2 /* $Id: aldap.c,v 1.32 2016/04/27 10:53:27 schwarze Exp $ */
3 /* $OpenBSD: aldap.c,v 1.32 2016/04/27 10:53:27 schwarze Exp $ */
6 * Copyright (c) 2008 Alexander Schrijver <aschrijver@openbsd.org>
7 * Copyright (c) 2006, 2007 Marc Balmer <mbalmer@openbsd.org>
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
36 static struct ber_element *ldap_parse_search_filter(struct ber_element *,
38 static struct ber_element *ldap_do_parse_search_filter(
39 struct ber_element *, char **);
40 char **aldap_get_stringset(struct ber_element *);
42 static int isu8cont(unsigned char);
43 char *parseval(char *, size_t);
44 int aldap_create_page_control(struct ber_element *,
45 int, struct aldap_page_control *);
48 void ldap_debug_elements(struct ber_element *);
52 #define DPRINTF(x...) printf(x)
53 #define LDAP_DEBUG(x, y) do { fprintf(stderr, "*** " x "\n"); ldap_debug_elements(y); } while (0)
55 #define DPRINTF(x...) do { } while (0)
56 #define LDAP_DEBUG(x, y) do { } while (0)
60 aldap_close(struct aldap *al)
62 if (close(al->ber.fd) == -1)
76 if ((a = calloc(1, sizeof(*a))) == NULL)
84 aldap_bind(struct aldap *ldap, char *binddn, char *bindcred)
86 struct ber_element *root = NULL, *elm;
94 if ((root = ber_add_sequence(NULL)) == NULL)
97 elm = ber_printf_elements(root, "d{tdsst", ++ldap->msgid, BER_CLASS_APP,
98 (unsigned long)LDAP_REQ_BIND, VERSION, binddn, bindcred,
99 BER_CLASS_CONTEXT, (unsigned long)LDAP_AUTH_SIMPLE);
103 LDAP_DEBUG("aldap_bind", root);
105 error = ber_write_elements(&ldap->ber, root);
106 ber_free_elements(root);
111 return (ldap->msgid);
114 ber_free_elements(root);
116 ldap->err = ALDAP_ERR_OPERATION_FAILED;
121 aldap_unbind(struct aldap *ldap)
123 struct ber_element *root = NULL, *elm;
126 if ((root = ber_add_sequence(NULL)) == NULL)
128 elm = ber_printf_elements(root, "d{t", ++ldap->msgid, BER_CLASS_APP,
133 LDAP_DEBUG("aldap_unbind", root);
135 error = ber_write_elements(&ldap->ber, root);
136 ber_free_elements(root);
141 return (ldap->msgid);
144 ber_free_elements(root);
146 ldap->err = ALDAP_ERR_OPERATION_FAILED;
152 aldap_search(struct aldap *ldap, char *basedn, enum scope scope, char *filter,
153 char **attrs, int typesonly, int sizelimit, int timelimit,
154 struct aldap_page_control *page)
156 struct ber_element *root = NULL, *ber, *c;
159 if ((root = ber_add_sequence(NULL)) == NULL)
162 ber = ber_printf_elements(root, "d{t", ++ldap->msgid, BER_CLASS_APP,
163 (unsigned long) LDAP_REQ_SEARCH);
165 ldap->err = ALDAP_ERR_OPERATION_FAILED;
170 ber = ber_printf_elements(ber, "sEEddb", basedn, (long long)scope,
171 (long long)LDAP_DEREF_NEVER, sizelimit,
172 timelimit, typesonly);
174 ldap->err = ALDAP_ERR_OPERATION_FAILED;
178 if ((ber = ldap_parse_search_filter(ber, filter)) == NULL) {
179 ldap->err = ALDAP_ERR_PARSER_ERROR;
183 if ((ber = ber_add_sequence(ber)) == NULL)
186 for (i = 0; attrs[i] != NULL; i++) {
187 if ((ber = ber_add_string(ber, attrs[i])) == NULL)
191 aldap_create_page_control(c, 100, page);
193 LDAP_DEBUG("aldap_search", root);
195 error = ber_write_elements(&ldap->ber, root);
196 ber_free_elements(root);
199 ldap->err = ALDAP_ERR_OPERATION_FAILED;
203 return (ldap->msgid);
207 ber_free_elements(root);
213 aldap_create_page_control(struct ber_element *elm, int size,
214 struct aldap_page_control *page)
218 struct ber_element *ber = NULL;
223 ber = ber_add_sequence(NULL);
226 if (ber_printf_elements(ber, "ds", 50, "") == NULL)
229 if (ber_printf_elements(ber, "dx", 50, page->cookie,
230 page->cookie_len) == NULL)
234 if ((len = ber_write_elements(&c, ber)) < 1)
236 if (ber_printf_elements(elm, "{t{sx", 2, 0, LDAP_PAGED_OID,
237 c.br_wbuf, (size_t)len) == NULL)
240 ber_free_elements(ber);
245 ber_free_elements(ber);
251 struct aldap_message *
252 aldap_parse(struct aldap *ldap)
257 struct aldap_message *m;
258 struct ber_element *a = NULL, *ep;
260 if ((m = calloc(1, sizeof(struct aldap_message))) == NULL)
263 if ((m->msg = ber_read_elements(&ldap->ber, NULL)) == NULL)
266 LDAP_DEBUG("message", m->msg);
268 if (ber_scanf_elements(m->msg, "{ite", &msgid, &class, &type, &a) != 0)
271 m->message_type = type;
274 switch (m->message_type) {
276 case LDAP_RES_MODIFY:
278 case LDAP_RES_DELETE:
279 case LDAP_RES_MODRDN:
280 case LDAP_RES_COMPARE:
281 case LDAP_RES_SEARCH_RESULT:
282 if (ber_scanf_elements(m->protocol_op, "{EeSeSe",
283 &m->body.res.rescode, &m->dn, &m->body.res.diagmsg, &a) != 0)
285 if (m->body.res.rescode == LDAP_REFERRAL)
286 if (ber_scanf_elements(a, "{e", &m->references) != 0)
288 if (m->msg->be_sub) {
289 for (ep = m->msg->be_sub; ep != NULL; ep = ep->be_next) {
290 ber_scanf_elements(ep, "t", &class, &type);
291 if (class == 2 && type == 0)
292 m->page = aldap_parse_page_control(ep->be_sub->be_sub,
293 ep->be_sub->be_sub->be_len);
298 case LDAP_RES_SEARCH_ENTRY:
299 if (ber_scanf_elements(m->protocol_op, "{eS{e", &m->dn,
300 &m->body.search.attrs) != 0)
303 case LDAP_RES_SEARCH_REFERENCE:
304 if (ber_scanf_elements(m->protocol_op, "{e", &m->references) != 0)
311 ldap->err = ALDAP_ERR_PARSER_ERROR;
316 struct aldap_page_control *
317 aldap_parse_page_control(struct ber_element *control, size_t len)
322 struct ber_element *elm;
323 struct aldap_page_control *page;
327 ber_scanf_elements(control, "ss", &oid, &encoded);
328 ber_set_readbuf(&b, encoded, control->be_next->be_len);
329 elm = ber_read_elements(&b, NULL);
331 if ((page = malloc(sizeof(struct aldap_page_control))) == NULL) {
333 ber_free_elements(elm);
338 ber_scanf_elements(elm->be_sub, "is", &page->size, &s);
339 page->cookie_len = elm->be_sub->be_next->be_len;
341 if ((page->cookie = malloc(page->cookie_len)) == NULL) {
343 ber_free_elements(elm);
348 memcpy(page->cookie, s, page->cookie_len);
350 ber_free_elements(elm);
356 aldap_freepage(struct aldap_page_control *page)
363 aldap_freemsg(struct aldap_message *msg)
366 ber_free_elements(msg->msg);
371 aldap_get_resultcode(struct aldap_message *msg)
373 return msg->body.res.rescode;
377 aldap_get_dn(struct aldap_message *msg)
384 if (ber_get_string(msg->dn, &dn) == -1)
391 aldap_get_references(struct aldap_message *msg)
393 if (msg->references == NULL)
395 return aldap_get_stringset(msg->references);
399 aldap_free_references(char **values)
406 for (i = 0; values[i] != NULL; i++)
413 aldap_get_diagmsg(struct aldap_message *msg)
417 if (msg->body.res.diagmsg == NULL)
420 if (ber_get_string(msg->body.res.diagmsg, &s) == -1)
427 aldap_count_attrs(struct aldap_message *msg)
430 struct ber_element *a;
432 if (msg->body.search.attrs == NULL)
435 for (i = 0, a = msg->body.search.attrs;
436 a != NULL && ber_get_eoc(a) != 0;
444 aldap_first_attr(struct aldap_message *msg, char **outkey, char ***outvalues)
446 struct ber_element *b, *c;
450 if (msg->body.search.attrs == NULL)
453 if (ber_scanf_elements(msg->body.search.attrs, "{s(e)}e",
457 msg->body.search.iter = msg->body.search.attrs->be_next;
459 if ((ret = aldap_get_stringset(b)) == NULL)
463 (*outkey) = utoa(key);
473 aldap_next_attr(struct aldap_message *msg, char **outkey, char ***outvalues)
475 struct ber_element *a, *b;
479 if (msg->body.search.iter == NULL)
482 LDAP_DEBUG("attr", msg->body.search.iter);
484 if (ber_get_eoc(msg->body.search.iter) == 0)
487 if (ber_scanf_elements(msg->body.search.iter, "{s(e)}e", &key, &a, &b)
491 msg->body.search.iter = msg->body.search.iter->be_next;
493 if ((ret = aldap_get_stringset(a)) == NULL)
497 (*outkey) = utoa(key);
508 aldap_match_attr(struct aldap_message *msg, char *inkey, char ***outvalues)
510 struct ber_element *a, *b;
514 if (msg->body.search.attrs == NULL)
517 LDAP_DEBUG("attr", msg->body.search.attrs);
519 for (a = msg->body.search.attrs;;) {
522 if (ber_get_eoc(a) == 0)
524 if (ber_scanf_elements(a, "{s(e", &descr, &b) != 0)
526 if (strcasecmp(descr, inkey) == 0)
532 if ((ret = aldap_get_stringset(b)) == NULL)
545 aldap_free_attr(char **values)
552 for (i = 0; values[i] != NULL; i++)
562 aldap_free_url(struct aldap_url *lu)
569 aldap_parse_url(char *url, struct aldap_url *lu)
571 char *p, *forward, *forward2;
572 const char *errstr = NULL;
575 if ((lu->buffer = p = strdup(url)) == NULL)
579 if (strncasecmp(LDAP_URL, p, strlen(LDAP_URL)) != 0)
582 p += strlen(LDAP_URL);
584 /* host and optional port */
585 if ((forward = strchr(p, '/')) != NULL)
587 /* find the optional port */
588 if ((forward2 = strchr(p, ':')) != NULL) {
590 /* if a port is given */
591 if (*(forward2+1) != '\0') {
592 #define PORT_MAX UINT16_MAX
593 lu->port = strtonum(++forward2, 0, PORT_MAX, &errstr);
598 /* fail if no host is given */
604 /* p is assigned either a pointer to a character or to '\0' */
610 if ((forward = strchr(p, '?')) != NULL)
615 /* p is assigned either a pointer to a character or to '\0' */
621 if ((forward = strchr(p, '?')) != NULL)
623 for (i = 0; i < MAXATTR; i++) {
624 if ((forward2 = strchr(p, ',')) == NULL) {
627 lu->attributes[i] = p;
631 lu->attributes[i] = p;
636 /* p is assigned either a pointer to a character or to '\0' */
642 if ((forward = strchr(p, '?')) != NULL)
644 if (strcmp(p, "base") == 0)
645 lu->scope = LDAP_SCOPE_BASE;
646 else if (strcmp(p, "one") == 0)
647 lu->scope = LDAP_SCOPE_ONELEVEL;
648 else if (strcmp(p, "sub") == 0)
649 lu->scope = LDAP_SCOPE_SUBTREE;
671 aldap_search_url(struct aldap *ldap, char *url, int typesonly, int sizelimit,
674 struct aldap_url *lu;
676 if ((lu = calloc(1, sizeof(*lu))) == NULL)
679 if (aldap_parse_url(url, lu))
682 if (aldap_search(ldap, lu->dn, lu->scope, lu->filter, lu->attributes,
683 typesonly, sizelimit, timelimit) == -1)
687 return (ldap->msgid);
699 aldap_get_stringset(struct ber_element *elm)
701 struct ber_element *a;
706 if (elm->be_type != BER_TYPE_OCTETSTRING)
709 for (a = elm, i = 1; i > 0 && a != NULL && a->be_type ==
710 BER_TYPE_OCTETSTRING; a = a->be_next, i++)
715 if ((ret = calloc(i + 1, sizeof(char *))) == NULL)
718 for (a = elm, i = 0; a != NULL && a->be_type == BER_TYPE_OCTETSTRING;
721 ber_get_string(a, &s);
737 * Base case for ldap_do_parse_search_filter
740 * struct ber_element *, ber_element tree
743 static struct ber_element *
744 ldap_parse_search_filter(struct ber_element *ber, char *filter)
746 struct ber_element *elm;
751 if (cp == NULL || *cp == '\0') {
756 if ((elm = ldap_do_parse_search_filter(ber, &cp)) == NULL)
760 ber_free_elements(elm);
761 ber_link_elements(ber, NULL);
770 * Translate RFC4515 search filter string into ber_element tree
773 * struct ber_element *, ber_element tree
777 * when cp is passed to a recursive invocation, it is updated
778 * to point one character beyond the filter that was passed
779 * i.e., cp jumps to "(filter)" upon return
781 * goto's used to discriminate error-handling based on error type
782 * doesn't handle extended filters (yet)
785 static struct ber_element *
786 ldap_do_parse_search_filter(struct ber_element *prev, char **cpp)
788 struct ber_element *elm, *root = NULL;
789 char *attr_desc, *attr_val, *parsed_val, *cp;
795 /* cpp should pass in pointer to opening parenthesis of "(filter)" */
804 type = LDAP_FILT_AND;
808 if ((elm = ber_add_set(prev)) == NULL)
811 ber_set_header(elm, BER_CLASS_CONTEXT, type);
813 if (*++cp != '(') /* opening `(` of filter */
818 ldap_do_parse_search_filter(elm, &cp)) == NULL)
822 if (*cp != ')') /* trailing `)` of filter */
827 if ((root = ber_add_sequence(prev)) == NULL)
829 ber_set_header(root, BER_CLASS_CONTEXT, LDAP_FILT_NOT);
831 cp++; /* now points to sub-filter */
832 if ((elm = ldap_do_parse_search_filter(root, &cp)) == NULL)
835 if (*cp != ')') /* trailing `)` of filter */
839 default: /* SIMPLE || PRESENCE */
842 len = strcspn(cp, "()<>~=");
846 type = LDAP_FILT_APPR;
858 type = LDAP_FILT_EQ; /* assume EQ until disproven */
867 /* presence filter */
868 if (strncmp(attr_val, "*)", 2) == 0) {
869 cp++; /* point to trailing `)` */
871 ber_add_nstring(prev, attr_desc, len)) == NULL)
874 ber_set_header(root, BER_CLASS_CONTEXT, LDAP_FILT_PRES);
878 if ((root = ber_add_sequence(prev)) == NULL)
880 ber_set_header(root, BER_CLASS_CONTEXT, type);
882 if ((elm = ber_add_nstring(root, attr_desc, len)) == NULL)
885 len = strcspn(attr_val, "*)");
886 if (len == 0 && *cp != '*')
892 if (*cp == '*') { /* substring filter */
897 ber_set_header(root, BER_CLASS_CONTEXT, LDAP_FILT_SUBS);
899 if ((elm = ber_add_sequence(elm)) == NULL)
902 for (initial = 1;; cp++, initial = 0) {
905 len = strcspn(attr_val, "*)");
917 type = LDAP_FILT_SUBS_INIT;
919 type = LDAP_FILT_SUBS_FIN;
921 type = LDAP_FILT_SUBS_ANY;
923 if ((parsed_val = parseval(attr_val, len)) ==
926 elm = ber_add_nstring(elm, parsed_val,
931 ber_set_header(elm, BER_CLASS_CONTEXT, type);
932 if (type == LDAP_FILT_SUBS_FIN)
938 if ((parsed_val = parseval(attr_val, len)) == NULL)
940 elm = ber_add_nstring(elm, parsed_val, strlen(parsed_val));
947 cp++; /* now points one char beyond the trailing `)` */
952 syntaxfail: /* XXX -- error reporting */
956 ber_free_elements(root);
957 ber_link_elements(prev, NULL);
963 * Display a list of ber elements.
967 ldap_debug_elements(struct ber_element *root)
969 static int indent = 0;
978 /* calculate lengths */
981 switch (root->be_encoding) {
982 case BER_TYPE_SEQUENCE:
984 constructed = root->be_encoding;
991 fprintf(stderr, "%*slen %lu ", indent, "", root->be_len);
992 switch (root->be_class) {
993 case BER_CLASS_UNIVERSAL:
994 fprintf(stderr, "class: universal(%u) type: ", root->be_class);
995 switch (root->be_type) {
997 fprintf(stderr, "end-of-content");
999 case BER_TYPE_BOOLEAN:
1000 fprintf(stderr, "boolean");
1002 case BER_TYPE_INTEGER:
1003 fprintf(stderr, "integer");
1005 case BER_TYPE_BITSTRING:
1006 fprintf(stderr, "bit-string");
1008 case BER_TYPE_OCTETSTRING:
1009 fprintf(stderr, "octet-string");
1012 fprintf(stderr, "null");
1014 case BER_TYPE_OBJECT:
1015 fprintf(stderr, "object");
1017 case BER_TYPE_ENUMERATED:
1018 fprintf(stderr, "enumerated");
1020 case BER_TYPE_SEQUENCE:
1021 fprintf(stderr, "sequence");
1024 fprintf(stderr, "set");
1028 case BER_CLASS_APPLICATION:
1029 fprintf(stderr, "class: application(%u) type: ",
1031 switch (root->be_type) {
1033 fprintf(stderr, "bind");
1036 fprintf(stderr, "bind");
1038 case LDAP_REQ_UNBIND_30:
1040 case LDAP_REQ_SEARCH:
1041 fprintf(stderr, "search");
1043 case LDAP_RES_SEARCH_ENTRY:
1044 fprintf(stderr, "search_entry");
1046 case LDAP_RES_SEARCH_RESULT:
1047 fprintf(stderr, "search_result");
1049 case LDAP_REQ_MODIFY:
1050 fprintf(stderr, "modify");
1052 case LDAP_RES_MODIFY:
1053 fprintf(stderr, "modify");
1056 fprintf(stderr, "add");
1059 fprintf(stderr, "add");
1061 case LDAP_REQ_DELETE_30:
1062 fprintf(stderr, "delete");
1064 case LDAP_RES_DELETE:
1065 fprintf(stderr, "delete");
1067 case LDAP_REQ_MODRDN:
1068 fprintf(stderr, "modrdn");
1070 case LDAP_RES_MODRDN:
1071 fprintf(stderr, "modrdn");
1073 case LDAP_REQ_COMPARE:
1074 fprintf(stderr, "compare");
1076 case LDAP_RES_COMPARE:
1077 fprintf(stderr, "compare");
1079 case LDAP_REQ_ABANDON_30:
1080 fprintf(stderr, "abandon");
1084 case BER_CLASS_PRIVATE:
1085 fprintf(stderr, "class: private(%u) type: ", root->be_class);
1086 fprintf(stderr, "encoding (%lu) type: ", root->be_encoding);
1088 case BER_CLASS_CONTEXT:
1089 /* XXX: this is not correct */
1090 fprintf(stderr, "class: context(%u) type: ", root->be_class);
1091 switch(root->be_type) {
1092 case LDAP_AUTH_SIMPLE:
1093 fprintf(stderr, "auth simple");
1098 fprintf(stderr, "class: <INVALID>(%u) type: ", root->be_class);
1101 fprintf(stderr, "(%lu) encoding %lu ",
1102 root->be_type, root->be_encoding);
1105 root->be_encoding = constructed;
1107 switch (root->be_encoding) {
1108 case BER_TYPE_BOOLEAN:
1109 if (ber_get_boolean(root, &d) == -1) {
1110 fprintf(stderr, "<INVALID>\n");
1113 fprintf(stderr, "%s(%d)\n", d ? "true" : "false", d);
1115 case BER_TYPE_INTEGER:
1116 if (ber_get_integer(root, &v) == -1) {
1117 fprintf(stderr, "<INVALID>\n");
1120 fprintf(stderr, "value %lld\n", v);
1122 case BER_TYPE_ENUMERATED:
1123 if (ber_get_enumerated(root, &v) == -1) {
1124 fprintf(stderr, "<INVALID>\n");
1127 fprintf(stderr, "value %lld\n", v);
1129 case BER_TYPE_BITSTRING:
1130 if (ber_get_bitstring(root, (void *)&buf, &len) == -1) {
1131 fprintf(stderr, "<INVALID>\n");
1134 fprintf(stderr, "hexdump ");
1135 for (i = 0; i < len; i++)
1136 fprintf(stderr, "%02x", buf[i]);
1137 fprintf(stderr, "\n");
1139 case BER_TYPE_OBJECT:
1140 if (ber_get_oid(root, &o) == -1) {
1141 fprintf(stderr, "<INVALID>\n");
1144 fprintf(stderr, "\n");
1146 case BER_TYPE_OCTETSTRING:
1147 if (ber_get_nstring(root, (void *)&buf, &len) == -1) {
1148 fprintf(stderr, "<INVALID>\n");
1151 fprintf(stderr, "string \"%.*s\"\n", len, buf);
1153 case BER_TYPE_NULL: /* no payload */
1155 case BER_TYPE_SEQUENCE:
1158 fprintf(stderr, "\n");
1162 if (constructed && root->be_sub) {
1164 ldap_debug_elements(root->be_sub);
1168 ldap_debug_elements(root->be_next);
1173 * Strip UTF-8 down to ASCII without validation.
1175 * non-ASCII characters are displayed as '?'
1176 * the argument u should be a NULL terminated sequence of UTF-8 bytes.
1184 /* calculate the length to allocate */
1185 for (len = 0, i = 0; u[i] != '\0'; i++)
1186 if (!isu8cont(u[i]))
1189 if ((str = calloc(len + 1, sizeof(char))) == NULL)
1192 /* copy the ASCII characters to the newly allocated string */
1193 for (i = 0, j = 0; u[i] != '\0'; i++)
1194 if (!isu8cont(u[i]))
1195 str[j++] = isascii((unsigned char)u[i]) ? u[i] : '?';
1201 isu8cont(unsigned char c)
1203 return (c & (0x80 | 0x40)) == 0x80;
1207 * Parse a LDAP value
1209 * the argument p should be a NUL-terminated sequence of ASCII bytes.
1212 parseval(char *p, size_t len)
1218 if ((buffer = calloc(1, len + 1)) == NULL)
1221 for (i = j = 0; j < len; i++) {
1223 strlcpy(hex, p + j + 1, sizeof(hex));
1224 buffer[i] = (char)strtoumax(hex, NULL, 16);
1236 aldap_get_errno(struct aldap *a, const char **estr)
1239 case ALDAP_ERR_SUCCESS:
1242 case ALDAP_ERR_PARSER_ERROR:
1243 *estr = "parser failed";
1245 case ALDAP_ERR_INVALID_FILTER:
1246 *estr = "invalid filter";
1248 case ALDAP_ERR_OPERATION_FAILED:
1249 *estr = "operation failed";