digest */
                err = LDAP_INAPPROPRIATE_AUTH;  /* only return clear text */
                break;
            }

            if (!err) {
                if (pwdLen >= pwdBufLen-1) {
                    memcpy(pwd, &pwdBuf[1], pwdBufLen-1);  /* skip digest tag and include null */
                } else {
                    err = LDAP_NO_MEMORY;
                }
            }
        }
    }

    if (pwdBuf != NULL) {
        memset(pwdBuf, 0, bufferLen);
        free(pwdBuf);
    }

    return err;
}

/**********************************************************************
 Attempts to get the Universal Password
**********************************************************************/

static int nmasldap_get_password(
    LDAP     *ld,
    char     *objectDN,
    size_t   *pwdSize,  /* in bytes */
    unsigned char     *pwd )
{
    int err = 0;

    struct berval *requestBV = NULL;
    char *replyOID = NULL;
    struct berval *replyBV = NULL;
    int serverVersion;
    char *pwdBuf;
    size_t pwdBufLen, bufferLen;

    /* Validate char parameters. */
    if (objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL) {
        return LDAP_NO_SUCH_ATTRIBUTE;
    }

    bufferLen = pwdBufLen = *pwdSize;
    pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen+2);
    if (pwdBuf == NULL) {
        return LDAP_NO_MEMORY;
    }

    err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
    if (err) {
        ;
    } else if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) {
        ; /* Call the ldap_extended_operation (synchronously) */
    } else if (!replyOID) {
        /* Make sure there is a return OID */
        err = LDAP_NOT_SUPPORTED;
    } else if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
        /* Is this what we were expecting to get back. */
        err = LDAP_NOT_SUPPORTED;
    } else if (!replyBV) {
        /* Do we have a good returned berval? */
        /* No; returned berval means we experienced a rather drastic error. */
        /* Return operations error. */
        err = LDAP_OPERATIONS_ERROR;
    } else {
        err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);

        if (serverVersion != NMAS_LDAP_EXT_VERSION) {
            err = LDAP_OPERATIONS_ERROR;

        } else if (!err && pwdBufLen != 0) {
            if (*pwdSize >= pwdBufLen+1 && pwd != NULL) {
                memcpy(pwd, pwdBuf, pwdBufLen);
                pwd[pwdBufLen] = 0; /* add null termination */
            }
            *pwdSize = pwdBufLen; /* does not include null termination */
        }
    }

    if (replyBV) {
        ber_bvfree(replyBV);
    }

    /* Free the return OID string if one was returned. */
    if (replyOID) {
        ldap_memfree(replyOID);
    }

    /* Free memory allocated while building the request ber and berval. */
    if (requestBV) {
        ber_bvfree(requestBV);
    }

    if (pwdBuf != NULL) {
        memset(pwdBuf, 0, bufferLen);
        free(pwdBuf);
    }

    /* Return the appropriate error/success code. */
    return err;
}

/**********************************************************************
 Get the user's password from NDS.
 *********************************************************************/

int nds_get_password(
    LDAP *ld,
    char *object_dn,
    size_t *pwd_len,
    char *pwd )
{
    int rc = -1;

    rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
    if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
        DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
#endif
        DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
    } else {
        DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
    }

    if (rc != LDAP_SUCCESS) {
        rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
        if (rc == LDAP_SUCCESS) {
#ifdef DEBUG_PASSWORD
            DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
#endif
            DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
        } else {
            /* We couldn't get the password */
            DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
            return LDAP_INVALID_CREDENTIALS;
        }
    }

    /* We got the password */
    return LDAP_SUCCESS;
}
Commit	Line	Data
ca02e0ec	1	/*
5b74111a	2	* Copyright (C) 1996-2018 The Squid Software Foundation and contributors
ca02e0ec AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
26ac0430	9	/*
591c3246	10	* NDS LDAP helper functions
	11	* Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
	12	* limited functionality needed to access the plain text password only
89f77e43	13	*
591c3246	14	* Original copyright & license follows:
89f77e43	15	*
f53969cc	16	* Copyright (C) Vince Brimhall 2004-2005
26ac0430	17	*
591c3246	18	* This program is free software; you can redistribute it and/or modify
	19	* it under the terms of the GNU General Public License as published by
	20	* the Free Software Foundation; either version 2 of the License, or
	21	* (at your option) any later version.
26ac0430	22	*
591c3246	23	* This program is distributed in the hope that it will be useful,
	24	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	25	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	26	* GNU General Public License for more details.
26ac0430	27	*
591c3246	28	* You should have received a copy of the GNU General Public License
	29	* along with this program; if not, write to the Free Software
	30	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
ca02e0ec	31	*/
f971fe39	32
ca02e0ec	33	#include "squid.h"
d4d7f6dd	34	#include "auth/digest/eDirectory/digest_common.h"
f5a88a5e	35
7aa9bb3e	36	#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
f5a88a5e	37
	38	#define snprintf _snprintf
	39	#include <windows.h>
	40	#include <winldap.h>
	41	#include <winber.h>
	42	#ifndef LDAPAPI
	43	#define LDAPAPI __cdecl
	44	#endif
	45	#ifdef LDAP_VERSION3
	46	#ifndef LDAP_OPT_X_TLS
	47	#define LDAP_OPT_X_TLS 0x6000
	48	#endif
	49	#define ber_alloc() ber_alloc_t(0)
	50	#endif /* LDAP_VERSION3 */
	51
	52	#else
	53
f971fe39	54	#include <lber.h>
f971fe39	55	#include <ldap.h>
f5a88a5e	56
f5a88a5e	57	#endif
591c3246	58	#include <wchar.h>
e9505fad	59
	60	#include "edir_ldapext.h"
	61
f53969cc SM	62	#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
	63	#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
	64	#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
	65	#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
	66	#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
	67	#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
89f77e43	68
f53969cc	69	#define NMAS_LDAP_EXT_VERSION 1
89f77e43	70
f53969cc	71	#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem)
591c3246	72	#define DEBUG(level, args)
89f77e43	73
591c3246	74	/**********************************************************************
	75	Take the request BER value and input data items and BER encodes the
	76	data into the BER value
	77	**********************************************************************/
89f77e43	78
591c3246	79	static int berEncodePasswordData(
26ac0430 AJ	80	struct berval **requestBV,
	81	const char *objectDN,
	82	const char *password,
	83	const char *password2)
591c3246	84	{
26ac0430 AJ	85	int err = 0, rc=0;
	86	BerElement *requestBer = NULL;
	87
	88	const char * utf8ObjPtr = NULL;
	89	int utf8ObjSize = 0;
	90	const char * utf8PwdPtr = NULL;
	91	int utf8PwdSize = 0;
	92	const char * utf8Pwd2Ptr = NULL;
	93	int utf8Pwd2Size = 0;
	94
26ac0430 AJ	95	/* Convert objectDN and tag strings from Unicode to UTF-8 */
	96	utf8ObjSize = strlen(objectDN)+1;
	97	utf8ObjPtr = objectDN;
	98
	99	if (password != NULL) {
	100	utf8PwdSize = strlen(password)+1;
	101	utf8PwdPtr = password;
	102	}
	103
	104	if (password2 != NULL) {
	105	utf8Pwd2Size = strlen(password2)+1;
	106	utf8Pwd2Ptr = password2;
	107	}
	108
	109	/* Allocate a BerElement for the request parameters. */
	110	if ((requestBer = ber_alloc()) == NULL) {
	111	err = LDAP_ENCODING_ERROR;
56ff4687 AJ	112	ber_free(requestBer, 1);
56ff4687 AJ	113	return err;
26ac0430 AJ	114	}
	115
	116	if (password != NULL && password2 != NULL) {
	117	/* BER encode the NMAS Version, the objectDN, and the password */
	118	rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
	119	} else if (password != NULL) {
	120	/* BER encode the NMAS Version, the objectDN, and the password */
	121	rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
	122	} else {
	123	/* BER encode the NMAS Version and the objectDN */
	124	rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
	125	}
	126
	127	if (rc < 0) {
	128	err = LDAP_ENCODING_ERROR;
26ac0430 AJ	129	} else {
26ac0430 AJ	130	err = 0;
56ff4687 AJ	131	/* Convert the BER we just built to a berval that we'll send with the extended request. */
	132	if ((ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
	133	err = LDAP_ENCODING_ERROR;
	134	}
26ac0430 AJ	135	}
26ac0430 AJ	136
26ac0430 AJ	137	if (requestBer) {
	138	ber_free(requestBer, 1);
	139	}
591c3246	140
26ac0430	141	return err;
591c3246	142	}
	143
	144	/**********************************************************************
	145	Take the request BER value and input data items and BER encodes the
	146	data into the BER value
	147	**********************************************************************/
	148
	149	static int berEncodeLoginData(
26ac0430 AJ	150	struct berval **requestBV,
	151	char *objectDN,
	152	unsigned int methodIDLen,
	153	unsigned int *methodID,
	154	char *tag,
	155	size_t putDataLen,
	156	void *putData)
89f77e43	157	{
26ac0430 AJ	158	unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
26ac0430 AJ	159
f53969cc	160	char *utf8ObjPtr=NULL;
26ac0430 AJ	161	int utf8ObjSize = 0;
	162
	163	char *utf8TagPtr = NULL;
	164	int utf8TagSize = 0;
	165
	166	utf8ObjPtr = objectDN;
	167	utf8ObjSize = strlen(utf8ObjPtr)+1;
	168
	169	utf8TagPtr = tag;
	170	utf8TagSize = strlen(utf8TagPtr)+1;
	171
	172	/* Allocate a BerElement for the request parameters. */
d7844b4a FC	173	BerElement *requestBer = ber_alloc();
	174	if (!requestBer)
	175	return LDAP_ENCODING_ERROR;
26ac0430 AJ	176
26ac0430 AJ	177	/* BER encode the NMAS Version and the objectDN */
d7844b4a FC	178	if (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) {
	179	ber_free(requestBer, 1);
	180	return LDAP_ENCODING_ERROR;
	181	}
26ac0430 AJ	182
26ac0430 AJ	183	/* BER encode the MethodID Length and value */
d7844b4a FC	184	if (ber_printf(requestBer, "{i{", methodIDLen) < 0) {
	185	ber_free(requestBer, 1);
	186	return LDAP_ENCODING_ERROR;
26ac0430 AJ	187	}
26ac0430 AJ	188
d7844b4a FC	189	for (unsigned int i = 0; i < elemCnt; ++i) {
	190	if (ber_printf(requestBer, "i", methodID[i]) < 0) {
	191	ber_free(requestBer, 1);
	192	return LDAP_ENCODING_ERROR;
	193	}
26ac0430 AJ	194	}
26ac0430 AJ	195
d7844b4a FC	196	if (ber_printf(requestBer, "}}", 0) < 0) {
	197	ber_free(requestBer, 1);
	198	return LDAP_ENCODING_ERROR;
26ac0430 AJ	199	}
	200
	201	if (putData) {
	202	/* BER Encode the the tag and data */
d7844b4a FC	203	if (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) {
	204	ber_free(requestBer, 1);
	205	return LDAP_ENCODING_ERROR;
	206	}
26ac0430 AJ	207	} else {
26ac0430 AJ	208	/* BER Encode the the tag */
d7844b4a FC	209	if (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) {
	210	ber_free(requestBer, 1);
	211	return LDAP_ENCODING_ERROR;
	212	}
26ac0430 AJ	213	}
26ac0430 AJ	214
26ac0430	215	/* Convert the BER we just built to a berval that we'll send with the extended request. */
d7844b4a	216	if (static_cast<ber_tag_t>(ber_flatten(requestBer, requestBV)) == LBER_ERROR) {
26ac0430	217	ber_free(requestBer, 1);
d7844b4a	218	return LDAP_ENCODING_ERROR;
26ac0430	219	}
591c3246	220
d7844b4a FC	221	ber_free(requestBer, 1);
d7844b4a FC	222	return 0; /* no error */
591c3246	223	}
	224
	225	/**********************************************************************
	226	Takes the reply BER Value and decodes the NMAS server version and
	227	return code and if a non null retData buffer was supplied, tries to
	228	decode the the return data and length
	229	**********************************************************************/
	230
	231	static int berDecodeLoginData(
26ac0430 AJ	232	struct berval *replyBV,
	233	int *serverVersion,
	234	size_t *retDataLen,
	235	void *retData )
89f77e43	236	{
26ac0430 AJ	237	int err = 0;
	238	BerElement *replyBer = NULL;
	239	char *retOctStr = NULL;
	240	size_t retOctStrLen = 0;
	241
	242	if ((replyBer = ber_init(replyBV)) == NULL) {
	243	err = LDAP_OPERATIONS_ERROR;
feec68a0	244	} else if (retData) {
26ac0430	245	retOctStrLen = *retDataLen + 1;
56ff4687	246	retOctStr = (char*)SMB_MALLOC_ARRAY(char, retOctStrLen);
26ac0430 AJ	247	if (!retOctStr) {
26ac0430 AJ	248	err = LDAP_OPERATIONS_ERROR;
feec68a0	249	} else if (ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != LBER_ERROR) {
26ac0430 AJ	250	if (*retDataLen >= retOctStrLen) {
	251	memcpy(retData, retOctStr, retOctStrLen);
	252	} else if (!err) {
	253	err = LDAP_NO_MEMORY;
	254	}
	255
	256	*retDataLen = retOctStrLen;
	257	} else if (!err) {
	258	err = LDAP_DECODING_ERROR;
	259	}
	260	} else {
56ff4687	261	if (ber_scanf(replyBer, "{ii}", serverVersion, &err) == LBER_ERROR) {
26ac0430 AJ	262	if (!err) {
	263	err = LDAP_DECODING_ERROR;
	264	}
	265	}
	266	}
591c3246	267
26ac0430 AJ	268	if (replyBer) {
	269	ber_free(replyBer, 1);
	270	}
591c3246	271
26ac0430 AJ	272	if (retOctStr != NULL) {
	273	memset(retOctStr, 0, retOctStrLen);
	274	free(retOctStr);
	275	}
591c3246	276
26ac0430	277	return err;
591c3246	278	}
	279
	280	/**********************************************************************
	281	Retrieves data in the login configuration of the specified object
	282	that is tagged with the specified methodID and tag.
	283	**********************************************************************/
	284
	285	static int getLoginConfig(
f53969cc	286	LDAP *ld,
26ac0430 AJ	287	char *objectDN,
	288	unsigned int methodIDLen,
	289	unsigned int *methodID,
	290	char *tag,
	291	size_t *dataLen,
	292	void *data )
89f77e43	293	{
26ac0430 AJ	294	int err = 0;
	295	struct berval *requestBV = NULL;
	296	char *replyOID = NULL;
	297	struct berval *replyBV = NULL;
	298	int serverVersion = 0;
	299
	300	/* Validate unicode parameters. */
	301	if ((strlen(objectDN) == 0) \|\| ld == NULL) {
	302	return LDAP_NO_SUCH_ATTRIBUTE;
	303	}
	304
	305	err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
	306	if (err) {
56ff4687 AJ	307	;
56ff4687 AJ	308	} else if (!err && (err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
feec68a0	309	requestBV, NULL, NULL, &replyOID, &replyBV))) {
56ff4687 AJ	310	/* Call the ldap_extended_operation (synchronously) */
	311	;
	312	} else if (!replyOID) {
	313	/* Make sure there is a return OID */
26ac0430	314	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	315	} else if (strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) {
56ff4687 AJ	316	/* Is this what we were expecting to get back. */
26ac0430	317	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	318	} else if (!replyBV) {
56ff4687 AJ	319	/* Do we have a good returned berval? */
26ac0430	320
26ac0430 AJ	321	/* No; returned berval means we experienced a rather drastic error. */
	322	/* Return operations error. */
	323	err = LDAP_OPERATIONS_ERROR;
56ff4687	324	} else {
26ac0430	325
56ff4687	326	err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
26ac0430	327
56ff4687 AJ	328	if (serverVersion != NMAS_LDAP_EXT_VERSION) {
	329	err = LDAP_OPERATIONS_ERROR;
	330	}
26ac0430	331	}
591c3246	332
26ac0430 AJ	333	if (replyBV) {
	334	ber_bvfree(replyBV);
	335	}
	336
	337	/* Free the return OID string if one was returned. */
	338	if (replyOID) {
	339	ldap_memfree(replyOID);
	340	}
	341
	342	/* Free memory allocated while building the request ber and berval. */
	343	if (requestBV) {
	344	ber_bvfree(requestBV);
	345	}
	346
	347	/* Return the appropriate error/success code. */
	348	return err;
591c3246	349	}
	350
	351	/**********************************************************************
	352	Attempts to get the Simple Password
	353	**********************************************************************/
	354
	355	static int nmasldap_get_simple_pwd(
f53969cc	356	LDAP *ld,
26ac0430	357	char *objectDN,
f53969cc	358	size_t pwdLen,
26ac0430	359	char *pwd )
591c3246	360	{
26ac0430 AJ	361	int err = 0;
	362	unsigned int methodID = 0;
	363	unsigned int methodIDLen = sizeof(methodID);
	364	char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
	365	char *pwdBuf=NULL;
	366	size_t pwdBufLen, bufferLen;
	367
	368	bufferLen = pwdBufLen = pwdLen+2;
56ff4687	369	pwdBuf = (char)SMB_MALLOC_ARRAY(char, pwdBufLen); / digest and null */
26ac0430 AJ	370	if (pwdBuf == NULL) {
	371	return LDAP_NO_MEMORY;
	372	}
	373
	374	err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
	375	if (err == 0) {
	376	if (pwdBufLen !=0) {
	377	pwdBuf[pwdBufLen] = 0; /* null terminate */
	378
	379	switch (pwdBuf[0]) {
	380	case 1: /* cleartext password */
	381	break;
	382	case 2: /* SHA1 HASH */
	383	case 3: /* MD5_ID */
	384	case 4: /* UNIXCrypt_ID */
	385	case 8: /* SSHA_ID */
	386	default: /* Unknown digest */
	387	err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
	388	break;
	389	}
	390
	391	if (!err) {
	392	if (pwdLen >= pwdBufLen-1) {
	393	memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
	394	} else {
	395	err = LDAP_NO_MEMORY;
	396	}
	397	}
	398	}
	399	}
	400
	401	if (pwdBuf != NULL) {
	402	memset(pwdBuf, 0, bufferLen);
	403	free(pwdBuf);
	404	}
	405
	406	return err;
591c3246	407	}
591c3246	408
591c3246	409	/**********************************************************************
	410	Attempts to get the Universal Password
	411	**********************************************************************/
	412
	413	static int nmasldap_get_password(
f53969cc	414	LDAP *ld,
26ac0430	415	char *objectDN,
f53969cc	416	size_t pwdSize, / in bytes */
26ac0430	417	unsigned char *pwd )
591c3246	418	{
26ac0430 AJ	419	int err = 0;
	420
	421	struct berval *requestBV = NULL;
	422	char *replyOID = NULL;
	423	struct berval *replyBV = NULL;
	424	int serverVersion;
	425	char *pwdBuf;
	426	size_t pwdBufLen, bufferLen;
	427
	428	/* Validate char parameters. */
	429	if (objectDN == NULL \|\| (strlen(objectDN) == 0) \|\| pwdSize == NULL \|\| ld == NULL) {
	430	return LDAP_NO_SUCH_ATTRIBUTE;
	431	}
	432
	433	bufferLen = pwdBufLen = *pwdSize;
56ff4687	434	pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen+2);
26ac0430 AJ	435	if (pwdBuf == NULL) {
	436	return LDAP_NO_MEMORY;
	437	}
	438
	439	err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
	440	if (err) {
56ff4687 AJ	441	;
	442	} else if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) {
	443	; /* Call the ldap_extended_operation (synchronously) */
	444	} else if (!replyOID) {
	445	/* Make sure there is a return OID */
26ac0430	446	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	447	} else if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
56ff4687 AJ	448	/* Is this what we were expecting to get back. */
26ac0430	449	err = LDAP_NOT_SUPPORTED;
56ff4687 AJ	450	} else if (!replyBV) {
56ff4687 AJ	451	/* Do we have a good returned berval? */
26ac0430 AJ	452	/* No; returned berval means we experienced a rather drastic error. */
	453	/* Return operations error. */
	454	err = LDAP_OPERATIONS_ERROR;
56ff4687 AJ	455	} else {
56ff4687 AJ	456	err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
26ac0430	457
56ff4687 AJ	458	if (serverVersion != NMAS_LDAP_EXT_VERSION) {
56ff4687 AJ	459	err = LDAP_OPERATIONS_ERROR;
26ac0430	460
56ff4687 AJ	461	} else if (!err && pwdBufLen != 0) {
	462	if (*pwdSize >= pwdBufLen+1 && pwd != NULL) {
	463	memcpy(pwd, pwdBuf, pwdBufLen);
	464	pwd[pwdBufLen] = 0; /* add null termination */
	465	}
	466	pwdSize = pwdBufLen; / does not include null termination */
26ac0430	467	}
26ac0430	468	}
591c3246	469
26ac0430 AJ	470	if (replyBV) {
	471	ber_bvfree(replyBV);
	472	}
	473
	474	/* Free the return OID string if one was returned. */
	475	if (replyOID) {
	476	ldap_memfree(replyOID);
	477	}
	478
	479	/* Free memory allocated while building the request ber and berval. */
	480	if (requestBV) {
	481	ber_bvfree(requestBV);
	482	}
	483
	484	if (pwdBuf != NULL) {
	485	memset(pwdBuf, 0, bufferLen);
	486	free(pwdBuf);
	487	}
	488
	489	/* Return the appropriate error/success code. */
	490	return err;
591c3246	491	}
	492
	493	/**********************************************************************
	494	Get the user's password from NDS.
	495	*********************************************************************/
	496
	497	int nds_get_password(
26ac0430 AJ	498	LDAP *ld,
	499	char *object_dn,
	500	size_t *pwd_len,
	501	char *pwd )
591c3246	502	{
26ac0430	503	int rc = -1;
591c3246	504
26ac0430 AJ	505	rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
26ac0430 AJ	506	if (rc == LDAP_SUCCESS) {
591c3246	507	#ifdef DEBUG_PASSWORD
26ac0430 AJ	508	DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
	509	#endif
	510	DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
	511	} else {
	512	DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
	513	}
	514
	515	if (rc != LDAP_SUCCESS) {
	516	rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
	517	if (rc == LDAP_SUCCESS) {
591c3246	518	#ifdef DEBUG_PASSWORD
26ac0430 AJ	519	DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
	520	#endif
	521	DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
	522	} else {
	523	/* We couldn't get the password */
	524	DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
	525	return LDAP_INVALID_CREDENTIALS;
	526	}
	527	}
	528
	529	/* We got the password */
	530	return LDAP_SUCCESS;
591c3246	531	}
591c3246	532