1 /*        $NetBSD: extended.c,v 1.3 2021/08/14 16:14:58 christos Exp $          */
2 
3 /* $OpenLDAP$ */
4 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5  *
6  * Copyright 1999-2021 The OpenLDAP Foundation.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted only as authorized by the OpenLDAP
11  * Public License.
12  *
13  * A copy of this license is available in the file LICENSE in the
14  * top-level directory of the distribution or, alternatively, at
15  * <http://www.OpenLDAP.org/license.html>.
16  */
17 
18 /*
19  * LDAPv3 Extended Operation Request
20  *        ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
21  *                  requestName          [0] LDAPOID,
22  *                  requestValue         [1] OCTET STRING OPTIONAL
23  *        }
24  *
25  * LDAPv3 Extended Operation Response
26  *        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
27  *                  COMPONENTS OF LDAPResult,
28  *                  responseName         [10] LDAPOID OPTIONAL,
29  *                  response   [11] OCTET STRING OPTIONAL
30  *        }
31  *
32  */
33 
34 #include <sys/cdefs.h>
35 __RCSID("$NetBSD: extended.c,v 1.3 2021/08/14 16:14:58 christos Exp $");
36 
37 #include "portable.h"
38 
39 #include <stdio.h>
40 
41 #include <ac/socket.h>
42 #include <ac/string.h>
43 
44 #include "slap.h"
45 #include "lber_pvt.h"
46 
47 static struct extop_list {
48           struct extop_list *next;
49           struct berval oid;
50           slap_mask_t flags;
51           SLAP_EXTOP_MAIN_FN *ext_main;
52 } *supp_ext_list = NULL;
53 
54 static SLAP_EXTOP_MAIN_FN whoami_extop;
55 
56 /* This list of built-in extops is for extops that are not part
57  * of backends or in external modules.  Essentially, this is
58  * just a way to get built-in extops onto the extop list without
59  * having a separate init routine for each built-in extop.
60  */
61 static struct {
62           const struct berval *oid;
63           slap_mask_t flags;
64           SLAP_EXTOP_MAIN_FN *ext_main;
65 } builtin_extops[] = {
66           { &slap_EXOP_TXN_START, 0, txn_start_extop },
67           { &slap_EXOP_TXN_END, 0, txn_end_extop },
68           { &slap_EXOP_CANCEL, 0, cancel_extop },
69           { &slap_EXOP_WHOAMI, 0, whoami_extop },
70           { &slap_EXOP_MODIFY_PASSWD, SLAP_EXOP_WRITES, passwd_extop },
71           { NULL, 0, NULL }
72 };
73 
74 
75 static struct extop_list *find_extop(
76           struct extop_list *list, struct berval *oid );
77 
78 struct berval *
get_supported_extop(int index)79 get_supported_extop (int index)
80 {
81           struct extop_list *ext;
82 
83           /* linear scan is slow, but this way doesn't force a
84            * big change on root_dse.c, where this routine is used.
85            */
86           for (ext = supp_ext_list; ext != NULL && --index >= 0; ext = ext->next) {
87                     ; /* empty */
88           }
89 
90           if (ext == NULL) return NULL;
91 
92           return &ext->oid;
93 }
94 
95 
exop_root_dse_info(Entry * e)96 int exop_root_dse_info( Entry *e )
97 {
98           AttributeDescription *ad_supportedExtension
99                     = slap_schema.si_ad_supportedExtension;
100           struct berval vals[2];
101           struct extop_list *ext;
102 
103           vals[1].bv_val = NULL;
104           vals[1].bv_len = 0;
105 
106           for (ext = supp_ext_list; ext != NULL; ext = ext->next) {
107                     if( ext->flags & SLAP_EXOP_HIDE ) continue;
108 
109                     vals[0] = ext->oid;
110 
111                     if( attr_merge( e, ad_supportedExtension, vals, NULL ) ) {
112                               return LDAP_OTHER;
113                     }
114           }
115 
116           return LDAP_SUCCESS;
117 }
118 
119 int
do_extended(Operation * op,SlapReply * rs)120 do_extended(
121     Operation       *op,
122     SlapReply       *rs
123 )
124 {
125           struct berval reqdata = {0, NULL};
126           ber_len_t len;
127 
128           Debug( LDAP_DEBUG_TRACE, "%s do_extended\n",
129                     op->o_log_prefix );
130 
131           if( op->o_protocol < LDAP_VERSION3 ) {
132                     Debug( LDAP_DEBUG_ANY, "%s do_extended: protocol version (%d) too low\n",
133                               op->o_log_prefix, op->o_protocol );
134                     send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "requires LDAPv3" );
135                     rs->sr_err = SLAPD_DISCONNECT;
136                     goto done;
137           }
138 
139           if ( ber_scanf( op->o_ber, "{m" /*}*/, &op->ore_reqoid ) == LBER_ERROR ) {
140                     Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
141                               op->o_log_prefix );
142                     send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
143                     rs->sr_err = SLAPD_DISCONNECT;
144                     goto done;
145           }
146 
147           if( ber_peek_tag( op->o_ber, &len ) == LDAP_TAG_EXOP_REQ_VALUE ) {
148                     if( ber_scanf( op->o_ber, "m", &reqdata ) == LBER_ERROR ) {
149                               Debug( LDAP_DEBUG_ANY, "%s do_extended: ber_scanf failed\n",
150                                         op->o_log_prefix );
151                               send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
152                               rs->sr_err = SLAPD_DISCONNECT;
153                               goto done;
154                     }
155           }
156 
157           if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
158                     Debug( LDAP_DEBUG_ANY, "%s do_extended: get_ctrls failed\n",
159                               op->o_log_prefix );
160                     return rs->sr_err;
161           }
162 
163           Debug( LDAP_DEBUG_STATS, "%s EXT oid=%s\n",
164               op->o_log_prefix, op->ore_reqoid.bv_val );
165 
166           /* check for controls inappropriate for all extended operations */
167           if( get_manageDSAit( op ) == SLAP_CONTROL_CRITICAL ) {
168                     send_ldap_error( op, rs,
169                               LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
170                               "manageDSAit control inappropriate" );
171                     goto done;
172           }
173 
174           /* FIXME: temporary? */
175           if ( reqdata.bv_val ) {
176                     op->ore_reqdata = &reqdata;
177           }
178 
179           op->o_bd = frontendDB;
180           rs->sr_err = frontendDB->be_extended( op, rs );
181 
182           if ( rs->sr_err == SLAPD_ASYNCOP ||
183                     rs->sr_err == LDAP_TXN_SPECIFY_OKAY ) {
184                     /* skip cleanup */
185                     return rs->sr_err;
186           }
187 
188           /* clean up in case some overlay set them? */
189           if ( !BER_BVISNULL( &op->o_req_ndn ) ) {
190                     if ( !BER_BVISNULL( &op->o_req_dn )
191                               && op->o_req_ndn.bv_val != op->o_req_dn.bv_val )
192                     {
193                               op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
194                     }
195                     op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
196                     BER_BVZERO( &op->o_req_dn );
197                     BER_BVZERO( &op->o_req_ndn );
198           }
199 
200 done:
201           return rs->sr_err;
202 }
203 
204 int
fe_extended(Operation * op,SlapReply * rs)205 fe_extended( Operation *op, SlapReply *rs )
206 {
207           struct extop_list   *ext = NULL;
208           struct berval                 reqdata = BER_BVNULL;
209 
210           if (op->ore_reqdata) {
211                     reqdata = *op->ore_reqdata;
212           }
213 
214           ext = find_extop(supp_ext_list, &op->ore_reqoid );
215           if ( ext == NULL ) {
216                     Debug( LDAP_DEBUG_ANY, "%s do_extended: unsupported operation \"%s\"\n",
217                               op->o_log_prefix, op->ore_reqoid.bv_val );
218                     send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR,
219                               "unsupported extended operation" );
220                     goto done;
221           }
222 
223           op->ore_flags = ext->flags;
224 
225           Debug( LDAP_DEBUG_ARGS, "do_extended: oid=%s\n",
226                     op->ore_reqoid.bv_val );
227 
228           { /* start of OpenLDAP extended operation */
229                     BackendDB *bd = op->o_bd;
230 
231                     rs->sr_err = (ext->ext_main)( op, rs );
232 
233                     if( rs->sr_err != SLAPD_ABANDON ) {
234                               if ( rs->sr_err == LDAP_REFERRAL && rs->sr_ref == NULL ) {
235                                         rs->sr_ref = referral_rewrite( default_referral,
236                                                   NULL, NULL, LDAP_SCOPE_DEFAULT );
237                                         if ( !rs->sr_ref ) rs->sr_ref = default_referral;
238                                         if ( !rs->sr_ref ) {
239                                                   rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
240                                                   rs->sr_text = "referral missing";
241                                         }
242                               }
243 
244                               if ( op->o_bd == NULL )
245                                         op->o_bd = bd;
246                               send_ldap_extended( op, rs );
247 
248                               if ( rs->sr_ref != default_referral ) {
249                                         ber_bvarray_free( rs->sr_ref );
250                                         rs->sr_ref = NULL;
251                               }
252                     }
253 
254                     if ( rs->sr_rspoid != NULL ) {
255                               free( (char *)rs->sr_rspoid );
256                               rs->sr_rspoid = NULL;
257                     }
258 
259                     if ( rs->sr_rspdata != NULL ) {
260                               ber_bvfree( rs->sr_rspdata );
261                               rs->sr_rspdata = NULL;
262                     }
263           } /* end of OpenLDAP extended operation */
264 
265 done:;
266           return rs->sr_err;
267 }
268 
269 int
load_extop2(const struct berval * ext_oid,slap_mask_t ext_flags,SLAP_EXTOP_MAIN_FN * ext_main,unsigned flags)270 load_extop2(
271           const struct berval *ext_oid,
272           slap_mask_t ext_flags,
273           SLAP_EXTOP_MAIN_FN *ext_main,
274           unsigned flags )
275 {
276           struct berval                 oidm = BER_BVNULL;
277           struct extop_list   *ext;
278           int                           insertme = 0;
279 
280           if ( !ext_main ) {
281                     return -1;
282           }
283 
284           if ( ext_oid == NULL || BER_BVISNULL( ext_oid ) ||
285                     BER_BVISEMPTY( ext_oid ) )
286           {
287                     return -1;
288           }
289 
290           if ( numericoidValidate( NULL, (struct berval *)ext_oid ) !=
291                     LDAP_SUCCESS )
292           {
293                     oidm.bv_val = oidm_find( ext_oid->bv_val );
294                     if ( oidm.bv_val == NULL ) {
295                               return -1;
296                     }
297                     oidm.bv_len = strlen( oidm.bv_val );
298                     ext_oid = &oidm;
299           }
300 
301           for ( ext = supp_ext_list; ext; ext = ext->next ) {
302                     if ( bvmatch( ext_oid, &ext->oid ) ) {
303                               if ( flags == 1 ) {
304                                         break;
305                               }
306                               return -1;
307                     }
308           }
309 
310           if ( flags == 0 || ext == NULL ) {
311                     ext = ch_calloc( 1, sizeof(struct extop_list) + ext_oid->bv_len + 1 );
312                     if ( ext == NULL ) {
313                               return(-1);
314                     }
315 
316                     ext->oid.bv_val = (char *)(ext + 1);
317                     AC_MEMCPY( ext->oid.bv_val, ext_oid->bv_val, ext_oid->bv_len );
318                     ext->oid.bv_len = ext_oid->bv_len;
319                     ext->oid.bv_val[ext->oid.bv_len] = '\0';
320 
321                     insertme = 1;
322           }
323 
324           ext->flags = ext_flags;
325           ext->ext_main = ext_main;
326 
327           if ( insertme ) {
328                     ext->next = supp_ext_list;
329                     supp_ext_list = ext;
330           }
331 
332           return(0);
333 }
334 
335 int
unload_extop(const struct berval * ext_oid,SLAP_EXTOP_MAIN_FN * ext_main,unsigned flags)336 unload_extop(
337           const struct berval *ext_oid,
338           SLAP_EXTOP_MAIN_FN *ext_main,
339           unsigned flags )
340 {
341           struct berval                 oidm = BER_BVNULL;
342           struct extop_list   *ext, **extp;
343 
344           /* oid must be given */
345           if ( ext_oid == NULL || BER_BVISNULL( ext_oid ) ||
346                     BER_BVISEMPTY( ext_oid ) )
347           {
348                     return -1;
349           }
350 
351           /* if it's not an oid, check if it's a macto */
352           if ( numericoidValidate( NULL, (struct berval *)ext_oid ) !=
353                     LDAP_SUCCESS )
354           {
355                     oidm.bv_val = oidm_find( ext_oid->bv_val );
356                     if ( oidm.bv_val == NULL ) {
357                               return -1;
358                     }
359                     oidm.bv_len = strlen( oidm.bv_val );
360                     ext_oid = &oidm;
361           }
362 
363           /* lookup the oid */
364           for ( extp = &supp_ext_list; *extp; extp = &(*extp)->next ) {
365                     if ( bvmatch( ext_oid, &(*extp)->oid ) ) {
366                               /* if ext_main is given, only remove if it matches */
367                               if ( ext_main != NULL && (*extp)->ext_main != ext_main ) {
368                                         return -1;
369                               }
370                               break;
371                     }
372           }
373 
374           if ( *extp == NULL ) {
375                     return -1;
376           }
377 
378           ext = *extp;
379           *extp = (*extp)->next;
380 
381           ch_free( ext );
382 
383           return 0;
384 }
385 
386 int
extops_init(void)387 extops_init (void)
388 {
389           int i;
390 
391           for ( i = 0; builtin_extops[i].oid != NULL; i++ ) {
392                     load_extop( (struct berval *)builtin_extops[i].oid,
393                               builtin_extops[i].flags,
394                               builtin_extops[i].ext_main );
395           }
396 
397           return(0);
398 }
399 
400 int
extops_kill(void)401 extops_kill (void)
402 {
403           struct extop_list *ext;
404 
405           /* we allocated the memory, so we have to free it, too. */
406           while ((ext = supp_ext_list) != NULL) {
407                     supp_ext_list = ext->next;
408                     ch_free(ext);
409           }
410           return(0);
411 }
412 
413 static struct extop_list *
find_extop(struct extop_list * list,struct berval * oid)414 find_extop( struct extop_list *list, struct berval *oid )
415 {
416           struct extop_list *ext;
417 
418           for (ext = list; ext; ext = ext->next) {
419                     if (bvmatch(&ext->oid, oid))
420                               return(ext);
421           }
422           return(NULL);
423 }
424 
425 
426 const struct berval slap_EXOP_WHOAMI = BER_BVC(LDAP_EXOP_WHO_AM_I);
427 
428 static int
whoami_extop(Operation * op,SlapReply * rs)429 whoami_extop (
430           Operation *op,
431           SlapReply *rs )
432 {
433           struct berval *bv;
434 
435           if ( op->ore_reqdata != NULL ) {
436                     /* no request data should be provided */
437                     rs->sr_text = "no request data expected";
438                     return LDAP_PROTOCOL_ERROR;
439           }
440 
441           Debug( LDAP_DEBUG_STATS, "%s WHOAMI\n",
442               op->o_log_prefix );
443 
444           op->o_bd = op->o_conn->c_authz_backend;
445           if( backend_check_restrictions( op, rs,
446                     (struct berval *)&slap_EXOP_WHOAMI ) != LDAP_SUCCESS )
447           {
448                     return rs->sr_err;
449           }
450 
451           bv = (struct berval *) ch_malloc( sizeof(struct berval) );
452           if( op->o_dn.bv_len ) {
453                     bv->bv_len = op->o_dn.bv_len + STRLENOF( "dn:" );
454                     bv->bv_val = ch_malloc( bv->bv_len + 1 );
455                     AC_MEMCPY( bv->bv_val, "dn:", STRLENOF( "dn:" ) );
456                     AC_MEMCPY( &bv->bv_val[STRLENOF( "dn:" )], op->o_dn.bv_val,
457                               op->o_dn.bv_len );
458                     bv->bv_val[bv->bv_len] = '\0';
459 
460           } else {
461                     bv->bv_len = 0;
462                     bv->bv_val = NULL;
463           }
464 
465           rs->sr_rspdata = bv;
466           return LDAP_SUCCESS;
467 }
468