/***********************************************************************
* ber_skip_tag (WLDAP32.@)
*
* Skip the current tag and return the tag of the next element.
*
* PARAMS
* berelement [I] Pointer to a berelement structure.
* len [O] Receives the length of the skipped element.
*
* RETURNS
* Success: Tag of the next element.
* Failure: LBER_DEFAULT (no more data).
*/
ULONG CDECL WLDAP32_ber_skip_tag( BerElement *berelement, ULONG *len )
{
#ifdef HAVE_LDAP
return ber_skip_tag( berelement, len );
#else
return LBER_ERROR;
#endif
}
static void
tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
ber_int_t i;
ber_init2( ber, cert, LBER_USE_DER );
tag = ber_skip_tag( ber, &len ); /* Sequence */
tag = ber_skip_tag( ber, &len ); /* Sequence */
tag = ber_skip_tag( ber, &len ); /* Context + Constructed (version) */
if ( tag == 0xa0 ) /* Version is optional */
tag = ber_get_int( ber, &i ); /* Int: Version */
tag = ber_skip_tag( ber, &len ); /* Int: Serial (can be longer than ber_int_t) */
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
ber_skip_data( ber, len );
if ( !get_subject ) {
tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
} else {
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
ber_skip_data( ber, len );
tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
}
len = ber_ptrlen( ber );
dn->bv_val = cert->bv_val + len;
dn->bv_len = cert->bv_len - len;
}
static ber_tag_t
build_result_ber( LDAP *ld, BerElement **bp, LDAPRequest *lr )
{
ber_len_t len;
ber_tag_t tag;
ber_int_t along;
BerElement *ber;
*bp = NULL;
ber = ldap_alloc_ber_with_options( ld );
if( ber == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
return LBER_ERROR;
}
if ( ber_printf( ber, "{it{ess}}", lr->lr_msgid,
lr->lr_res_msgtype, lr->lr_res_errno,
lr->lr_res_matched ? lr->lr_res_matched : "",
lr->lr_res_error ? lr->lr_res_error : "" ) == -1 )
{
ld->ld_errno = LDAP_ENCODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
ber_reset( ber, 1 );
if ( ber_skip_tag( ber, &len ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
if ( ber_get_enum( ber, &along ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
*bp = ber;
return tag;
}
static int count_key(BerElement *ber)
{
char *end;
ber_len_t len;
ber_tag_t tag;
int count = 0;
/* Server Side Sort Control is a SEQUENCE of SEQUENCE */
for ( tag = ber_first_element( ber, &len, &end );
tag == LBER_SEQUENCE;
tag = ber_next_element( ber, &len, end ))
{
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
++count;
}
ber_rewind( ber );
return count;
}
int
ldap_send_server_request(
LDAP *ld,
BerElement *ber,
ber_int_t msgid,
LDAPRequest *parentreq,
LDAPURLDesc **srvlist,
LDAPConn *lc,
LDAPreqinfo *bind,
int m_noconn,
int m_res )
{
LDAPRequest *lr;
int incparent, rc;
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_req_mutex );
Debug( LDAP_DEBUG_TRACE, "ldap_send_server_request\n", 0, 0, 0 );
incparent = 0;
ld->ld_errno = LDAP_SUCCESS; /* optimistic */
LDAP_CONN_LOCK_IF(m_noconn);
if ( lc == NULL ) {
if ( srvlist == NULL ) {
lc = ld->ld_defconn;
} else {
lc = find_connection( ld, *srvlist, 1 );
if ( lc == NULL ) {
if ( (bind != NULL) && (parentreq != NULL) ) {
/* Remember the bind in the parent */
incparent = 1;
++parentreq->lr_outrefcnt;
}
lc = ldap_new_connection( ld, srvlist, 0,
1, bind, 1, m_res );
}
}
}
/* async connect... */
if ( lc != NULL && lc->lconn_status == LDAP_CONNST_CONNECTING ) {
ber_socket_t sd = AC_SOCKET_ERROR;
struct timeval tv = { 0 };
ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_GET_FD, &sd );
/* poll ... */
switch ( ldap_int_poll( ld, sd, &tv, 1 ) ) {
case 0:
/* go on! */
lc->lconn_status = LDAP_CONNST_CONNECTED;
break;
case -2:
/* async only occurs if a network timeout is set */
/* honor network timeout */
LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex );
if ( time( NULL ) - lc->lconn_created <= ld->ld_options.ldo_tm_net.tv_sec )
{
/* caller will have to call again */
ld->ld_errno = LDAP_X_CONNECTING;
}
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
/* fallthru */
default:
/* error */
break;
}
}
if ( lc == NULL || lc->lconn_status != LDAP_CONNST_CONNECTED ) {
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = LDAP_SERVER_DOWN;
}
ber_free( ber, 1 );
if ( incparent ) {
/* Forget about the bind */
--parentreq->lr_outrefcnt;
}
LDAP_CONN_UNLOCK_IF(m_noconn);
return( -1 );
}
use_connection( ld, lc );
#ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP( ld )) {
BerElement tmpber = *ber;
ber_rewind( &tmpber );
LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex );
rc = ber_write( &tmpber, ld->ld_options.ldo_peer,
sizeof( struct sockaddr_storage ), 0 );
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
if ( rc == -1 ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
}
#endif
/* If we still have an incomplete write, try to finish it before
* dealing with the new request. If we don't finish here, return
* LDAP_BUSY and let the caller retry later. We only allow a single
* request to be in WRITING state.
*/
rc = 0;
if ( ld->ld_requests &&
ld->ld_requests->lr_status == LDAP_REQST_WRITING &&
ldap_int_flush_request( ld, ld->ld_requests ) < 0 )
{
rc = -1;
}
if ( rc ) {
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
lr = (LDAPRequest *)LDAP_CALLOC( 1, sizeof( LDAPRequest ) );
if ( lr == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
ldap_free_connection( ld, lc, 0, 0 );
ber_free( ber, 1 );
if ( incparent ) {
/* Forget about the bind */
--parentreq->lr_outrefcnt;
}
LDAP_CONN_UNLOCK_IF(m_noconn);
return( -1 );
}
lr->lr_msgid = msgid;
lr->lr_status = LDAP_REQST_INPROGRESS;
lr->lr_res_errno = LDAP_SUCCESS; /* optimistic */
lr->lr_ber = ber;
lr->lr_conn = lc;
if ( parentreq != NULL ) { /* sub-request */
if ( !incparent ) {
/* Increment if we didn't do it before the bind */
++parentreq->lr_outrefcnt;
}
lr->lr_origid = parentreq->lr_origid;
lr->lr_parentcnt = ++parentreq->lr_parentcnt;
lr->lr_parent = parentreq;
lr->lr_refnext = parentreq->lr_child;
parentreq->lr_child = lr;
} else { /* original request */
lr->lr_origid = lr->lr_msgid;
}
/* Extract requestDN for future reference */
#ifdef LDAP_CONNECTIONLESS
if ( !LDAP_IS_UDP(ld) )
#endif
{
BerElement tmpber = *ber;
ber_int_t bint;
ber_tag_t tag, rtag;
ber_reset( &tmpber, 1 );
rtag = ber_scanf( &tmpber, "{it", /*}*/ &bint, &tag );
switch ( tag ) {
case LDAP_REQ_BIND:
rtag = ber_scanf( &tmpber, "{i" /*}*/, &bint );
break;
case LDAP_REQ_DELETE:
break;
default:
rtag = ber_scanf( &tmpber, "{" /*}*/ );
case LDAP_REQ_ABANDON:
break;
}
if ( tag != LDAP_REQ_ABANDON ) {
ber_skip_tag( &tmpber, &lr->lr_dn.bv_len );
lr->lr_dn.bv_val = tmpber.ber_ptr;
}
}
lr->lr_prev = NULL;
lr->lr_next = ld->ld_requests;
if ( lr->lr_next != NULL ) {
lr->lr_next->lr_prev = lr;
}
ld->ld_requests = lr;
ld->ld_errno = LDAP_SUCCESS;
if ( ldap_int_flush_request( ld, lr ) == -1 ) {
msgid = -1;
}
LDAP_CONN_UNLOCK_IF(m_noconn);
return( msgid );
}
static int
vc_exop(
Operation *op,
SlapReply *rs )
{
int rc = LDAP_SUCCESS;
ber_tag_t tag;
ber_len_t len = -1;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
struct berval reqdata = BER_BVNULL;
struct berval cookie = BER_BVNULL;
struct berval bdn = BER_BVNULL;
ber_tag_t authtag;
struct berval cred = BER_BVNULL;
struct berval ndn = BER_BVNULL;
struct berval mechanism = BER_BVNULL;
vc_conn_t *conn = NULL;
vc_cb_t vc = { 0 };
slap_callback sc = { 0 };
SlapReply rs2 = { 0 };
if ( op->ore_reqdata == NULL || op->ore_reqdata->bv_len == 0 ) {
rs->sr_text = "empty request data field in VerifyCredentials exop";
return LDAP_PROTOCOL_ERROR;
}
/* optimistic */
rs->sr_err = LDAP_SUCCESS;
ber_dupbv_x( &reqdata, op->ore_reqdata, op->o_tmpmemctx );
/* ber_init2 uses reqdata directly, doesn't allocate new buffers */
ber_init2( ber, &reqdata, 0 );
tag = ber_scanf( ber, "{" /*}*/ );
if ( tag != LBER_SEQUENCE ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_peek_tag( ber, &len );
if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ) {
/*
* cookie: the pointer to the connection
* of this operation
*/
ber_scanf( ber, "m", &cookie );
if ( cookie.bv_len != sizeof(Connection *) ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
}
/* DN, authtag */
tag = ber_scanf( ber, "mt", &bdn, &authtag );
if ( tag == LBER_ERROR ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
switch ( authtag ) {
case LDAP_AUTH_SIMPLE:
/* cookie only makes sense for SASL bind (so far) */
if ( !BER_BVISNULL( &cookie ) ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_scanf( ber, "m", &cred );
if ( tag == LBER_ERROR ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
break;
case LDAP_AUTH_SASL:
tag = ber_scanf( ber, "{s" /*}*/ , &mechanism );
if ( tag == LBER_ERROR ||
BER_BVISNULL( &mechanism ) || BER_BVISEMPTY( &mechanism ) )
{
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_OCTETSTRING ) {
ber_scanf( ber, "m", &cred );
}
tag = ber_scanf( ber, /*{*/ "}" );
break;
default:
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
if ( !BER_BVISNULL( &cookie ) ) {
vc_conn_t tmp = { 0 };
AC_MEMCPY( (char *)&tmp.conn, (const char *)cookie.bv_val, cookie.bv_len );
ldap_pvt_thread_mutex_lock( &vc_mutex );
conn = (vc_conn_t *)avl_find( vc_tree, (caddr_t)&tmp, vc_conn_cmp );
if ( conn == NULL || ( conn != NULL && conn->refcnt != 0 ) ) {
conn = NULL;
ldap_pvt_thread_mutex_unlock( &vc_mutex );
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
conn->refcnt++;
ldap_pvt_thread_mutex_unlock( &vc_mutex );
} else {
void *thrctx;
conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
conn->refcnt = 1;
thrctx = ldap_pvt_thread_pool_context();
connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 0 );
conn->op = &conn->opbuf.ob_op;
snprintf( conn->op->o_log_prefix, sizeof( conn->op->o_log_prefix ),
"%s VERIFYCREDENTIALS", op->o_log_prefix );
}
conn->op->o_tag = LDAP_REQ_BIND;
memset( &conn->op->oq_bind, 0, sizeof( conn->op->oq_bind ) );
conn->op->o_req_dn = ndn;
conn->op->o_req_ndn = ndn;
conn->op->o_protocol = LDAP_VERSION3;
conn->op->orb_method = authtag;
conn->op->o_callback = ≻
/* TODO: controls */
tag = ber_peek_tag( ber, &len );
if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS ) {
conn->op->o_ber = ber;
rc = get_ctrls2( conn->op, &rs2, 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
}
tag = ber_skip_tag( ber, &len );
if ( len || tag != LBER_DEFAULT ) {
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
switch ( authtag ) {
case LDAP_AUTH_SIMPLE:
break;
case LDAP_AUTH_SASL:
conn->op->orb_mech = mechanism;
break;
}
conn->op->orb_cred = cred;
sc.sc_response = vc_cb;
sc.sc_private = &vc;
conn->op->o_bd = frontendDB;
rs->sr_err = frontendDB->be_bind( conn->op, &rs2 );
if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
rc = vc_create_response( conn, rs2.sr_err, rs2.sr_text,
!BER_BVISEMPTY( &vc.sasldata ) ? &vc.sasldata : NULL,
NULL,
vc.ctrls, &rs->sr_rspdata );
} else {
rc = vc_create_response( NULL, rs2.sr_err, rs2.sr_text,
NULL,
&conn->op->o_conn->c_dn,
vc.ctrls, &rs->sr_rspdata );
}
if ( rc != 0 ) {
rs->sr_err = LDAP_OTHER;
goto done;
}
if ( !BER_BVISNULL( &conn->op->o_conn->c_dn ) &&
conn->op->o_conn->c_dn.bv_val != conn->op->o_conn->c_ndn.bv_val )
ber_memfree( conn->op->o_conn->c_dn.bv_val );
if ( !BER_BVISNULL( &conn->op->o_conn->c_ndn ) )
ber_memfree( conn->op->o_conn->c_ndn.bv_val );
done:;
if ( conn ) {
if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
if ( conn->conn == NULL ) {
conn->conn = conn;
conn->refcnt--;
ldap_pvt_thread_mutex_lock( &vc_mutex );
rc = avl_insert( &vc_tree, (caddr_t)conn,
vc_conn_cmp, vc_conn_dup );
ldap_pvt_thread_mutex_unlock( &vc_mutex );
assert( rc == 0 );
} else {
ldap_pvt_thread_mutex_lock( &vc_mutex );
conn->refcnt--;
ldap_pvt_thread_mutex_unlock( &vc_mutex );
}
} else {
if ( conn->conn != NULL ) {
vc_conn_t *tmp;
ldap_pvt_thread_mutex_lock( &vc_mutex );
tmp = avl_delete( &vc_tree, (caddr_t)conn, vc_conn_cmp );
ldap_pvt_thread_mutex_unlock( &vc_mutex );
}
SLAP_FREE( conn );
}
}
if ( vc.ctrls ) {
ldap_controls_free( vc.ctrls );
vc.ctrls = NULL;
}
if ( !BER_BVISNULL( &ndn ) ) {
op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
BER_BVZERO( &ndn );
}
op->o_tmpfree( reqdata.bv_val, op->o_tmpmemctx );
BER_BVZERO( &reqdata );
return rs->sr_err;
}
/* NOTE: The DN in *id is NOT NUL-terminated here. dnNormalize will
* reject it in this condition, the caller must NUL-terminate it.
* FIXME: should dnNormalize still be complaining about that?
*/
int slap_passwd_parse( struct berval *reqdata,
struct berval *id,
struct berval *oldpass,
struct berval *newpass,
const char **text )
{
int rc = LDAP_SUCCESS;
ber_tag_t tag;
ber_len_t len = -1;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
if( reqdata == NULL ) {
return LDAP_SUCCESS;
}
if( reqdata->bv_len == 0 ) {
*text = "empty request data field";
return LDAP_PROTOCOL_ERROR;
}
/* ber_init2 uses reqdata directly, doesn't allocate new buffers */
ber_init2( ber, reqdata, 0 );
tag = ber_skip_tag( ber, &len );
if( tag != LBER_SEQUENCE ) {
Debug( LDAP_DEBUG_TRACE,
"slap_passwd_parse: decoding error\n", 0, 0, 0 );
rc = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_peek_tag( ber, &len );
if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_ID ) {
if( id == NULL ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID not allowed.\n",
0, 0, 0 );
*text = "user must change own password";
rc = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
tag = ber_get_stringbv( ber, id, LBER_BV_NOTERM );
if( tag == LBER_ERROR ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: ID parse failed.\n",
0, 0, 0 );
goto decoding_error;
}
tag = ber_peek_tag( ber, &len );
}
if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ) {
if( oldpass == NULL ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD not allowed.\n",
0, 0, 0 );
*text = "use bind to verify old password";
rc = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
tag = ber_get_stringbv( ber, oldpass, LBER_BV_NOTERM );
if( tag == LBER_ERROR ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD parse failed.\n",
0, 0, 0 );
goto decoding_error;
}
if( oldpass->bv_len == 0 ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: OLD empty.\n",
0, 0, 0 );
*text = "old password value is empty";
rc = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
tag = ber_peek_tag( ber, &len );
}
if( tag == LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ) {
if( newpass == NULL ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW not allowed.\n",
0, 0, 0 );
*text = "user specified passwords disallowed";
rc = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
tag = ber_get_stringbv( ber, newpass, LBER_BV_NOTERM );
if( tag == LBER_ERROR ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW parse failed.\n",
0, 0, 0 );
goto decoding_error;
}
if( newpass->bv_len == 0 ) {
Debug( LDAP_DEBUG_TRACE, "slap_passwd_parse: NEW empty.\n",
0, 0, 0 );
*text = "new password value is empty";
rc = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
tag = ber_peek_tag( ber, &len );
}
if( len != 0 ) {
decoding_error:
Debug( LDAP_DEBUG_TRACE,
"slap_passwd_parse: decoding error, len=%ld\n",
(long) len, 0, 0 );
*text = "data decoding error";
rc = LDAP_PROTOCOL_ERROR;
}
done:
return rc;
}
int
get_filter(
Operation *op,
BerElement *ber,
Filter **filt,
const char **text )
{
ber_tag_t tag;
ber_len_t len;
int err;
Filter f;
Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
/*
* A filter looks like this coming in:
* Filter ::= CHOICE {
* and [0] SET OF Filter,
* or [1] SET OF Filter,
* not [2] Filter,
* equalityMatch [3] AttributeValueAssertion,
* substrings [4] SubstringFilter,
* greaterOrEqual [5] AttributeValueAssertion,
* lessOrEqual [6] AttributeValueAssertion,
* present [7] AttributeType,
* approxMatch [8] AttributeValueAssertion,
* extensibleMatch [9] MatchingRuleAssertion
* }
*
* SubstringFilter ::= SEQUENCE {
* type AttributeType,
* SEQUENCE OF CHOICE {
* initial [0] IA5String,
* any [1] IA5String,
* final [2] IA5String
* }
* }
*
* MatchingRuleAssertion ::= SEQUENCE {
* matchingRule [1] MatchingRuleId OPTIONAL,
* type [2] AttributeDescription OPTIONAL,
* matchValue [3] AssertionValue,
* dnAttributes [4] BOOLEAN DEFAULT FALSE
* }
*
*/
tag = ber_peek_tag( ber, &len );
if( tag == LBER_ERROR ) {
*text = "error decoding filter";
return SLAPD_DISCONNECT;
}
err = LDAP_SUCCESS;
f.f_next = NULL;
f.f_choice = tag;
switch ( f.f_choice ) {
case LDAP_FILTER_EQUALITY:
Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_EQUALITY, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_SUBSTRINGS:
Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
err = get_ssa( op, ber, &f, text );
if( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_sub != NULL );
break;
case LDAP_FILTER_GE:
Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_LE:
Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_PRESENT: {
struct berval type;
Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
err = SLAPD_DISCONNECT;
*text = "error decoding filter";
break;
}
f.f_desc = NULL;
err = slap_bv2ad( &type, &f.f_desc, text );
if( err != LDAP_SUCCESS ) {
f.f_choice |= SLAPD_FILTER_UNDEFINED;
err = slap_bv2undef_ad( &type, &f.f_desc, text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
if ( err != LDAP_SUCCESS ) {
/* unrecognized attribute description or other error */
Debug( LDAP_DEBUG_ANY,
"get_filter: conn %lu unknown attribute "
"type=%s (%d)\n",
op->o_connid, type.bv_val, err );
err = LDAP_SUCCESS;
f.f_desc = slap_bv2tmp_ad( &type, op->o_tmpmemctx );
}
*text = NULL;
}
assert( f.f_desc != NULL );
} break;
case LDAP_FILTER_APPROX:
Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_EQUALITY_APPROX, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_AND:
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
err = get_filter_list( op, ber, &f.f_and, text );
if ( err != LDAP_SUCCESS ) {
break;
}
if ( f.f_and == NULL ) {
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = LDAP_COMPARE_TRUE;
}
/* no assert - list could be empty */
break;
case LDAP_FILTER_OR:
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
err = get_filter_list( op, ber, &f.f_or, text );
if ( err != LDAP_SUCCESS ) {
break;
}
if ( f.f_or == NULL ) {
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = LDAP_COMPARE_FALSE;
}
/* no assert - list could be empty */
break;
case LDAP_FILTER_NOT:
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
err = get_filter( op, ber, &f.f_not, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_not != NULL );
if ( f.f_not->f_choice == SLAPD_FILTER_COMPUTED ) {
int fresult = f.f_not->f_result;
f.f_choice = SLAPD_FILTER_COMPUTED;
op->o_tmpfree( f.f_not, op->o_tmpmemctx );
f.f_not = NULL;
switch( fresult ) {
case LDAP_COMPARE_TRUE:
f.f_result = LDAP_COMPARE_FALSE;
break;
case LDAP_COMPARE_FALSE:
f.f_result = LDAP_COMPARE_TRUE;
break;
default: ;
/* (!Undefined) is Undefined */
}
}
break;
case LDAP_FILTER_EXT:
Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
err = get_mra( op, ber, &f, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_mra != NULL );
break;
default:
(void) ber_scanf( ber, "x" ); /* skip the element */
Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
f.f_choice, 0, 0 );
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = SLAPD_COMPARE_UNDEFINED;
break;
}
if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
/* ignore error */
*text = NULL;
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = SLAPD_COMPARE_UNDEFINED;
err = LDAP_SUCCESS;
}
if ( err == LDAP_SUCCESS ) {
*filt = op->o_tmpalloc( sizeof(f), op->o_tmpmemctx );
**filt = f;
}
Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
return( err );
}
int
ldap_parse_session_tracking_control(
LDAP *ld,
LDAPControl *ctrl,
struct berval *ip,
struct berval *name,
struct berval *oid,
struct berval *id )
{
BerElement *ber;
ber_tag_t tag;
ber_len_t len;
if ( ld == NULL ||
ctrl == NULL ||
ip == NULL ||
name == NULL ||
oid == NULL ||
id == NULL )
{
if ( ld ) {
ld->ld_errno = LDAP_PARAM_ERROR;
}
/* NOTE: we want the caller to get all or nothing;
* we could allow some of the pointers to be NULL,
* if one does not want part of the data */
return LDAP_PARAM_ERROR;
}
BER_BVZERO( ip );
BER_BVZERO( name );
BER_BVZERO( oid );
BER_BVZERO( id );
ber = ber_init( &ctrl->ldctl_value );
if ( ber == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
return ld->ld_errno;
}
tag = ber_skip_tag( ber, &len );
if ( tag != LBER_SEQUENCE ) {
tag = LBER_ERROR;
goto error;
}
/* sessionSourceIp */
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_DEFAULT ) {
tag = LBER_ERROR;
goto error;
}
if ( len == 0 ) {
tag = ber_skip_tag( ber, &len );
} else {
if ( len > 128 ) {
/* should be LDAP_DECODING_ERROR,
* but we're liberal in what we accept */
}
tag = ber_scanf( ber, "o", ip );
}
/* sessionSourceName */
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_DEFAULT ) {
tag = LBER_ERROR;
goto error;
}
if ( len == 0 ) {
tag = ber_skip_tag( ber, &len );
} else {
if ( len > 65536 ) {
/* should be LDAP_DECODING_ERROR,
* but we're liberal in what we accept */
}
tag = ber_scanf( ber, "o", name );
}
/* formatOID */
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_DEFAULT ) {
tag = LBER_ERROR;
goto error;
}
if ( len == 0 ) {
ld->ld_errno = LDAP_DECODING_ERROR;
goto error;
} else {
if ( len > 1024 ) {
/* should be LDAP_DECODING_ERROR,
* but we're liberal in what we accept */
}
tag = ber_scanf( ber, "o", oid );
}
/* FIXME: should check if it is an OID... leave it to the caller */
/* sessionTrackingIdentifier */
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_DEFAULT ) {
tag = LBER_ERROR;
goto error;
}
if ( len == 0 ) {
tag = ber_skip_tag( ber, &len );
} else {
#if 0
if ( len > 65536 ) {
/* should be LDAP_DECODING_ERROR,
* but we're liberal in what we accept */
}
#endif
tag = ber_scanf( ber, "o", id );
}
/* closure */
tag = ber_skip_tag( ber, &len );
if ( tag == LBER_DEFAULT && len == 0 ) {
tag = 0;
}
error:;
(void)ber_free( ber, 1 );
if ( tag == LBER_ERROR ) {
return LDAP_DECODING_ERROR;
}
return ld->ld_errno;
}
int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
int *numk, krb5_key_data **data)
{
krb5_key_data *keys = NULL;
BerElement *be = NULL;
void *tmp;
int i = 0;
ber_tag_t tag;
ber_int_t major_vno;
ber_int_t minor_vno;
ber_int_t kvno;
ber_int_t mkvno;
ber_int_t type;
ber_tag_t seqtag;
ber_len_t seqlen;
ber_len_t setlen;
ber_tag_t retag;
ber_tag_t opttag;
struct berval tval;
int ret;
be = ber_alloc_t(LBER_USE_DER);
if (!be) {
return ENOMEM;
}
/* reinit the ber element with the new val */
ber_init2(be, encoded, LBER_USE_DER);
/* fill key_data struct with the data */
retag = ber_scanf(be, "{t[i]t[i]t[i]t[i]t[{",
&tag, &major_vno,
&tag, &minor_vno,
&tag, &kvno,
&tag, &mkvno,
&seqtag);
if (retag == LBER_ERROR ||
major_vno != 1 ||
minor_vno != 1 ||
seqtag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 4)) {
ret = EINVAL;
goto done;
}
retag = ber_skip_tag(be, &seqlen);
/* sequence of keys */
for (i = 0; retag == LBER_SEQUENCE; i++) {
tmp = realloc(keys, (i + 1) * sizeof(krb5_key_data));
if (!tmp) {
ret = ENOMEM;
goto done;
}
keys = tmp;
memset(&keys[i], 0, sizeof(krb5_key_data));
keys[i].key_data_kvno = kvno;
/* do we have a salt type ? (optional) */
retag = ber_scanf(be, "t", &opttag);
if (retag == LBER_ERROR) {
ret = EINVAL;
goto done;
}
if (opttag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
keys[i].key_data_ver = 2;
retag = ber_scanf(be, "[l{tl[i]",
&seqlen, &tag, &setlen, &type);
if (tag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0)) {
ret = EINVAL;
goto done;
}
keys[i].key_data_type[1] = type;
/* do we have salt data ? (optional) */
if (seqlen > setlen + 2) {
retag = ber_scanf(be, "t[o]", &tag, &tval);
if (retag == LBER_ERROR ||
tag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1)) {
ret = EINVAL;
goto done;
}
keys[i].key_data_length[1] = tval.bv_len;
keys[i].key_data_contents[1] = (krb5_octet *)tval.bv_val;
}
retag = ber_scanf(be, "}]t", &opttag);
if (retag == LBER_ERROR) {
ret = EINVAL;
goto done;
}
} else {
keys[i].key_data_ver = 1;
}
if (opttag != (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1)) {
ret = EINVAL;
goto done;
}
/* get the key */
retag = ber_scanf(be, "[{t[i]t[o]}]", &tag, &type, &tag, &tval);
if (retag == LBER_ERROR) {
ret = EINVAL;
goto done;
}
keys[i].key_data_type[0] = type;
keys[i].key_data_length[0] = tval.bv_len;
keys[i].key_data_contents[0] = (krb5_octet *)tval.bv_val;
/* check for sk2params */
retag = ber_peek_tag(be, &setlen);
if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
/* not supported yet, skip */
retag = ber_scanf(be, "t[x]}");
} else {
retag = ber_scanf(be, "}");
}
if (retag == LBER_ERROR) {
ret = EINVAL;
goto done;
}
retag = ber_skip_tag(be, &seqlen);
}
ret = 0;
done:
ber_free(be, 0); /* internal buffer is 'encoded' */
if (ret) {
for (i -= 1; keys && i >= 0; i--) {
free(keys[i].key_data_contents[0]);
free(keys[i].key_data_contents[1]);
}
free(keys);
keys = NULL;
mkvno = 0;
}
*m_kvno = mkvno;
*numk = i;
*data = keys;
return ret;
}
int Ldap_get_filter(BerElement *ber, char *text)
{
ber_tag_t tag;
ber_len_t len;
struct berval type, value;
int err;
Filter f;
char textbuf[128];
/*
* A filter looks like this coming in:
* Filter ::= CHOICE {
* and [0] SET OF Filter,
* or [1] SET OF Filter,
* not [2] Filter,
* equalityMatch [3] AttributeValueAssertion,
* substrings [4] SubstringFilter,
* greaterOrEqual [5] AttributeValueAssertion,
* lessOrEqual [6] AttributeValueAssertion,
* present [7] AttributeType,
* approxMatch [8] AttributeValueAssertion,
* extensibleMatch [9] MatchingRuleAssertion
* }
*
* SubstringFilter ::= SEQUENCE {
* type AttributeType,
* SEQUENCE OF CHOICE {
* initial [0] IA5String,
* any [1] IA5String,
* final [2] IA5String
* }
* }
*
* MatchingRuleAssertion ::= SEQUENCE {
* matchingRule [1] MatchingRuleId OPTIONAL,
* type [2] AttributeDescription OPTIONAL,
* matchValue [3] AssertionValue,
* dnAttributes [4] BOOLEAN DEFAULT FALSE
* }
*
*/
tag = ber_peek_tag( ber, &len );
if( tag == LBER_ERROR ) {
printf("Debug: PeeK tag error in filter\n");
return LBER_ERROR;
}
//printf("| - Filter tag:%d\n", tag);
f.f_next = NULL;
f.f_choice = tag;
switch ( f.f_choice ) {
case LDAP_FILTER_EQUALITY:
//printf("Debug: Case of EQUALITY\n");
err = Ldap_get_ava(ber, &type, &value );
if ( err != LDAP_SUCCESS ) {
break;
}
//printf( "|-Filter:choice:%d type:%s, vlaue:%s\n", tag, type.bv_val, value.bv_val);
//printf( "|-Filter:(%s=%s)\n", type.bv_val, value.bv_val);
sprintf(textbuf, "(%s=%s)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
case LDAP_FILTER_PRESENT: {
//printf("Debug:Case of Present\n");
if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
printf("filter Decode Present error\n");
break;
}
sprintf(textbuf, "(%s=*)", type.bv_val);
strcat(text, textbuf);
//printf( "|-Filter:(%s=*)\n",type.bv_val);
break;
}
case LDAP_FILTER_OR:
//printf("Debug:Case of OR\n\n");
strcat(text, "(|");
err = Ldap_get_filter_list(ber, text);
if ( err != LDAP_SUCCESS ) {
printf("| OR error!\n");
break;
}
strcat(text,")");
/* no assert - list could be empty */
break;
case LDAP_FILTER_AND:
strcat(text, "(&");
err = Ldap_get_filter_list( ber, text );
if ( err != LDAP_SUCCESS ) {
printf("| AND error!\n");
break;
}
strcat(text,")");
/* no assert - list could be empty */
break;
case LDAP_FILTER_GE:
err = Ldap_get_ava(ber, &type, &value );
if ( err != LDAP_SUCCESS ) {
break;
}
sprintf(textbuf, "(%s>=%s)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
case LDAP_FILTER_LE:
err = Ldap_get_ava(ber, &type, &value );
if ( err != LDAP_SUCCESS ) {
break;
}
sprintf(textbuf, "(%s<=%s)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
case LDAP_FILTER_SUBSTRINGS:
err = Ldap_get_ssa( ber, &type, &value );
if( err==LBER_ERROR ) {
printf("Debug: SUBSTRING Decode Error, err=%X\n", err);
break;
}
switch(err){
case LDAP_SUBSTRING_INITIAL:
sprintf(textbuf, "(%s=%s*)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
case LDAP_SUBSTRING_ANY:
sprintf(textbuf, "(%s=*%s*)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
case LDAP_SUBSTRING_FINAL:
sprintf(textbuf, "(%s=*%s)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
default:printf("|-SUBSTRING ERROR, ERR:%X\n", err);
}
break;
case LDAP_FILTER_NOT:
(void) ber_skip_tag( ber, &len );
strcat(text, "(!");
err = Ldap_get_filter( ber, text );
if ( err != LDAP_SUCCESS ) {
break;
}
strcat(text, ")");
break;
case LDAP_FILTER_APPROX:
err = Ldap_get_ava(ber, &type, &value );
if ( err != LDAP_SUCCESS ) {
break;
}
sprintf(textbuf, "(%s~=%s)", type.bv_val, value.bv_val);
strcat(text, textbuf);
break;
default:
printf("| - Filter tag:%x\n", tag);
break;
}
return (LDAP_SUCCESS);
}
/* Convert a structured DN from an X.509 certificate into an LDAPV3 DN.
* x509_name must be raw DER. If func is non-NULL, the
* constructed DN will use numeric OIDs to identify attributeTypes,
* and the func() will be invoked to rewrite the DN with the given
* flags.
*
* Otherwise the DN will use shortNames from a hardcoded table.
*/
int
ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
unsigned flags )
{
LDAPDN newDN;
LDAPRDN newRDN;
LDAPAVA *newAVA, *baseAVA;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
char oids[8192], *oidptr = oids, *oidbuf = NULL;
void *ptrs[2048];
char *dn_end, *rdn_end;
int i, navas, nrdns, rc = LDAP_SUCCESS;
size_t dnsize, oidrem = sizeof(oids), oidsize = 0;
int csize;
ber_tag_t tag;
ber_len_t len;
oid_name *oidname;
struct berval Oid, Val, oid2, *in = x509_name;
assert( bv != NULL );
bv->bv_len = 0;
bv->bv_val = NULL;
navas = 0;
nrdns = 0;
/* A DN is a SEQUENCE of RDNs. An RDN is a SET of AVAs.
* An AVA is a SEQUENCE of attr and value.
* Count the number of AVAs and RDNs
*/
ber_init2( ber, in, LBER_USE_DER );
tag = ber_peek_tag( ber, &len );
if ( tag != LBER_SEQUENCE )
return LDAP_DECODING_ERROR;
for ( tag = ber_first_element( ber, &len, &dn_end );
tag == LBER_SET;
tag = ber_next_element( ber, &len, dn_end )) {
nrdns++;
for ( tag = ber_first_element( ber, &len, &rdn_end );
tag == LBER_SEQUENCE;
tag = ber_next_element( ber, &len, rdn_end )) {
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
navas++;
}
}
/* Allocate the DN/RDN/AVA stuff as a single block */
dnsize = sizeof(LDAPRDN) * (nrdns+1);
dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
dnsize += sizeof(LDAPAVA) * navas;
if (dnsize > sizeof(ptrs)) {
newDN = (LDAPDN)LDAP_MALLOC( dnsize );
if ( newDN == NULL )
return LDAP_NO_MEMORY;
} else {
newDN = (LDAPDN)(char *)ptrs;
}
newDN[nrdns] = NULL;
newRDN = (LDAPRDN)(newDN + nrdns+1);
newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
baseAVA = newAVA;
/* Rewind and start extracting */
ber_rewind( ber );
tag = ber_first_element( ber, &len, &dn_end );
for ( i = nrdns - 1; i >= 0; i-- ) {
newDN[i] = newRDN;
for ( tag = ber_first_element( ber, &len, &rdn_end );
tag == LBER_SEQUENCE;
tag = ber_next_element( ber, &len, rdn_end )) {
*newRDN++ = newAVA;
tag = ber_skip_tag( ber, &len );
tag = ber_get_stringbv( ber, &Oid, LBER_BV_NOTERM );
if ( tag != LBER_TAG_OID ) {
rc = LDAP_DECODING_ERROR;
goto nomem;
}
oid2.bv_val = oidptr;
oid2.bv_len = oidrem;
if ( ber_decode_oid( &Oid, &oid2 ) < 0 ) {
rc = LDAP_DECODING_ERROR;
goto nomem;
}
oidname = find_oid( &oid2 );
if ( !oidname ) {
newAVA->la_attr = oid2;
oidptr += oid2.bv_len + 1;
oidrem -= oid2.bv_len + 1;
/* Running out of OID buffer space? */
if (oidrem < 128) {
if ( oidsize == 0 ) {
oidsize = sizeof(oids) * 2;
oidrem = oidsize;
oidbuf = LDAP_MALLOC( oidsize );
if ( oidbuf == NULL ) goto nomem;
oidptr = oidbuf;
} else {
char *old = oidbuf;
oidbuf = LDAP_REALLOC( oidbuf, oidsize*2 );
if ( oidbuf == NULL ) goto nomem;
/* Buffer moved! Fix AVA pointers */
if ( old != oidbuf ) {
LDAPAVA *a;
long dif = oidbuf - old;
for (a=baseAVA; a<=newAVA; a++){
if (a->la_attr.bv_val >= old &&
a->la_attr.bv_val <= (old + oidsize))
a->la_attr.bv_val += dif;
}
}
oidptr = oidbuf + oidsize - oidrem;
oidrem += oidsize;
oidsize *= 2;
}
}
} else {
if ( func ) {
newAVA->la_attr = oidname->oid;
} else {
newAVA->la_attr = oidname->name;
}
}
newAVA->la_private = NULL;
newAVA->la_flags = LDAP_AVA_STRING;
tag = ber_get_stringbv( ber, &Val, LBER_BV_NOTERM );
switch(tag) {
case LBER_TAG_UNIVERSAL:
/* This uses 32-bit ISO 10646-1 */
csize = 4; goto to_utf8;
case LBER_TAG_BMP:
/* This uses 16-bit ISO 10646-1 */
csize = 2; goto to_utf8;
case LBER_TAG_TELETEX:
/* This uses 8-bit, assume ISO 8859-1 */
csize = 1;
to_utf8: rc = ldap_ucs_to_utf8s( &Val, csize, &newAVA->la_value );
newAVA->la_flags |= LDAP_AVA_NONPRINTABLE;
allocd:
newAVA->la_flags |= LDAP_AVA_FREE_VALUE;
if (rc != LDAP_SUCCESS) goto nomem;
break;
case LBER_TAG_UTF8:
newAVA->la_flags |= LDAP_AVA_NONPRINTABLE;
/* This is already in UTF-8 encoding */
case LBER_TAG_IA5:
case LBER_TAG_PRINTABLE:
/* These are always 7-bit strings */
newAVA->la_value = Val;
break;
case LBER_BITSTRING:
/* X.690 bitString value converted to RFC4517 Bit String */
rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
goto allocd;
default:
/* Not a string type at all */
newAVA->la_flags = 0;
newAVA->la_value = Val;
break;
}
newAVA++;
}
*newRDN++ = NULL;
tag = ber_next_element( ber, &len, dn_end );
}
if ( func ) {
rc = func( newDN, flags, NULL );
if ( rc != LDAP_SUCCESS )
goto nomem;
}
rc = ldap_dn2bv_x( newDN, bv, LDAP_DN_FORMAT_LDAPV3, NULL );
nomem:
for (;baseAVA < newAVA; baseAVA++) {
if (baseAVA->la_flags & LDAP_AVA_FREE_ATTR)
LDAP_FREE( baseAVA->la_attr.bv_val );
if (baseAVA->la_flags & LDAP_AVA_FREE_VALUE)
LDAP_FREE( baseAVA->la_value.bv_val );
}
if ( oidsize != 0 )
LDAP_FREE( oidbuf );
if ( newDN != (LDAPDN)(char *) ptrs )
LDAP_FREE( newDN );
return rc;
}
static int
dupent_parseCtrl (
Operation *op,
SlapReply *rs,
LDAPControl *ctrl )
{
ber_tag_t tag;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_len_t len;
BerVarray AttributeDescriptionList = NULL;
ber_len_t cnt = sizeof(struct berval);
ber_len_t off = 0;
ber_int_t PartialApplicationAllowed = 1;
dupent_t *ds = NULL;
int i;
if ( op->o_dupent != SLAP_CONTROL_NONE ) {
rs->sr_text = "Dupent control specified multiple times";
return LDAP_PROTOCOL_ERROR;
}
if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {
rs->sr_text = "Dupent control value is absent";
return LDAP_PROTOCOL_ERROR;
}
if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {
rs->sr_text = "Dupent control value is empty";
return LDAP_PROTOCOL_ERROR;
}
ber_init2( ber, &ctrl->ldctl_value, 0 );
/*
DuplicateEntryRequest ::= SEQUENCE {
AttributeDescriptionList, -- from [RFC2251]
PartialApplicationAllowed BOOLEAN DEFAULT TRUE }
AttributeDescriptionList ::= SEQUENCE OF
AttributeDescription
AttributeDescription ::= LDAPString
attributeDescription = AttributeType [ ";" <options> ]
*/
tag = ber_skip_tag( ber, &len );
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
if ( ber_scanf( ber, "{M}", &AttributeDescriptionList, &cnt, off )
== LBER_ERROR )
{
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_skip_tag( ber, &len );
if ( tag == LBER_BOOLEAN ) {
/* NOTE: PartialApplicationAllowed is ignored, since the control
* can always be honored
*/
if ( ber_scanf( ber, "b", &PartialApplicationAllowed ) == LBER_ERROR )
{
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
tag = ber_skip_tag( ber, &len );
}
if ( len || tag != LBER_DEFAULT ) {
rs->sr_text = "Dupent control: dupentSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
ds = (dupent_t *)op->o_tmpcalloc( 1,
sizeof(dupent_t) + sizeof(AttributeName)*cnt,
op->o_tmpmemctx );
ds->ds_paa = PartialApplicationAllowed;
if ( cnt == 0 ) {
ds->ds_flags |= SLAP_USERATTRS_YES;
} else {
int c;
ds->ds_an = (AttributeName *)&ds[ 1 ];
for ( i = 0, c = 0; i < cnt; i++ ) {
const char *text;
int j;
int rc;
AttributeDescription *ad = NULL;
if ( bvmatch( &AttributeDescriptionList[i],
slap_bv_all_user_attrs ) )
{
if ( ds->ds_flags & SLAP_USERATTRS_YES ) {
rs->sr_text = "Dupent control: AttributeDescription decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
ds->ds_flags |= SLAP_USERATTRS_YES;
continue;
}
rc = slap_bv2ad( &AttributeDescriptionList[i], &ad, &text );
if ( rc != LDAP_SUCCESS ) {
continue;
}
ds->ds_an[c].an_desc = ad;
ds->ds_an[c].an_name = ad->ad_cname;
/* FIXME: not specified; consider this an error, just in case */
for ( j = 0; j < c; j++ ) {
if ( ds->ds_an[c].an_desc == ds->ds_an[j].an_desc ) {
rs->sr_text = "Dupent control: AttributeDescription must be unique within AttributeDescriptionList";
rs->sr_err = LDAP_PROTOCOL_ERROR;
goto done;
}
}
c++;
}
ds->ds_nattrs = c;
if ( ds->ds_flags & SLAP_USERATTRS_YES ) {
/* purge user attrs */
for ( i = 0; i < ds->ds_nattrs; ) {
if ( is_at_operational( ds->ds_an[i].an_desc->ad_type ) ) {
i++;
continue;
}
ds->ds_nattrs--;
if ( i < ds->ds_nattrs ) {
ds->ds_an[i] = ds->ds_an[ds->ds_nattrs];
}
}
}
}
op->o_ctrldupent = (void *)ds;
op->o_dupent = ctrl->ldctl_iscritical
? SLAP_CONTROL_CRITICAL
: SLAP_CONTROL_NONCRITICAL;
rs->sr_err = LDAP_SUCCESS;
done:;
if ( rs->sr_err != LDAP_SUCCESS ) {
op->o_tmpfree( ds, op->o_tmpmemctx );
}
if ( AttributeDescriptionList != NULL ) {
ber_memfree_x( AttributeDescriptionList, op->o_tmpmemctx );
}
return rs->sr_err;
}
static ber_tag_t
try_read1msg(
LDAP *ld,
ber_int_t msgid,
int all,
LDAPConn **lcp,
LDAPMessage **result )
{
BerElement *ber;
LDAPMessage *newmsg, *l, *prev;
ber_int_t id;
int idx;
ber_tag_t tag;
ber_len_t len;
int foundit = 0;
LDAPRequest *lr, *tmplr, dummy_lr = { 0 };
LDAPConn *lc;
BerElement tmpber;
int rc, refer_cnt, hadref, simple_request;
ber_int_t lderr;
#ifdef LDAP_CONNECTIONLESS
LDAPMessage *tmp = NULL, *chain_head = NULL;
int moremsgs = 0, isv2 = 0;
#endif
assert( ld != NULL );
assert( lcp != NULL );
assert( *lcp != NULL );
#ifdef LDAP_R_COMPILE
LDAP_PVT_THREAD_ASSERT_MUTEX_OWNER( &ld->ld_res_mutex );
#endif
Debug( LDAP_DEBUG_TRACE, "read1msg: ld %p msgid %d all %d\n",
(void *)ld, msgid, all );
lc = *lcp;
retry:
if ( lc->lconn_ber == NULL ) {
lc->lconn_ber = ldap_alloc_ber_with_options( ld );
if ( lc->lconn_ber == NULL ) {
return -1;
}
}
ber = lc->lconn_ber;
assert( LBER_VALID (ber) );
/* get the next message */
sock_errset(0);
#ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP(ld) ) {
struct sockaddr from;
ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr) );
if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
}
nextresp3:
#endif
tag = ber_get_next( lc->lconn_sb, &len, ber );
switch ( tag ) {
case LDAP_TAG_MESSAGE:
/*
* We read a complete message.
* The connection should no longer need this ber.
*/
lc->lconn_ber = NULL;
break;
case LBER_DEFAULT:
#ifdef LDAP_DEBUG
Debug( LDAP_DEBUG_CONNS,
"ber_get_next failed.\n", 0, 0, 0 );
#endif
#ifdef EWOULDBLOCK
if ( sock_errno() == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
#endif
#ifdef EAGAIN
if ( sock_errno() == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
#endif
ld->ld_errno = LDAP_SERVER_DOWN;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
#endif
ldap_free_connection( ld, lc, 1, 0 );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
#endif
lc = *lcp = NULL;
return -1;
default:
ld->ld_errno = LDAP_LOCAL_ERROR;
return -1;
}
/* message id */
if ( ber_get_int( ber, &id ) == LBER_ERROR ) {
ber_free( ber, 1 );
ld->ld_errno = LDAP_DECODING_ERROR;
return( -1 );
}
/* id == 0 iff unsolicited notification message (RFC 4511) */
/* if it's been abandoned, toss it */
if ( id > 0 ) {
if ( ldap_abandoned( ld, id, &idx ) ) {
/* the message type */
tag = ber_peek_tag( ber, &len );
switch ( tag ) {
case LDAP_RES_SEARCH_ENTRY:
case LDAP_RES_SEARCH_REFERENCE:
case LDAP_RES_INTERMEDIATE:
case LBER_ERROR:
break;
default:
/* there's no need to keep the id
* in the abandoned list any longer */
ldap_mark_abandoned( ld, id, idx );
break;
}
Debug( LDAP_DEBUG_ANY,
"abandoned/discarded ld %p msgid %ld message type %s\n",
(void *)ld, (long)id, ldap_int_msgtype2str( tag ) );
retry_ber:
ber_free( ber, 1 );
if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) {
goto retry;
}
return( LDAP_MSG_X_KEEP_LOOKING ); /* continue looking */
}
lr = ldap_find_request_by_msgid( ld, id );
if ( lr == NULL ) {
const char *msg = "unknown";
/* the message type */
tag = ber_peek_tag( ber, &len );
switch ( tag ) {
case LBER_ERROR:
break;
default:
msg = ldap_int_msgtype2str( tag );
break;
}
Debug( LDAP_DEBUG_ANY,
"no request for response on ld %p msgid %ld message type %s (tossing)\n",
(void *)ld, (long)id, msg );
goto retry_ber;
}
#ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP(ld) && isv2 ) {
ber_scanf(ber, "x{");
}
nextresp2:
#endif
}
/* the message type */
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( -1 );
}
Debug( LDAP_DEBUG_TRACE,
"read1msg: ld %p msgid %ld message type %s\n",
(void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );
if ( id == 0 ) {
/* unsolicited notification message (RFC 4511) */
if ( tag != LDAP_RES_EXTENDED ) {
/* toss it */
goto retry_ber;
/* strictly speaking, it's an error; from RFC 4511:
4.4. Unsolicited Notification
An unsolicited notification is an LDAPMessage sent from the server to
the client that is not in response to any LDAPMessage received by the
server. It is used to signal an extraordinary condition in the
server or in the LDAP session between the client and the server. The
notification is of an advisory nature, and the server will not expect
any response to be returned from the client.
The unsolicited notification is structured as an LDAPMessage in which
the messageID is zero and protocolOp is set to the extendedResp
choice using the ExtendedResponse type (See Section 4.12). The
responseName field of the ExtendedResponse always contains an LDAPOID
that is unique for this notification.
* however, since unsolicited responses
* are of advisory nature, better
* toss it, right now
*/
#if 0
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( -1 );
#endif
}
lr = &dummy_lr;
}
id = lr->lr_origid;
refer_cnt = 0;
hadref = simple_request = 0;
rc = LDAP_MSG_X_KEEP_LOOKING; /* default is to keep looking (no response found) */
lr->lr_res_msgtype = tag;
/*
* Check for V3 search reference
*/
if ( tag == LDAP_RES_SEARCH_REFERENCE ) {
if ( ld->ld_version > LDAP_VERSION2 ) {
/* This is a V3 search reference */
if ( LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_REFERRALS) ||
lr->lr_parent != NULL )
{
char **refs = NULL;
tmpber = *ber;
/* Get the referral list */
if ( ber_scanf( &tmpber, "{v}", &refs ) == LBER_ERROR ) {
rc = LDAP_DECODING_ERROR;
} else {
/* Note: refs array is freed by ldap_chase_v3referrals */
refer_cnt = ldap_chase_v3referrals( ld, lr, refs,
1, &lr->lr_res_error, &hadref );
if ( refer_cnt > 0 ) {
/* successfully chased reference */
/* If haven't got end search, set chasing referrals */
if ( lr->lr_status != LDAP_REQST_COMPLETED ) {
lr->lr_status = LDAP_REQST_CHASINGREFS;
Debug( LDAP_DEBUG_TRACE,
"read1msg: search ref chased, "
"mark request chasing refs, "
"id = %d\n",
lr->lr_msgid, 0, 0 );
}
}
}
}
}
} else if ( tag != LDAP_RES_SEARCH_ENTRY && tag != LDAP_RES_INTERMEDIATE ) {
/* All results that just return a status, i.e. don't return data
* go through the following code. This code also chases V2 referrals
* and checks if all referrals have been chased.
*/
char *lr_res_error = NULL;
tmpber = *ber; /* struct copy */
if ( ber_scanf( &tmpber, "{eAA", &lderr,
&lr->lr_res_matched, &lr_res_error )
!= LBER_ERROR )
{
if ( lr_res_error != NULL ) {
if ( lr->lr_res_error != NULL ) {
(void)ldap_append_referral( ld, &lr->lr_res_error, lr_res_error );
LDAP_FREE( (char *)lr_res_error );
} else {
lr->lr_res_error = lr_res_error;
}
lr_res_error = NULL;
}
/* Do we need to check for referrals? */
if ( LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_REFERRALS) ||
lr->lr_parent != NULL )
{
char **refs = NULL;
ber_len_t len;
/* Check if V3 referral */
if ( ber_peek_tag( &tmpber, &len ) == LDAP_TAG_REFERRAL ) {
if ( ld->ld_version > LDAP_VERSION2 ) {
/* Get the referral list */
if ( ber_scanf( &tmpber, "{v}", &refs) == LBER_ERROR) {
rc = LDAP_DECODING_ERROR;
lr->lr_status = LDAP_REQST_COMPLETED;
Debug( LDAP_DEBUG_TRACE,
"read1msg: referral decode error, "
"mark request completed, ld %p msgid %d\n",
(void *)ld, lr->lr_msgid, 0 );
} else {
/* Chase the referral
* refs array is freed by ldap_chase_v3referrals
*/
refer_cnt = ldap_chase_v3referrals( ld, lr, refs,
0, &lr->lr_res_error, &hadref );
lr->lr_status = LDAP_REQST_COMPLETED;
Debug( LDAP_DEBUG_TRACE,
"read1msg: referral %s chased, "
"mark request completed, ld %p msgid %d\n",
refer_cnt > 0 ? "" : "not",
(void *)ld, lr->lr_msgid);
if ( refer_cnt < 0 ) {
refer_cnt = 0;
}
}
}
} else {
switch ( lderr ) {
case LDAP_SUCCESS:
case LDAP_COMPARE_TRUE:
case LDAP_COMPARE_FALSE:
break;
default:
if ( lr->lr_res_error == NULL ) {
break;
}
/* pedantic, should never happen */
if ( lr->lr_res_error[ 0 ] == '\0' ) {
LDAP_FREE( lr->lr_res_error );
lr->lr_res_error = NULL;
break;
}
/* V2 referrals are in error string */
refer_cnt = ldap_chase_referrals( ld, lr,
&lr->lr_res_error, -1, &hadref );
lr->lr_status = LDAP_REQST_COMPLETED;
Debug( LDAP_DEBUG_TRACE,
"read1msg: V2 referral chased, "
"mark request completed, id = %d\n",
lr->lr_msgid, 0, 0 );
break;
}
}
}
/* save errno, message, and matched string */
if ( !hadref || lr->lr_res_error == NULL ) {
lr->lr_res_errno =
lderr == LDAP_PARTIAL_RESULTS
? LDAP_SUCCESS : lderr;
} else if ( ld->ld_errno != LDAP_SUCCESS ) {
lr->lr_res_errno = ld->ld_errno;
} else {
lr->lr_res_errno = LDAP_PARTIAL_RESULTS;
}
}
/* in any case, don't leave any lr_res_error 'round */
if ( lr_res_error ) {
LDAP_FREE( lr_res_error );
}
Debug( LDAP_DEBUG_TRACE,
"read1msg: ld %p %d new referrals\n",
(void *)ld, refer_cnt, 0 );
if ( refer_cnt != 0 ) { /* chasing referrals */
ber_free( ber, 1 );
ber = NULL;
if ( refer_cnt < 0 ) {
ldap_return_request( ld, lr, 0 );
return( -1 ); /* fatal error */
}
lr->lr_res_errno = LDAP_SUCCESS; /* sucessfully chased referral */
} else {
if ( lr->lr_outrefcnt <= 0 && lr->lr_parent == NULL ) {
/* request without any referrals */
simple_request = ( hadref ? 0 : 1 );
} else {
/* request with referrals or child request */
ber_free( ber, 1 );
ber = NULL;
}
lr->lr_status = LDAP_REQST_COMPLETED; /* declare this request done */
Debug( LDAP_DEBUG_TRACE,
"read1msg: mark request completed, ld %p msgid %d\n",
(void *)ld, lr->lr_msgid, 0);
while ( lr->lr_parent != NULL ) {
merge_error_info( ld, lr->lr_parent, lr );
lr = lr->lr_parent;
if ( --lr->lr_outrefcnt > 0 ) {
break; /* not completely done yet */
}
}
/* Check if all requests are finished, lr is now parent */
tmplr = lr;
if ( tmplr->lr_status == LDAP_REQST_COMPLETED ) {
for ( tmplr = lr->lr_child;
tmplr != NULL;
tmplr = tmplr->lr_refnext )
{
if ( tmplr->lr_status != LDAP_REQST_COMPLETED ) break;
}
}
/* This is the parent request if the request has referrals */
if ( lr->lr_outrefcnt <= 0 &&
lr->lr_parent == NULL &&
tmplr == NULL )
{
id = lr->lr_msgid;
tag = lr->lr_res_msgtype;
Debug( LDAP_DEBUG_TRACE, "request done: ld %p msgid %ld\n",
(void *)ld, (long) id, 0 );
Debug( LDAP_DEBUG_TRACE,
"res_errno: %d, res_error: <%s>, "
"res_matched: <%s>\n",
lr->lr_res_errno,
lr->lr_res_error ? lr->lr_res_error : "",
lr->lr_res_matched ? lr->lr_res_matched : "" );
if ( !simple_request ) {
ber_free( ber, 1 );
ber = NULL;
if ( build_result_ber( ld, &ber, lr )
== LBER_ERROR )
{
rc = -1; /* fatal error */
}
}
if ( lr != &dummy_lr ) {
ldap_return_request( ld, lr, 1 );
}
lr = NULL;
}
/*
* RF 4511 unsolicited (id == 0) responses
* shouldn't necessarily end the connection
*/
if ( lc != NULL && id != 0 ) {
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
#endif
ldap_free_connection( ld, lc, 0, 1 );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
#endif
lc = *lcp = NULL;
}
}
}
if ( lr != NULL ) {
if ( lr != &dummy_lr ) {
ldap_return_request( ld, lr, 0 );
}
lr = NULL;
}
if ( ber == NULL ) {
return( rc );
}
/* try to handle unsolicited responses as appropriate */
if ( id == 0 && msgid > LDAP_RES_UNSOLICITED ) {
int is_nod = 0;
tag = ber_peek_tag( &tmpber, &len );
/* we have a res oid */
if ( tag == LDAP_TAG_EXOP_RES_OID ) {
static struct berval bv_nod = BER_BVC( LDAP_NOTICE_OF_DISCONNECTION );
struct berval resoid = BER_BVNULL;
if ( ber_scanf( &tmpber, "m", &resoid ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return -1;
}
assert( !BER_BVISEMPTY( &resoid ) );
is_nod = ber_bvcmp( &resoid, &bv_nod ) == 0;
tag = ber_peek_tag( &tmpber, &len );
}
#if 0 /* don't need right now */
/* we have res data */
if ( tag == LDAP_TAG_EXOP_RES_VALUE ) {
struct berval resdata;
if ( ber_scanf( &tmpber, "m", &resdata ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 0 );
return ld->ld_errno;
}
/* use it... */
}
#endif
/* handle RFC 4511 "Notice of Disconnection" locally */
if ( is_nod ) {
if ( tag == LDAP_TAG_EXOP_RES_VALUE ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return -1;
}
/* get rid of the connection... */
if ( lc != NULL ) {
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
#endif
ldap_free_connection( ld, lc, 0, 1 );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
#endif
lc = *lcp = NULL;
}
/* need to return -1, because otherwise
* a valid result is expected */
return -1;
}
}
/* make a new ldap message */
newmsg = (LDAPMessage *) LDAP_CALLOC( 1, sizeof(LDAPMessage) );
if ( newmsg == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
return( -1 );
}
newmsg->lm_msgid = (int)id;
newmsg->lm_msgtype = tag;
newmsg->lm_ber = ber;
newmsg->lm_chain_tail = newmsg;
#ifdef LDAP_CONNECTIONLESS
/* CLDAP replies all fit in a single datagram. In LDAPv2 RFC1798
* the responses are all a sequence wrapped in one message. In
* LDAPv3 each response is in its own message. The datagram must
* end with a SearchResult. We can't just parse each response in
* separate calls to try_read1msg because the header info is only
* present at the beginning of the datagram, not at the beginning
* of each response. So parse all the responses at once and queue
* them up, then pull off the first response to return to the
* caller when all parsing is complete.
*/
if ( LDAP_IS_UDP(ld) ) {
/* If not a result, look for more */
if ( tag != LDAP_RES_SEARCH_RESULT ) {
int ok = 0;
moremsgs = 1;
if (isv2) {
/* LDAPv2: dup the current ber, skip past the current
* response, and see if there are any more after it.
*/
ber = ber_dup( ber );
ber_scanf( ber, "x" );
if ( ber_peek_tag( ber, &len ) != LBER_DEFAULT ) {
/* There's more - dup the ber buffer so they can all be
* individually freed by ldap_msgfree.
*/
struct berval bv;
ber_get_option( ber, LBER_OPT_BER_REMAINING_BYTES, &len );
bv.bv_val = LDAP_MALLOC( len );
if ( bv.bv_val ) {
ok = 1;
ber_read( ber, bv.bv_val, len );
bv.bv_len = len;
ber_init2( ber, &bv, ld->ld_lberoptions );
}
}
} else {
/* LDAPv3: Just allocate a new ber. Since this is a buffered
* datagram, if the sockbuf is readable we still have data
* to parse.
*/
ber = ldap_alloc_ber_with_options( ld );
if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) ok = 1;
}
/* set up response chain */
if ( tmp == NULL ) {
newmsg->lm_next = ld->ld_responses;
ld->ld_responses = newmsg;
chain_head = newmsg;
} else {
tmp->lm_chain = newmsg;
}
chain_head->lm_chain_tail = newmsg;
tmp = newmsg;
/* "ok" means there's more to parse */
if ( ok ) {
if ( isv2 ) {
goto nextresp2;
} else {
goto nextresp3;
}
} else {
/* got to end of datagram without a SearchResult. Free
* our dup'd ber, but leave any buffer alone. For v2 case,
* the previous response is still using this buffer. For v3,
* the new ber has no buffer to free yet.
*/
ber_free( ber, 0 );
return -1;
}
} else if ( moremsgs ) {
/* got search result, and we had multiple responses in 1 datagram.
* stick the result onto the end of the chain, and then pull the
* first response off the head of the chain.
*/
tmp->lm_chain = newmsg;
chain_head->lm_chain_tail = newmsg;
*result = chkResponseList( ld, msgid, all );
ld->ld_errno = LDAP_SUCCESS;
return( (*result)->lm_msgtype );
}
}
#endif /* LDAP_CONNECTIONLESS */
/* is this the one we're looking for? */
if ( msgid == LDAP_RES_ANY || id == msgid ) {
if ( all == LDAP_MSG_ONE
|| ( newmsg->lm_msgtype != LDAP_RES_SEARCH_RESULT
&& newmsg->lm_msgtype != LDAP_RES_SEARCH_ENTRY
&& newmsg->lm_msgtype != LDAP_RES_SEARCH_REFERENCE ) )
{
*result = newmsg;
ld->ld_errno = LDAP_SUCCESS;
return( tag );
} else if ( newmsg->lm_msgtype == LDAP_RES_SEARCH_RESULT) {
foundit = 1; /* return the chain later */
}
}
/*
* if not, we must add it to the list of responses. if
* the msgid is already there, it must be part of an existing
* search response.
*/
prev = NULL;
for ( l = ld->ld_responses; l != NULL; l = l->lm_next ) {
if ( l->lm_msgid == newmsg->lm_msgid ) {
break;
}
prev = l;
}
/* not part of an existing search response */
if ( l == NULL ) {
if ( foundit ) {
*result = newmsg;
goto exit;
}
newmsg->lm_next = ld->ld_responses;
ld->ld_responses = newmsg;
goto exit;
}
Debug( LDAP_DEBUG_TRACE, "adding response ld %p msgid %ld type %ld:\n",
(void *)ld, (long) newmsg->lm_msgid, (long) newmsg->lm_msgtype );
/* part of a search response - add to end of list of entries */
l->lm_chain_tail->lm_chain = newmsg;
l->lm_chain_tail = newmsg;
/* return the whole chain if that's what we were looking for */
if ( foundit ) {
if ( prev == NULL ) {
ld->ld_responses = l->lm_next;
} else {
prev->lm_next = l->lm_next;
}
*result = l;
}
exit:
if ( foundit ) {
ld->ld_errno = LDAP_SUCCESS;
return( tag );
}
if ( lc && ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) {
goto retry;
}
return( LDAP_MSG_X_KEEP_LOOKING ); /* continue looking */
}
static ber_tag_t
build_result_ber( LDAP *ld, BerElement **bp, LDAPRequest *lr )
{
ber_len_t len;
ber_tag_t tag;
ber_int_t along;
BerElement *ber;
*bp = NULL;
ber = ldap_alloc_ber_with_options( ld );
if( ber == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
return LBER_ERROR;
}
if ( ber_printf( ber, "{it{ess}}", lr->lr_msgid,
lr->lr_res_msgtype, lr->lr_res_errno,
lr->lr_res_matched ? lr->lr_res_matched : "",
lr->lr_res_error ? lr->lr_res_error : "" ) == -1 )
{
ld->ld_errno = LDAP_ENCODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
ber_reset( ber, 1 );
if ( ber_skip_tag( ber, &len ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
if ( ber_get_enum( ber, &along ) == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
tag = ber_peek_tag( ber, &len );
if ( tag == LBER_ERROR ) {
ld->ld_errno = LDAP_DECODING_ERROR;
ber_free( ber, 1 );
return( LBER_ERROR );
}
*bp = ber;
return tag;
}
int
ldap_parse_passwordpolicy_control(
LDAP *ld,
LDAPControl *ctrl,
ber_int_t *expirep,
ber_int_t *gracep,
LDAPPasswordPolicyError *errorp )
{
BerElement *ber;
int exp = -1, grace = -1;
ber_tag_t tag;
ber_len_t berLen;
char *last;
int err = PP_noError;
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( ctrl != NULL );
/* Create a BerElement from the berval returned in the control. */
ber = ber_init(&ctrl->ldctl_value);
if (ber == NULL) {
ld->ld_errno = LDAP_NO_MEMORY;
return(ld->ld_errno);
}
tag = ber_peek_tag( ber, &berLen );
if (tag != LBER_SEQUENCE) goto exit;
for( tag = ber_first_element( ber, &berLen, &last );
tag != LBER_DEFAULT;
tag = ber_next_element( ber, &berLen, last ) )
{
switch (tag) {
case PPOLICY_WARNING:
ber_skip_tag(ber, &berLen );
tag = ber_peek_tag( ber, &berLen );
switch( tag ) {
case PPOLICY_EXPIRE:
if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
break;
case PPOLICY_GRACE:
if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
break;
default:
goto exit;
}
break;
case PPOLICY_ERROR:
if (ber_get_enum( ber, &err ) == LBER_DEFAULT) goto exit;
break;
default:
goto exit;
}
}
ber_free(ber, 1);
/* Return data to the caller for items that were requested. */
if (expirep) *expirep = exp;
if (gracep) *gracep = grace;
if (errorp) *errorp = err;
ld->ld_errno = LDAP_SUCCESS;
return(ld->ld_errno);
exit:
ber_free(ber, 1);
ld->ld_errno = LDAP_DECODING_ERROR;
return(ld->ld_errno);
}
int ldap_parse_passwordpolicy_control(LDAP UNUSED(*ld), LDAPControl *ctrl,
ber_int_t *expirep, ber_int_t *gracep,
LDAPPasswordPolicyError UNUSED(*errorp))
{
BerElement *ber;
ber_tag_t tag;
ber_len_t berLen;
char *last;
#ifdef HAVE_BER_GET_ENUM
int err = PP_noError;
#endif /* HAVE_BER_GET_ENUM */
/* get a BerElement from the control */
ber = ber_init(&ctrl->ldctl_value);
if (ber == NULL)
return LDAP_LOCAL_ERROR;
/* go over tags */
for(tag = ber_first_element(ber, &berLen, &last); tag != LBER_DEFAULT; tag = ber_next_element(ber, &berLen, last))
{
switch (tag)
{
case PPOLICY_WARNING:
ber_skip_tag(ber, &berLen);
tag = ber_peek_tag(ber, &berLen);
switch (tag)
{
case PPOLICY_EXPIRE:
if (ber_get_int(ber, expirep) == LBER_DEFAULT)
{
ber_free(ber, 1);
return LDAP_DECODING_ERROR;
}
break;
case PPOLICY_GRACE:
if (ber_get_int(ber, gracep) == LBER_DEFAULT)
{
ber_free(ber, 1);
return LDAP_DECODING_ERROR;
}
break;
default:
ber_free(ber, 1);
return LDAP_DECODING_ERROR;
}
break;
#ifdef HAVE_BER_GET_ENUM
case PPOLICY_ERROR:
if (ber_get_enum(ber, &err) == LBER_DEFAULT)
{
ber_free(ber, 1);
return LDAP_DECODING_ERROR;
}
break;
#endif /* HAVE_BER_GET_ENUM */
default:
ber_free(ber, 1);
return LDAP_DECODING_ERROR;
}
}
ber_free(ber, 1);
return LDAP_SUCCESS;
}
