/* * Return the first host and port in hostlist (setting *hostp and *portp). * Return value is an LDAP API error code (LDAP_SUCCESS if all goes well). * Note that a NULL or zero-length hostlist causes the host "127.0.0.1" to * be returned. */ int LDAP_CALL ldap_x_hostlist_first( const char *hostlist, int defport, char **hostp, int *portp, struct ldap_x_hostlist_status **statusp ) { if ( NULL == hostp || NULL == portp || NULL == statusp ) { return( LDAP_PARAM_ERROR ); } if ( NULL == hostlist || *hostlist == '\0' ) { *hostp = nsldapi_strdup( "127.0.0.1" ); if ( NULL == *hostp ) { return( LDAP_NO_MEMORY ); } *portp = defport; *statusp = NULL; return( LDAP_SUCCESS ); } *statusp = NSLDAPI_CALLOC( 1, sizeof( struct ldap_x_hostlist_status )); if ( NULL == *statusp ) { return( LDAP_NO_MEMORY ); } (*statusp)->lhs_hostlist = nsldapi_strdup( hostlist ); if ( NULL == (*statusp)->lhs_hostlist ) { return( LDAP_NO_MEMORY ); } (*statusp)->lhs_nexthost = (*statusp)->lhs_hostlist; (*statusp)->lhs_defport = defport; return( ldap_x_hostlist_next( hostp, portp, *statusp )); }
/* * Return the next host and port in hostlist (setting *hostp and *portp). * Return value is an LDAP API error code (LDAP_SUCCESS if all goes well). * If no more hosts are available, LDAP_SUCCESS is returned but *hostp is set * to NULL. */ int LDAP_CALL ldap_x_hostlist_next(char **hostp, int *portp, struct ldap_x_hostlist_status *status) { char *q; int squarebrackets = 0; if (NULL == hostp || NULL == portp) { return (LDAP_PARAM_ERROR); } if (NULL == status || NULL == status->lhs_nexthost) { *hostp = NULL; return (LDAP_SUCCESS); } /* * skip past leading '[' if present (IPv6 addresses may be surrounded * with square brackets, e.g., [fe80::a00:20ff:fee5:c0b4]:389 */ if (status->lhs_nexthost[0] == '[') { ++status->lhs_nexthost; squarebrackets = 1; } /* copy host into *hostp */ if (NULL != (q = strchr(status->lhs_nexthost, ' '))) { size_t len = q - status->lhs_nexthost; *hostp = NSLDAPI_MALLOC(len + 1); if (NULL == *hostp) { return (LDAP_NO_MEMORY); } strncpy(*hostp, status->lhs_nexthost, len); (*hostp)[len] = '\0'; status->lhs_nexthost += (len + 1); } else { /* last host */ *hostp = nsldapi_strdup(status->lhs_nexthost); if (NULL == *hostp) { return (LDAP_NO_MEMORY); } status->lhs_nexthost = NULL; } /* * Look for closing ']' and skip past it before looking for port. */ if (squarebrackets && NULL != (q = strchr(*hostp, ']'))) { *q++ = '\0'; } else { q = *hostp; } /* determine and set port */ if (NULL != (q = strchr(q, ':'))) { *q++ = '\0'; *portp = atoi(q); } else { *portp = status->lhs_defport; } return (LDAP_SUCCESS); }
/* returns 0 if connection opened and -1 if an error occurs */ int nsldapi_open_ldap_defconn( LDAP *ld ) { LDAPServer *srv; if (( srv = (LDAPServer *)NSLDAPI_CALLOC( 1, sizeof( LDAPServer ))) == NULL || ( ld->ld_defhost != NULL && ( srv->lsrv_host = nsldapi_strdup( ld->ld_defhost )) == NULL )) { LDAP_SET_LDERRNO( ld, LDAP_NO_MEMORY, NULL, NULL ); return( -1 ); } srv->lsrv_port = ld->ld_defport; #ifdef LDAP_SSLIO_HOOKS if (( ld->ld_options & LDAP_BITOPT_SSL ) != 0 ) { srv->lsrv_options |= LDAP_SRV_OPT_SECURE; } #endif if (( ld->ld_defconn = nsldapi_new_connection( ld, &srv, 1, 1, 0 )) == NULL ) { if ( ld->ld_defhost != NULL ) { NSLDAPI_FREE( srv->lsrv_host ); } NSLDAPI_FREE( (char *)srv ); return( -1 ); } ++ld->ld_defconn->lconn_refcnt; /* so it never gets closed/freed */ return( 0 ); }
/* * duplicate the contents of "ctrl_src" and place in "ctrl_dst" */ static int /* LDAP_CALL */ /* keep this routine internal for now */ ldap_control_copy_contents( LDAPControl *ctrl_dst, LDAPControl *ctrl_src ) { size_t len; if ( NULL == ctrl_dst || NULL == ctrl_src ) { return( LDAP_PARAM_ERROR ); } ctrl_dst->ldctl_iscritical = ctrl_src->ldctl_iscritical; /* fill in the fields of this new control */ if (( ctrl_dst->ldctl_oid = nsldapi_strdup( ctrl_src->ldctl_oid )) == NULL ) { return( LDAP_NO_MEMORY ); } len = (size_t)(ctrl_src->ldctl_value).bv_len; if ( ctrl_src->ldctl_value.bv_val == NULL || len <= 0 ) { ctrl_dst->ldctl_value.bv_len = 0; ctrl_dst->ldctl_value.bv_val = NULL; } else { ctrl_dst->ldctl_value.bv_len = len; if (( ctrl_dst->ldctl_value.bv_val = NSLDAPI_MALLOC( len )) == NULL ) { NSLDAPI_FREE( ctrl_dst->ldctl_oid ); return( LDAP_NO_MEMORY ); } SAFEMEMCPY( ctrl_dst->ldctl_value.bv_val, ctrl_src->ldctl_value.bv_val, len ); } return ( LDAP_SUCCESS ); }
LDAP_CALL ldap_getfirstfilter( LDAPFiltDesc *lfdp, char *tagpat, char *value ) { LDAPFiltList *flp; if ( lfdp == NULL || tagpat == NULL || value == NULL ) { return( NULL ); /* punt */ } if ( lfdp->lfd_curvalcopy != NULL ) { NSLDAPI_FREE( lfdp->lfd_curvalcopy ); NSLDAPI_FREE( lfdp->lfd_curvalwords ); } NSLDAPI_FREE(lfdp->lfd_curval); if ((lfdp->lfd_curval = nsldapi_strdup(value)) == NULL) { return( NULL ); } lfdp->lfd_curfip = NULL; for ( flp = lfdp->lfd_filtlist; flp != NULL; flp = flp->lfl_next ) { if ( re_comp( tagpat ) == NULL && re_exec( flp->lfl_tag ) == 1 && re_comp( flp->lfl_pattern ) == NULL && re_exec( lfdp->lfd_curval ) == 1 ) { lfdp->lfd_curfip = flp->lfl_ilist; break; } } if ( lfdp->lfd_curfip == NULL ) { return( NULL ); } if (( lfdp->lfd_curvalcopy = nsldapi_strdup( value )) == NULL ) { return( NULL ); } if ( break_into_words( lfdp->lfd_curvalcopy, flp->lfl_delims, &lfdp->lfd_curvalwords ) < 0 ) { NSLDAPI_FREE( lfdp->lfd_curvalcopy ); lfdp->lfd_curvalcopy = NULL; return( NULL ); } return( ldap_getnextfilter( lfdp )); }
int LDAP_CALL ldap_set_filter_additions(LDAPFiltDesc *lfdp, char *prefix, char *suffix) { if (lfdp == NULL) { return (LDAP_PARAM_ERROR); } if (lfdp->lfd_filtprefix != NULL) { NSLDAPI_FREE(lfdp->lfd_filtprefix); } lfdp->lfd_filtprefix = (prefix == NULL) ? NULL : nsldapi_strdup(prefix); if (lfdp->lfd_filtsuffix != NULL) { NSLDAPI_FREE(lfdp->lfd_filtsuffix); } lfdp->lfd_filtsuffix = (suffix == NULL) ? NULL : nsldapi_strdup(suffix); return (LDAP_SUCCESS); }
static LBER_SOCKET nsldapi_os_socket( LDAP *ld, int secure, int domain, int type, int protocol ) { int s, invalid_socket; char *errmsg = NULL; if ( secure ) { LDAP_SET_LDERRNO( ld, LDAP_LOCAL_ERROR, NULL, nsldapi_strdup( dgettext(TEXT_DOMAIN, "secure mode not supported") )); return( -1 ); } s = socket( domain, type, protocol ); /* * if the socket() call failed or it returned a socket larger * than we can deal with, return a "local error." */ if ( NSLDAPI_INVALID_OS_SOCKET( s )) { errmsg = dgettext(TEXT_DOMAIN, "unable to create a socket"); invalid_socket = 1; } else { /* valid socket -- check for overflow */ invalid_socket = 0; #if !defined(NSLDAPI_HAVE_POLL) && !defined(_WINDOWS) /* not on Windows and do not have poll() */ if ( s >= FD_SETSIZE ) { errmsg = "can't use socket >= FD_SETSIZE"; } #endif } if ( errmsg != NULL ) { /* local socket error */ if ( !invalid_socket ) { nsldapi_os_closesocket( s ); } errmsg = nsldapi_strdup( errmsg ); LDAP_SET_LDERRNO( ld, LDAP_LOCAL_ERROR, NULL, errmsg ); return( -1 ); } return( s ); }
LDAP_CALL ldap_explode_dns( const char *dn ) { int ncomps, maxcomps; char *s, *cpydn; char **rdns; #ifdef HAVE_STRTOK_R /* defined in portable.h */ char *lasts; #endif if ( dn == NULL ) { dn = ""; } if ( (rdns = (char **)NSLDAPI_MALLOC( 8 * sizeof(char *) )) == NULL ) { return( NULL ); } maxcomps = 8; ncomps = 0; cpydn = nsldapi_strdup( (char *)dn ); for ( s = STRTOK( cpydn, "@.", &lasts ); s != NULL; s = STRTOK( NULL, "@.", &lasts ) ) { if ( ncomps == maxcomps ) { maxcomps *= 2; if ( (rdns = (char **)NSLDAPI_REALLOC( rdns, maxcomps * sizeof(char *) )) == NULL ) { NSLDAPI_FREE( cpydn ); return( NULL ); } } rdns[ncomps++] = nsldapi_strdup( s ); } rdns[ncomps] = NULL; NSLDAPI_FREE( cpydn ); return( rdns ); }
/* * build an allocated LDAPv3 control. Returns an LDAP error code. */ int nsldapi_build_control( char *oid, BerElement *ber, int freeber, char iscritical, LDAPControl **ctrlp ) { int rc; struct berval *bvp; if ( ber == NULL ) { bvp = NULL; } else { /* allocate struct berval with contents of the BER encoding */ rc = ber_flatten( ber, &bvp ); if ( freeber ) { ber_free( ber, 1 ); } if ( rc == -1 ) { return( LDAP_NO_MEMORY ); } } /* allocate the new control structure */ if (( *ctrlp = (LDAPControl *)NSLDAPI_MALLOC( sizeof(LDAPControl))) == NULL ) { if ( bvp != NULL ) { ber_bvfree( bvp ); } return( LDAP_NO_MEMORY ); } /* fill in the fields of this new control */ (*ctrlp)->ldctl_iscritical = iscritical; if (( (*ctrlp)->ldctl_oid = nsldapi_strdup( oid )) == NULL ) { NSLDAPI_FREE( *ctrlp ); if ( bvp != NULL ) { ber_bvfree( bvp ); } return( LDAP_NO_MEMORY ); } if ( bvp == NULL ) { (*ctrlp)->ldctl_value.bv_len = 0; (*ctrlp)->ldctl_value.bv_val = NULL; } else { (*ctrlp)->ldctl_value = *bvp; /* struct copy */ NSLDAPI_FREE( bvp ); /* free container, not contents! */ } return( LDAP_SUCCESS ); }
LDAP_CALL ldap_dn2ufn( const char *dn ) { char *p, *ufn, *r; size_t plen; int state; LDAPDebug( LDAP_DEBUG_TRACE, "ldap_dn2ufn\n", 0, 0, 0 ); if ( dn == NULL ) { dn = ""; } if ( ldap_is_dns_dn( dn ) || ( p = strchr( dn, '=' )) == NULL ) return( nsldapi_strdup( (char *)dn )); ufn = nsldapi_strdup( ++p ); #define INQUOTE 1 #define OUTQUOTE 2 state = OUTQUOTE; for ( p = ufn, r = ufn; *p; p += plen ) { plen = 1; switch ( *p ) { case '\\': if ( *++p == '\0' ) plen=0; else { *r++ = '\\'; r += (plen = LDAP_UTF8COPY(r,p)); } break; case '"': if ( state == INQUOTE ) state = OUTQUOTE; else state = INQUOTE; *r++ = *p; break; case ';': case ',': if ( state == OUTQUOTE ) *r++ = ','; else *r++ = *p; break; case '=': if ( state == INQUOTE ) *r++ = *p; else { char *rsave = r; LDAP_UTF8DEC(r); *rsave = '\0'; while ( !ldap_utf8isspace( r ) && *r != ';' && *r != ',' && r > ufn ) LDAP_UTF8DEC(r); LDAP_UTF8INC(r); if ( strcasecmp( r, "c" ) && strcasecmp( r, "o" ) && strcasecmp( r, "ou" ) && strcasecmp( r, "st" ) && strcasecmp( r, "l" ) && strcasecmp( r, "dc" ) && strcasecmp( r, "uid" ) && strcasecmp( r, "cn" ) ) { r = rsave; *r++ = '='; } } break; default: r += (plen = LDAP_UTF8COPY(r,p)); break; } } *r = '\0'; return( ufn ); }
/* returns an LDAP error code and also sets it in ld */ int nsldapi_build_search_req( LDAP *ld, const char *base, int scope, const char *filter, char **attrs, int attrsonly, LDAPControl **serverctrls, LDAPControl **clientctrls, /* not used for anything yet */ int timelimit, /* if -1, ld->ld_timelimit is used */ int sizelimit, /* if -1, ld->ld_sizelimit is used */ int msgid, BerElement **berp ) { BerElement *ber; int err; char *fdup; /* * Create the search request. It looks like this: * SearchRequest := [APPLICATION 3] SEQUENCE { * baseObject DistinguishedName, * scope ENUMERATED { * baseObject (0), * singleLevel (1), * wholeSubtree (2) * }, * derefAliases ENUMERATED { * neverDerefaliases (0), * derefInSearching (1), * derefFindingBaseObj (2), * alwaysDerefAliases (3) * }, * sizelimit INTEGER (0 .. 65535), * timelimit INTEGER (0 .. 65535), * attrsOnly BOOLEAN, * filter Filter, * attributes SEQUENCE OF AttributeType * } * wrapped in an ldap message. */ /* create a message to send */ if (( err = nsldapi_alloc_ber_with_options( ld, &ber )) != LDAP_SUCCESS ) { return( err ); } if ( base == NULL ) { base = ""; } if ( sizelimit == -1 ) { sizelimit = ld->ld_sizelimit; } if ( timelimit == -1 ) { timelimit = ld->ld_timelimit; } #ifdef CLDAP if ( ld->ld_sbp->sb_naddr > 0 ) { err = ber_printf( ber, "{ist{seeiib", msgid, ld->ld_cldapdn, LDAP_REQ_SEARCH, base, scope, ld->ld_deref, sizelimit, timelimit, attrsonly ); } else { #endif /* CLDAP */ err = ber_printf( ber, "{it{seeiib", msgid, LDAP_REQ_SEARCH, base, scope, ld->ld_deref, sizelimit, timelimit, attrsonly ); #ifdef CLDAP } #endif /* CLDAP */ if ( err == -1 ) { LDAP_SET_LDERRNO( ld, LDAP_ENCODING_ERROR, NULL, NULL ); ber_free( ber, 1 ); return( LDAP_ENCODING_ERROR ); } fdup = nsldapi_strdup( filter ); err = put_filter( ber, fdup ); NSLDAPI_FREE( fdup ); if ( err == -1 ) { LDAP_SET_LDERRNO( ld, LDAP_FILTER_ERROR, NULL, NULL ); ber_free( ber, 1 ); return( LDAP_FILTER_ERROR ); } if ( ber_printf( ber, "{v}}", attrs ) == -1 ) { LDAP_SET_LDERRNO( ld, LDAP_ENCODING_ERROR, NULL, NULL ); ber_free( ber, 1 ); return( LDAP_ENCODING_ERROR ); } if ( (err = nsldapi_put_controls( ld, serverctrls, 1, ber )) != LDAP_SUCCESS ) { ber_free( ber, 1 ); return( err ); } *berp = ber; return( LDAP_SUCCESS ); }
static int put_simple_filter( BerElement *ber, char *str ) { char *s, *s2, *s3, filterop; char *value; unsigned long ftype; int rc, len; char *oid; /* for v3 extended filter */ int dnattr; /* for v3 extended filter */ LDAPDebug( LDAP_DEBUG_TRACE, "put_simple_filter \"%s\"\n", str, 0, 0 ); rc = -1; /* pessimistic */ if (( str = nsldapi_strdup( str )) == NULL ) { return( rc ); } if ( (s = strchr( str, '=' )) == NULL ) { goto free_and_return; } value = s + 1; *s-- = '\0'; filterop = *s; if ( filterop == '<' || filterop == '>' || filterop == '~' || filterop == ':' ) { *s = '\0'; } if ( ! is_valid_attr( str ) ) { goto free_and_return; } switch ( filterop ) { case '<': ftype = LDAP_FILTER_LE; break; case '>': ftype = LDAP_FILTER_GE; break; case '~': ftype = LDAP_FILTER_APPROX; break; case ':': /* extended filter - v3 only */ /* * extended filter looks like this: * * [type][':dn'][':'oid]':='value * * where one of type or :oid is required. * */ ftype = LDAP_FILTER_EXTENDED; s2 = s3 = NULL; if ( (s2 = strrchr( str, ':' )) == NULL ) { goto free_and_return; } if ( strcasecmp( s2, ":dn" ) == 0 ) { oid = NULL; dnattr = 1; *s2 = '\0'; } else { oid = s2 + 1; dnattr = 0; *s2 = '\0'; if ( (s3 = strrchr( str, ':' )) != NULL ) { if ( strcasecmp( s3, ":dn" ) == 0 ) { dnattr = 1; } else { goto free_and_return; } *s3 = '\0'; } } if ( (rc = ber_printf( ber, "t{", ftype )) == -1 ) { goto free_and_return; } if ( oid != NULL ) { if ( (rc = ber_printf( ber, "ts", LDAP_TAG_MRA_OID, oid )) == -1 ) { goto free_and_return; } } if ( *str != '\0' ) { if ( (rc = ber_printf( ber, "ts", LDAP_TAG_MRA_TYPE, str )) == -1 ) { goto free_and_return; } } if (( len = unescape_filterval( value )) < 0 || ( rc = ber_printf( ber, "totb}", LDAP_TAG_MRA_VALUE, value, len, LDAP_TAG_MRA_DNATTRS, dnattr )) == -1 ) { goto free_and_return; } rc = 0; goto free_and_return; break; default: if ( find_star( value ) == NULL ) { ftype = LDAP_FILTER_EQUALITY; } else if ( strcmp( value, "*" ) == 0 ) { ftype = LDAP_FILTER_PRESENT; } else { rc = put_substring_filter( ber, str, value ); goto free_and_return; } break; } if ( ftype == LDAP_FILTER_PRESENT ) { rc = ber_printf( ber, "ts", ftype, str ); } else if (( len = unescape_filterval( value )) >= 0 ) { rc = ber_printf( ber, "t{so}", ftype, str, value, len ); } if ( rc != -1 ) { rc = 0; } free_and_return: NSLDAPI_FREE( str ); return( rc ); }
LDAP_CALL ldap_init( const char *defhost, int defport ) { LDAP *ld; if ( !nsldapi_initialized ) { nsldapi_initialize_defaults(); } if ( defport < 0 || defport > LDAP_PORT_MAX ) { LDAPDebug( LDAP_DEBUG_ANY, "ldap_init: port %d is invalid (port numbers must range from 1 to %d)\n", defport, LDAP_PORT_MAX, 0 ); #if !defined( macintosh ) && !defined( DOS ) errno = EINVAL; #endif return( NULL ); } LDAPDebug( LDAP_DEBUG_TRACE, "ldap_init\n", 0, 0, 0 ); if ( (ld = (LDAP*)NSLDAPI_MALLOC( sizeof(struct ldap) )) == NULL ) { return( NULL ); } /* copy defaults */ SAFEMEMCPY( ld, &nsldapi_ld_defaults, sizeof( struct ldap )); if ( nsldapi_ld_defaults.ld_io_fns_ptr != NULL ) { if (( ld->ld_io_fns_ptr = (struct ldap_io_fns *)NSLDAPI_MALLOC( sizeof( struct ldap_io_fns ))) == NULL ) { NSLDAPI_FREE( (char *)ld ); return( NULL ); } /* struct copy */ *(ld->ld_io_fns_ptr) = *(nsldapi_ld_defaults.ld_io_fns_ptr); } /* call the new handle I/O callback if one is defined */ if ( ld->ld_extnewhandle_fn != NULL ) { /* * We always pass the session extended I/O argument to * the new handle callback. */ if ( ld->ld_extnewhandle_fn( ld, ld->ld_ext_session_arg ) != LDAP_SUCCESS ) { NSLDAPI_FREE( (char*)ld ); return( NULL ); } } /* allocate session-specific resources */ if (( ld->ld_sbp = ber_sockbuf_alloc()) == NULL || ( defhost != NULL && ( ld->ld_defhost = nsldapi_strdup( defhost )) == NULL ) || ((ld->ld_mutex = (void **) NSLDAPI_CALLOC( LDAP_MAX_LOCK, sizeof(void *))) == NULL )) { if ( ld->ld_sbp != NULL ) { ber_sockbuf_free( ld->ld_sbp ); } if( ld->ld_mutex != NULL ) { NSLDAPI_FREE( ld->ld_mutex ); } NSLDAPI_FREE( (char*)ld ); return( NULL ); } /* install Sockbuf I/O functions if set in LDAP * */ if ( ld->ld_extread_fn != NULL || ld->ld_extwrite_fn != NULL ) { struct lber_x_ext_io_fns lberiofns; memset( &lberiofns, 0, sizeof( lberiofns )); lberiofns.lbextiofn_size = LBER_X_EXTIO_FNS_SIZE; lberiofns.lbextiofn_read = ld->ld_extread_fn; lberiofns.lbextiofn_write = ld->ld_extwrite_fn; lberiofns.lbextiofn_writev = ld->ld_extwritev_fn; lberiofns.lbextiofn_socket_arg = NULL; ber_sockbuf_set_option( ld->ld_sbp, LBER_SOCKBUF_OPT_EXT_IO_FNS, (void *)&lberiofns ); } #ifdef _SOLARIS_SDK /* Install the functions for IPv6 support */ /* code sequencing is critical from here to nsldapi_mutex_alloc_all */ if ( prldap_install_thread_functions( ld, 1 ) != 0 || prldap_install_io_functions( ld, 1 ) != 0 || prldap_install_dns_functions( ld ) != 0 ) { /* go through ld and free resources */ ldap_unbind( ld ); ld = NULL; return( NULL ); } #else /* allocate mutexes */ nsldapi_mutex_alloc_all( ld ); #endif /* set default port */ ld->ld_defport = ( defport == 0 ) ? LDAP_PORT : defport; return( ld ); }
/* * like ldap_url_parse() with a few exceptions: * 1) if dn_required is zero, a missing DN does not generate an error * (we just leave the lud_dn field NULL) * 2) no defaults are set for lud_scope and lud_filter (they are set to -1 * and NULL respectively if no SCOPE or FILTER are present in the URL). * 3) when there is a zero-length DN in a URL we do not set lud_dn to NULL. * * note that LDAPv3 URL extensions are ignored unless they are marked * critical, in which case an LDAP_URL_UNRECOGNIZED_CRITICAL_EXTENSION error * is returned. */ int nsldapi_url_parse( const char *url, LDAPURLDesc **ludpp, int dn_required ) { LDAPURLDesc *ludp; char *urlcopy, *attrs, *scope, *extensions = NULL, *p, *q; int enclosed, secure, i, nattrs, at_start; LDAPDebug( LDAP_DEBUG_TRACE, "nsldapi_url_parse(%s)\n", url, 0, 0 ); if ( url == NULL || ludpp == NULL ) { return( LDAP_URL_ERR_PARAM ); } *ludpp = NULL; /* pessimistic */ if ( !skip_url_prefix( &url, &enclosed, &secure )) { return( LDAP_URL_ERR_NOTLDAP ); } /* allocate return struct */ if (( ludp = (LDAPURLDesc *)NSLDAPI_CALLOC( 1, sizeof( LDAPURLDesc ))) == NULLLDAPURLDESC ) { return( LDAP_URL_ERR_MEM ); } if ( secure ) { ludp->lud_options |= LDAP_URL_OPT_SECURE; } /* make working copy of the remainder of the URL */ if (( urlcopy = nsldapi_strdup( url )) == NULL ) { ldap_free_urldesc( ludp ); return( LDAP_URL_ERR_MEM ); } if ( enclosed && *((p = urlcopy + strlen( urlcopy ) - 1)) == '>' ) { *p = '\0'; } /* initialize scope and filter */ ludp->lud_scope = -1; ludp->lud_filter = NULL; /* lud_string is the only malloc'd string space we use */ ludp->lud_string = urlcopy; /* scan forward for '/' that marks end of hostport and begin. of dn */ if (( ludp->lud_dn = strchr( urlcopy, '/' )) == NULL ) { if ( dn_required ) { ldap_free_urldesc( ludp ); return( LDAP_URL_ERR_NODN ); } } else { /* terminate hostport; point to start of dn */ *ludp->lud_dn++ = '\0'; } if ( *urlcopy == '\0' ) { ludp->lud_host = NULL; } else { ludp->lud_host = urlcopy; nsldapi_hex_unescape( ludp->lud_host ); /* * Locate and strip off optional port number (:#) in host * portion of URL. * * If more than one space-separated host is listed, we only * look for a port number within the right-most one since * ldap_init() will handle host parameters that look like * host:port anyway. */ if (( p = strrchr( ludp->lud_host, ' ' )) == NULL ) { p = ludp->lud_host; } else { ++p; } if ( *p == '[' && ( q = strchr( p, ']' )) != NULL ) { /* square brackets present -- skip past them */ p = q++; } if (( p = strchr( p, ':' )) != NULL ) { *p++ = '\0'; ludp->lud_port = atoi( p ); if ( *ludp->lud_host == '\0' ) { ludp->lud_host = NULL; /* no hostname */ } } } /* scan for '?' that marks end of dn and beginning of attributes */ attrs = NULL; if ( ludp->lud_dn != NULL && ( attrs = strchr( ludp->lud_dn, '?' )) != NULL ) { /* terminate dn; point to start of attrs. */ *attrs++ = '\0'; /* scan for '?' that marks end of attrs and begin. of scope */ if (( p = strchr( attrs, '?' )) != NULL ) { /* * terminate attrs; point to start of scope and scan for * '?' that marks end of scope and begin. of filter */ *p++ = '\0'; scope = p; if (( p = strchr( scope, '?' )) != NULL ) { /* terminate scope; point to start of filter */ *p++ = '\0'; if ( *p != '\0' ) { ludp->lud_filter = p; /* * scan for the '?' that marks the end * of the filter and the start of any * extensions */ if (( p = strchr( ludp->lud_filter, '?' )) != NULL ) { *p++ = '\0'; /* term. filter */ extensions = p; } if ( *ludp->lud_filter == '\0' ) { ludp->lud_filter = NULL; } else { nsldapi_hex_unescape( ludp->lud_filter ); } } } if ( strcasecmp( scope, "one" ) == 0 ) { ludp->lud_scope = LDAP_SCOPE_ONELEVEL; } else if ( strcasecmp( scope, "base" ) == 0 ) { ludp->lud_scope = LDAP_SCOPE_BASE; } else if ( strcasecmp( scope, "sub" ) == 0 ) { ludp->lud_scope = LDAP_SCOPE_SUBTREE; } else if ( *scope != '\0' ) { ldap_free_urldesc( ludp ); return( LDAP_URL_ERR_BADSCOPE ); } } } if ( ludp->lud_dn != NULL ) { nsldapi_hex_unescape( ludp->lud_dn ); } /* * if attrs list was included, turn it into a null-terminated array */ if ( attrs != NULL && *attrs != '\0' ) { nsldapi_hex_unescape( attrs ); for ( nattrs = 1, p = attrs; *p != '\0'; ++p ) { if ( *p == ',' ) { ++nattrs; } } if (( ludp->lud_attrs = (char **)NSLDAPI_CALLOC( nattrs + 1, sizeof( char * ))) == NULL ) { ldap_free_urldesc( ludp ); return( LDAP_URL_ERR_MEM ); } for ( i = 0, p = attrs; i < nattrs; ++i ) { ludp->lud_attrs[ i ] = p; if (( p = strchr( p, ',' )) != NULL ) { *p++ ='\0'; } nsldapi_hex_unescape( ludp->lud_attrs[ i ] ); } } /* if extensions list was included, check for critical ones */ if ( extensions != NULL && *extensions != '\0' ) { /* Note: at present, we do not recognize ANY extensions */ at_start = 1; for ( p = extensions; *p != '\0'; ++p ) { if ( at_start ) { if ( *p == '!' ) { /* critical extension */ ldap_free_urldesc( ludp ); return( LDAP_URL_UNRECOGNIZED_CRITICAL_EXTENSION ); } at_start = 0; } else if ( *p == ',' ) { at_start = 1; } } } *ludpp = ludp; return( 0 ); }
/* * returns an LDAP error code * * XXXmcs: this function used to have #ifdef LDAP_DNS code in it but I * removed it when I improved the parsing (we don't define LDAP_DNS * here at Netscape). */ static int chase_one_referral( LDAP *ld, LDAPRequest *lr, LDAPRequest *origreq, char *refurl, char *desc, int *unknownp ) { int rc, tmprc, secure, msgid; LDAPServer *srv; BerElement *ber; LDAPURLDesc *ludp; *unknownp = 0; ludp = NULLLDAPURLDESC; if ( nsldapi_url_parse( refurl, &ludp, 0 ) != 0 ) { LDAPDebug( LDAP_DEBUG_TRACE, "ignoring unknown %s <%s>\n", desc, refurl, 0 ); *unknownp = 1; rc = LDAP_SUCCESS; goto cleanup_and_return; } secure = (( ludp->lud_options & LDAP_URL_OPT_SECURE ) != 0 ); /* XXXmcs: can't tell if secure is supported by connect callback */ if ( secure && ld->ld_extconnect_fn == NULL ) { LDAPDebug( LDAP_DEBUG_TRACE, "ignoring LDAPS %s <%s>\n", desc, refurl, 0 ); *unknownp = 1; rc = LDAP_SUCCESS; goto cleanup_and_return; } LDAPDebug( LDAP_DEBUG_TRACE, "chasing LDAP%s %s: <%s>\n", secure ? "S" : "", desc, refurl ); LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK ); msgid = ++ld->ld_msgid; LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK ); if (( tmprc = re_encode_request( ld, origreq->lr_ber, msgid, ludp, &ber )) != LDAP_SUCCESS ) { rc = tmprc; goto cleanup_and_return; } if (( srv = (LDAPServer *)NSLDAPI_CALLOC( 1, sizeof( LDAPServer ))) == NULL ) { ber_free( ber, 1 ); rc = LDAP_NO_MEMORY; goto cleanup_and_return; } if (ludp->lud_host == NULL && ld->ld_defhost == NULL) { srv->lsrv_host = NULL; } else { if (ludp->lud_host == NULL) { srv->lsrv_host = nsldapi_strdup( origreq->lr_conn->lconn_server->lsrv_host ); LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using hostname '%s' from original " "request on new request\n", srv->lsrv_host, 0, 0); } else { srv->lsrv_host = nsldapi_strdup(ludp->lud_host); LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using hostname '%s' as specified " "on new request\n", srv->lsrv_host, 0, 0); } if (srv->lsrv_host == NULL) { NSLDAPI_FREE((char *)srv); ber_free(ber, 1); rc = LDAP_NO_MEMORY; goto cleanup_and_return; } } /* * According to our reading of RFCs 2255 and 1738, the * following algorithm applies: * - no hostport (no host, no port) provided in LDAP URL, use those * of previous request * - no port but a host, use default LDAP port * - else use given hostport */ if (ludp->lud_port == 0 && ludp->lud_host == NULL) { srv->lsrv_port = origreq->lr_conn->lconn_server->lsrv_port; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using port (%d) from original " "request on new request\n", srv->lsrv_port, 0, 0); } else if (ludp->lud_port == 0 && ludp->lud_host != NULL) { srv->lsrv_port = (secure) ? LDAPS_PORT : LDAP_PORT; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using default port (%d) \n", srv->lsrv_port, 0, 0); } else { srv->lsrv_port = ludp->lud_port; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using port (%d) as specified on " "new request\n", srv->lsrv_port, 0, 0); } if ( secure ) { srv->lsrv_options |= LDAP_SRV_OPT_SECURE; } if ( nsldapi_send_server_request( ld, ber, msgid, lr, srv, NULL, NULL, 1 ) < 0 ) { rc = LDAP_GET_LDERRNO( ld, NULL, NULL ); LDAPDebug( LDAP_DEBUG_ANY, "Unable to chase %s %s (%s)\n", desc, refurl, ldap_err2string( rc )); } else { rc = LDAP_SUCCESS; } cleanup_and_return: if ( ludp != NULLLDAPURLDESC ) { ldap_free_urldesc( ludp ); } return( rc ); }
static LDAPServer * dn2servers( LDAP *ld, char *dn ) /* dn can also be a domain.... */ { char *p, *domain, *host, *server_dn, **dxs; int i, port; LDAPServer *srvlist, *prevsrv, *srv; if (( domain = strrchr( dn, '@' )) != NULL ) { ++domain; } else { domain = dn; } if (( dxs = nsldapi_getdxbyname( domain )) == NULL ) { LDAP_SET_LDERRNO( ld, LDAP_NO_MEMORY, NULL, NULL ); return( NULL ); } srvlist = NULL; for ( i = 0; dxs[ i ] != NULL; ++i ) { port = LDAP_PORT; server_dn = NULL; if ( strchr( dxs[ i ], ':' ) == NULL ) { host = dxs[ i ]; } else if ( strlen( dxs[ i ] ) >= 7 && strncmp( dxs[ i ], "ldap://", 7 ) == 0 ) { host = dxs[ i ] + 7; if (( p = strchr( host, ':' )) == NULL ) { p = host; } else { *p++ = '\0'; port = atoi( p ); } if (( p = strchr( p, '/' )) != NULL ) { server_dn = ++p; if ( *server_dn == '\0' ) { server_dn = NULL; } } } else { host = NULL; } if ( host != NULL ) { /* found a server we can use */ if (( srv = (LDAPServer *)NSLDAPI_CALLOC( 1, sizeof( LDAPServer ))) == NULL ) { free_servers( srvlist ); srvlist = NULL; break; /* exit loop & return */ } /* add to end of list of servers */ if ( srvlist == NULL ) { srvlist = srv; } else { prevsrv->lsrv_next = srv; } prevsrv = srv; /* copy in info. */ if (( srv->lsrv_host = nsldapi_strdup( host )) == NULL || ( server_dn != NULL && ( srv->lsrv_dn = nsldapi_strdup( server_dn )) == NULL )) { free_servers( srvlist ); srvlist = NULL; break; /* exit loop & return */ } srv->lsrv_port = port; } } ldap_value_free( dxs ); if ( srvlist == NULL ) { LDAP_SET_LDERRNO( ld, LDAP_SERVER_DOWN, NULL, NULL ); } return( srvlist ); }
LDAPFiltDesc *LDAP_CALL ldap_init_getfilter_buf(char *buf, long buflen) { LDAPFiltDesc *lfdp; LDAPFiltList *flp, *nextflp; LDAPFiltInfo *fip, *nextfip; char *errmsg, *tag, **tok; int tokcnt, i; if ((buf == NULL) || (buflen < 0) || (lfdp = (LDAPFiltDesc *)NSLDAPI_CALLOC(1, sizeof(LDAPFiltDesc))) == NULL) { return (NULL); } flp = nextflp = NULL; fip = NULL; tag = NULL; while (buflen > 0 && (tokcnt = nsldapi_next_line_tokens(&buf, &buflen, &tok)) > 0) { switch (tokcnt) { case 1: /* tag line */ if (tag != NULL) { NSLDAPI_FREE(tag); } tag = tok[0]; NSLDAPI_FREE(tok); break; case 4: case 5: /* start of filter info. list */ if ((nextflp = (LDAPFiltList *)NSLDAPI_CALLOC( 1, sizeof(LDAPFiltList))) == NULL) { ldap_getfilter_free(lfdp); return (NULL); } nextflp->lfl_tag = nsldapi_strdup(tag); nextflp->lfl_pattern = tok[0]; if ((errmsg = re_comp(nextflp->lfl_pattern)) != NULL) { char msg[512]; ldap_getfilter_free(lfdp); snprintf(msg, sizeof(msg), "bad regular expression \"%s\" - %s\n", nextflp->lfl_pattern, errmsg); ber_err_print(msg); nsldapi_free_strarray(tok); return (NULL); } nextflp->lfl_delims = tok[1]; nextflp->lfl_ilist = NULL; nextflp->lfl_next = NULL; if (flp == NULL) { /* first one */ lfdp->lfd_filtlist = nextflp; } else { flp->lfl_next = nextflp; } flp = nextflp; fip = NULL; for (i = 2; i < 5; ++i) { tok[i - 2] = tok[i]; } /* fall through */ case 2: case 3: /* filter, desc, and optional search scope */ if (nextflp != NULL) { /* add to info list */ if ((nextfip = (LDAPFiltInfo *)NSLDAPI_CALLOC( 1, sizeof(LDAPFiltInfo))) == NULL) { ldap_getfilter_free(lfdp); nsldapi_free_strarray(tok); return (NULL); } if (fip == NULL) { /* first one */ nextflp->lfl_ilist = nextfip; } else { fip->lfi_next = nextfip; } fip = nextfip; nextfip->lfi_next = NULL; nextfip->lfi_filter = tok[0]; nextfip->lfi_desc = tok[1]; if (tok[2] != NULL) { if (strcasecmp(tok[2], "subtree") == 0) { nextfip->lfi_scope = LDAP_SCOPE_SUBTREE; } else if (strcasecmp(tok[2], "onelevel") == 0) { nextfip->lfi_scope = LDAP_SCOPE_ONELEVEL; } else if (strcasecmp(tok[2], "base") == 0) { nextfip->lfi_scope = LDAP_SCOPE_BASE; } else { nsldapi_free_strarray(tok); ldap_getfilter_free(lfdp); return (NULL); } NSLDAPI_FREE(tok[2]); tok[2] = NULL; } else { nextfip->lfi_scope = LDAP_SCOPE_SUBTREE; /* default */ } nextfip->lfi_isexact = (strchr(tok[0], '*') == NULL && strchr(tok[0], '~') == NULL); NSLDAPI_FREE(tok); } break; default: nsldapi_free_strarray(tok); ldap_getfilter_free(lfdp); return (NULL); } } if (tag != NULL) { NSLDAPI_FREE(tag); } return (lfdp); }
int LDAP_CALL ldap_url_search( LDAP *ld, const char *url, int attrsonly ) { int err, msgid; LDAPURLDesc *ludp; BerElement *ber; LDAPServer *srv; char *host; if ( !NSLDAPI_VALID_LDAP_POINTER( ld )) { return( -1 ); /* punt */ } if ( ldap_url_parse( url, &ludp ) != 0 ) { LDAP_SET_LDERRNO( ld, LDAP_PARAM_ERROR, NULL, NULL ); return( -1 ); } LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK ); msgid = ++ld->ld_msgid; LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK ); if ( nsldapi_build_search_req( ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, attrsonly, NULL, NULL, -1, -1, msgid, &ber ) != LDAP_SUCCESS ) { return( -1 ); } err = 0; if ( ludp->lud_host == NULL ) { host = ld->ld_defhost; } else { host = ludp->lud_host; } if (( srv = (LDAPServer *)NSLDAPI_CALLOC( 1, sizeof( LDAPServer ))) == NULL || ( host != NULL && ( srv->lsrv_host = nsldapi_strdup( host )) == NULL )) { if ( srv != NULL ) { NSLDAPI_FREE( srv ); } LDAP_SET_LDERRNO( ld, LDAP_NO_MEMORY, NULL, NULL ); err = -1; } else { if ( ludp->lud_port == 0 ) { if (( ludp->lud_options & LDAP_URL_OPT_SECURE ) == 0 ) { srv->lsrv_port = LDAP_PORT; } else { srv->lsrv_port = LDAPS_PORT; } } else { srv->lsrv_port = ludp->lud_port; } } if (( ludp->lud_options & LDAP_URL_OPT_SECURE ) != 0 ) { srv->lsrv_options |= LDAP_SRV_OPT_SECURE; } if ( err != 0 ) { ber_free( ber, 1 ); } else { err = nsldapi_send_server_request( ld, ber, msgid, NULL, srv, NULL, NULL, 1 ); } ldap_free_urldesc( ludp ); return( err ); }
/* returns the message id of the request or -1 if an error occurs */ int nsldapi_send_server_request( LDAP *ld, /* session handle */ BerElement *ber, /* message to send */ int msgid, /* ID of message to send */ LDAPRequest *parentreq, /* non-NULL for referred requests */ LDAPServer *srvlist, /* servers to connect to (NULL for default) */ LDAPConn *lc, /* connection to use (NULL for default) */ char *bindreqdn, /* non-NULL for bind requests */ int bind /* perform a bind after opening new conn.? */ ) { LDAPRequest *lr; int err; int incparent; /* did we bump parent's ref count? */ LDAPDebug( LDAP_DEBUG_TRACE, "nsldapi_send_server_request\n", 0, 0, 0 ); incparent = 0; LDAP_MUTEX_LOCK( ld, LDAP_CONN_LOCK ); if ( lc == NULL ) { if ( srvlist == NULL ) { if ( ld->ld_defconn == NULL ) { LDAP_MUTEX_LOCK( ld, LDAP_OPTION_LOCK ); if ( bindreqdn == NULL && ( ld->ld_options & LDAP_BITOPT_RECONNECT ) != 0 ) { LDAP_SET_LDERRNO( ld, LDAP_SERVER_DOWN, NULL, NULL ); ber_free( ber, 1 ); LDAP_MUTEX_UNLOCK( ld, LDAP_OPTION_LOCK ); LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); return( -1 ); } LDAP_MUTEX_UNLOCK( ld, LDAP_OPTION_LOCK ); if ( nsldapi_open_ldap_defconn( ld ) < 0 ) { ber_free( ber, 1 ); LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); return( -1 ); } } lc = ld->ld_defconn; } else { if (( lc = find_connection( ld, srvlist, 1 )) == NULL ) { if ( bind && (parentreq != NULL) ) { /* Remember the bind in the parent */ incparent = 1; ++parentreq->lr_outrefcnt; } lc = nsldapi_new_connection( ld, &srvlist, 0, 1, bind ); } free_servers( srvlist ); } } /* * the logic here is: * if * 1. no connections exists, * or * 2. if the connection is either not in the connected * or connecting state in an async io model * or * 3. the connection is notin a connected state with normal (non async io) */ if ( lc == NULL || ( (ld->ld_options & LDAP_BITOPT_ASYNC && lc->lconn_status != LDAP_CONNST_CONNECTING && lc->lconn_status != LDAP_CONNST_CONNECTED) || (!(ld->ld_options & LDAP_BITOPT_ASYNC ) && lc->lconn_status != LDAP_CONNST_CONNECTED) ) ) { ber_free( ber, 1 ); if ( lc != NULL ) { LDAP_SET_LDERRNO( ld, LDAP_SERVER_DOWN, NULL, NULL ); } if ( incparent ) { /* Forget about the bind */ --parentreq->lr_outrefcnt; } LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); return( -1 ); } use_connection( ld, lc ); if (( lr = (LDAPRequest *)NSLDAPI_CALLOC( 1, sizeof( LDAPRequest ))) == NULL || ( bindreqdn != NULL && ( bindreqdn = nsldapi_strdup( bindreqdn )) == NULL )) { if ( lr != NULL ) { NSLDAPI_FREE( lr ); } LDAP_SET_LDERRNO( ld, LDAP_NO_MEMORY, NULL, NULL ); nsldapi_free_connection( ld, lc, NULL, NULL, 0, 0 ); ber_free( ber, 1 ); if ( incparent ) { /* Forget about the bind */ --parentreq->lr_outrefcnt; } LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); return( -1 ); } lr->lr_binddn = bindreqdn; lr->lr_msgid = msgid; lr->lr_status = LDAP_REQST_INPROGRESS; lr->lr_res_errno = LDAP_SUCCESS; /* optimistic */ lr->lr_ber = ber; lr->lr_conn = lc; if ( parentreq != NULL ) { /* sub-request */ if ( !incparent ) { /* Increment if we didn't do it before the bind */ ++parentreq->lr_outrefcnt; } lr->lr_origid = parentreq->lr_origid; lr->lr_parentcnt = parentreq->lr_parentcnt + 1; lr->lr_parent = parentreq; if ( parentreq->lr_child != NULL ) { lr->lr_sibling = parentreq->lr_child; } parentreq->lr_child = lr; } else { /* original request */ lr->lr_origid = lr->lr_msgid; } LDAP_MUTEX_LOCK( ld, LDAP_REQ_LOCK ); if (( lr->lr_next = ld->ld_requests ) != NULL ) { lr->lr_next->lr_prev = lr; } ld->ld_requests = lr; lr->lr_prev = NULL; if (( err = nsldapi_ber_flush( ld, lc->lconn_sb, ber, 0, 1 )) != 0 ) { /* need to continue write later */ if (ld->ld_options & LDAP_BITOPT_ASYNC && err == -2 ) { lr->lr_status = LDAP_REQST_WRITING; nsldapi_iostatus_interest_write( ld, lc->lconn_sb ); } else { LDAP_SET_LDERRNO( ld, LDAP_SERVER_DOWN, NULL, NULL ); nsldapi_free_request( ld, lr, 0 ); nsldapi_free_connection( ld, lc, NULL, NULL, 0, 0 ); LDAP_MUTEX_UNLOCK( ld, LDAP_REQ_LOCK ); LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); return( -1 ); } } else { if ( parentreq == NULL ) { ber->ber_end = ber->ber_ptr; ber->ber_ptr = ber->ber_buf; } /* sent -- waiting for a response */ if (ld->ld_options & LDAP_BITOPT_ASYNC) { lc->lconn_status = LDAP_CONNST_CONNECTED; } nsldapi_iostatus_interest_read( ld, lc->lconn_sb ); } LDAP_MUTEX_UNLOCK( ld, LDAP_REQ_LOCK ); LDAP_MUTEX_UNLOCK( ld, LDAP_CONN_LOCK ); LDAP_SET_LDERRNO( ld, LDAP_SUCCESS, NULL, NULL ); return( msgid ); }
int nsldapi_sasl_secprops( const char *in, sasl_security_properties_t *secprops ) { int i; char **props = NULL; char *inp; unsigned sflags = 0; sasl_ssf_t max_ssf = 0; sasl_ssf_t min_ssf = 0; unsigned maxbufsize = 0; int got_sflags = 0; int got_max_ssf = 0; int got_min_ssf = 0; int got_maxbufsize = 0; if (in == NULL) { return LDAP_PARAM_ERROR; } inp = nsldapi_strdup(in); if (inp == NULL) { return LDAP_PARAM_ERROR; } props = ldap_str2charray( inp, "," ); NSLDAPI_FREE( inp ); if( props == NULL || secprops == NULL ) { return LDAP_PARAM_ERROR; } for( i=0; props[i]; i++ ) { if( strcasecmp(props[i], "none") == 0 ) { got_sflags++; } else if( strcasecmp(props[i], "noactive") == 0 ) { got_sflags++; sflags |= SASL_SEC_NOACTIVE; } else if( strcasecmp(props[i], "noanonymous") == 0 ) { got_sflags++; sflags |= SASL_SEC_NOANONYMOUS; } else if( strcasecmp(props[i], "nodict") == 0 ) { got_sflags++; sflags |= SASL_SEC_NODICTIONARY; } else if( strcasecmp(props[i], "noplain") == 0 ) { got_sflags++; sflags |= SASL_SEC_NOPLAINTEXT; } else if( strcasecmp(props[i], "forwardsec") == 0 ) { got_sflags++; sflags |= SASL_SEC_FORWARD_SECRECY; } else if( strcasecmp(props[i], "passcred") == 0 ) { got_sflags++; sflags |= SASL_SEC_PASS_CREDENTIALS; } else if( strncasecmp(props[i], "minssf=", sizeof("minssf")) == 0 ) { if( isdigit( props[i][sizeof("minssf")] ) ) { got_min_ssf++; min_ssf = atoi( &props[i][sizeof("minssf")] ); } else { return LDAP_NOT_SUPPORTED; } } else if( strncasecmp(props[i], "maxssf=", sizeof("maxssf")) == 0 ) { if( isdigit( props[i][sizeof("maxssf")] ) ) { got_max_ssf++; max_ssf = atoi( &props[i][sizeof("maxssf")] ); } else { return LDAP_NOT_SUPPORTED; } } else if( strncasecmp(props[i], "maxbufsize=", sizeof("maxbufsize")) == 0 ) { if( isdigit( props[i][sizeof("maxbufsize")] ) ) { got_maxbufsize++; maxbufsize = atoi( &props[i][sizeof("maxbufsize")] ); if( maxbufsize && (( maxbufsize < SASL_MIN_BUFF_SIZE ) || (maxbufsize > SASL_MAX_BUFF_SIZE ))) { return( LDAP_PARAM_ERROR ); } } else { return( LDAP_NOT_SUPPORTED ); } } else { return( LDAP_NOT_SUPPORTED ); } } if(got_sflags) { secprops->security_flags = sflags; } if(got_min_ssf) { secprops->min_ssf = min_ssf; } if(got_max_ssf) { secprops->max_ssf = max_ssf; } if(got_maxbufsize) { secprops->maxbufsize = maxbufsize; } ldap_charray_free( props ); return( LDAP_SUCCESS ); }
static int nsldapi_sasl_do_bind( LDAP *ld, const char *dn, const char *mechs, unsigned flags, LDAP_SASL_INTERACT_PROC *callback, void *defaults, LDAPControl **sctrl, LDAPControl **cctrl, LDAPControl ***rctrl ) { sasl_interact_t *prompts = NULL; sasl_conn_t *ctx = NULL; sasl_ssf_t *ssf = NULL; const char *mech = NULL; int saslrc, rc; struct berval ccred; unsigned credlen; int stepnum = 1; char *sasl_username = NULL; if (rctrl) { /* init to NULL so we can call ldap_controls_free below */ *rctrl = NULL; } if (NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3) { LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL ); return( LDAP_NOT_SUPPORTED ); } /* shouldn't happen */ if (callback == NULL) { return( LDAP_LOCAL_ERROR ); } if ( (rc = nsldapi_sasl_open(ld, NULL, &ctx, 0)) != LDAP_SUCCESS ) { return( rc ); } ccred.bv_val = NULL; ccred.bv_len = 0; LDAPDebug(LDAP_DEBUG_TRACE, "Starting SASL/%s authentication\n", (mechs ? mechs : ""), 0, 0 ); do { saslrc = sasl_client_start( ctx, mechs, &prompts, (const char **)&ccred.bv_val, &credlen, &mech ); LDAPDebug(LDAP_DEBUG_TRACE, "Doing step %d of client start for SASL/%s authentication\n", stepnum, (mech ? mech : ""), 0 ); stepnum++; if( saslrc == SASL_INTERACT && (callback)(ld, flags, defaults, prompts) != LDAP_SUCCESS ) { break; } } while ( saslrc == SASL_INTERACT ); ccred.bv_len = credlen; if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) { return( nsldapi_sasl_cvterrno( ld, saslrc, nsldapi_strdup( sasl_errdetail( ctx ) ) ) ); } stepnum = 1; do { struct berval *scred; int clientstepnum = 1; scred = NULL; if (rctrl) { /* if we're looping again, we need to free any controls set during the previous loop */ /* NOTE that this assumes we only care about the controls returned by the last call to nsldapi_sasl_bind_s - if we care about _all_ controls, we will have to figure out some way to append them each loop go round */ ldap_controls_free(*rctrl); *rctrl = NULL; } LDAPDebug(LDAP_DEBUG_TRACE, "Doing step %d of bind for SASL/%s authentication\n", stepnum, (mech ? mech : ""), 0 ); stepnum++; /* notify server of a sasl bind step */ rc = nsldapi_sasl_bind_s(ld, dn, mech, &ccred, sctrl, cctrl, &scred, rctrl); if ( ccred.bv_val != NULL ) { ccred.bv_val = NULL; } if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) { ber_bvfree( scred ); return( rc ); } if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) { /* we're done, no need to step */ if( scred ) { if ( scred->bv_len == 0 ) { /* MS AD sends back empty screds */ LDAPDebug(LDAP_DEBUG_ANY, "SASL BIND complete - ignoring empty credential response\n", 0, 0, 0); ber_bvfree( scred ); } else { /* but server provided us with data! */ LDAPDebug(LDAP_DEBUG_TRACE, "SASL BIND complete but invalid because server responded with credentials - length [%u]\n", scred->bv_len, 0, 0); ber_bvfree( scred ); LDAP_SET_LDERRNO( ld, LDAP_LOCAL_ERROR, NULL, "Error during SASL handshake - invalid server credential response" ); return( LDAP_LOCAL_ERROR ); } } break; } /* perform the next step of the sasl bind */ do { LDAPDebug(LDAP_DEBUG_TRACE, "Doing client step %d of bind step %d for SASL/%s authentication\n", clientstepnum, stepnum, (mech ? mech : "") ); clientstepnum++; saslrc = sasl_client_step( ctx, (scred == NULL) ? NULL : scred->bv_val, (scred == NULL) ? 0 : scred->bv_len, &prompts, (const char **)&ccred.bv_val, &credlen ); if( saslrc == SASL_INTERACT && (callback)(ld, flags, defaults, prompts) != LDAP_SUCCESS ) { break; } } while ( saslrc == SASL_INTERACT ); ccred.bv_len = credlen; ber_bvfree( scred ); if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) { return( nsldapi_sasl_cvterrno( ld, saslrc, nsldapi_strdup( sasl_errdetail( ctx ) ) ) ); } } while ( rc == LDAP_SASL_BIND_IN_PROGRESS ); if ( rc != LDAP_SUCCESS ) { return( rc ); } if ( saslrc != SASL_OK ) { return( nsldapi_sasl_cvterrno( ld, saslrc, nsldapi_strdup( sasl_errdetail( ctx ) ) ) ); } saslrc = sasl_getprop( ctx, SASL_USERNAME, (const void **) &sasl_username ); if ( (saslrc == SASL_OK) && sasl_username ) { LDAPDebug(LDAP_DEBUG_TRACE, "SASL identity: %s\n", sasl_username, 0, 0); } saslrc = sasl_getprop( ctx, SASL_SSF, (const void **) &ssf ); if( saslrc == SASL_OK ) { if( ssf && *ssf ) { LDAPDebug(LDAP_DEBUG_TRACE, "SASL install encryption, for SSF: %lu\n", (unsigned long) *ssf, 0, 0 ); nsldapi_sasl_install( ld, NULL ); } } return( rc ); }
LDAP_CALL ldap_tmplattrs( struct ldap_disptmpl *tmpl, char **includeattrs, int exclude, unsigned long syntaxmask ) { /* * this routine should filter out duplicate attributes... */ struct ldap_tmplitem *tirowp, *ticolp; int i, attrcnt, memerr; char **attrs; attrcnt = 0; memerr = 0; if (( attrs = (char **)NSLDAPI_MALLOC( sizeof( char * ))) == NULL ) { return( NULL ); } if ( includeattrs != NULL ) { for ( i = 0; !memerr && includeattrs[ i ] != NULL; ++i ) { if (( attrs = (char **)NSLDAPI_REALLOC( attrs, ( attrcnt + 2 ) * sizeof( char * ))) == NULL || ( attrs[ attrcnt++ ] = nsldapi_strdup( includeattrs[ i ] )) == NULL ) { memerr = 1; } else { attrs[ attrcnt ] = NULL; } } } for ( tirowp = ldap_first_tmplrow( tmpl ); !memerr && tirowp != NULLTMPLITEM; tirowp = ldap_next_tmplrow( tmpl, tirowp )) { for ( ticolp = ldap_first_tmplcol( tmpl, tirowp ); ticolp != NULLTMPLITEM; ticolp = ldap_next_tmplcol( tmpl, tirowp, ticolp )) { if ( syntaxmask != 0 ) { if (( exclude && ( syntaxmask & ticolp->ti_syntaxid ) != 0 ) || ( !exclude && ( syntaxmask & ticolp->ti_syntaxid ) == 0 )) { continue; } } if ( ticolp->ti_attrname != NULL ) { if (( attrs = (char **)NSLDAPI_REALLOC( attrs, ( attrcnt + 2 ) * sizeof( char * ))) == NULL || ( attrs[ attrcnt++ ] = nsldapi_strdup( ticolp->ti_attrname )) == NULL ) { memerr = 1; } else { attrs[ attrcnt ] = NULL; } } } } if ( memerr || attrcnt == 0 ) { for ( i = 0; i < attrcnt; ++i ) { if ( attrs[ i ] != NULL ) { NSLDAPI_FREE( attrs[ i ] ); } } NSLDAPI_FREE( (char *)attrs ); return( NULL ); } return( attrs ); }