edir_ldapext.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /*
10  * NDS LDAP helper functions
11  * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
12  * limited functionality needed to access the plain text password only
13  *
14  * Original copyright & license follows:
15  *
16  * Copyright (C) Vince Brimhall 2004-2005
17  *
18  * This program is free software; you can redistribute it and/or modify
19  * it under the terms of the GNU General Public License as published by
20  * the Free Software Foundation; either version 2 of the License, or
21  * (at your option) any later version.
22  *
23  * This program is distributed in the hope that it will be useful,
24  * but WITHOUT ANY WARRANTY; without even the implied warranty of
25  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26  * GNU General Public License for more details.
27  *
28  * You should have received a copy of the GNU General Public License
29  * along with this program; if not, write to the Free Software
30  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31  */
32 
33 #include "squid.h"
34 #include "auth/digest/eDirectory/digest_common.h"
35 #include "mem/Sensitive.h"
36 
37 #if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
38 
39 #define snprintf _snprintf
40 #include <windows.h>
41 #include <winldap.h>
42 #include <winber.h>
43 #ifndef LDAPAPI
44 #define LDAPAPI __cdecl
45 #endif
46 #ifdef LDAP_VERSION3
47 #ifndef LDAP_OPT_X_TLS
48 #define LDAP_OPT_X_TLS 0x6000
49 #endif
50 #define ber_alloc() ber_alloc_t(0)
51 #endif /* LDAP_VERSION3 */
52 
53 #else
54 
55 #include <lber.h>
56 #include <ldap.h>
57 
58 #endif
59 
60 #include "edir_ldapext.h"
61 #include <cwchar>
62 
63 #define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
64 #define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
65 #define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
66 #define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
67 #define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
68 #define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
69 
70 #define NMAS_LDAP_EXT_VERSION 1
71 
72 #define SMB_MALLOC_ARRAY(type, nelem) calloc(nelem, sizeof(type))
73 #define DEBUG(level, args)
74 
75 /**********************************************************************
76  Take the request BER value and input data items and BER encodes the
77  data into the BER value
78 **********************************************************************/
79 
80 static int berEncodePasswordData(
81  struct berval **requestBV,
82  const char *objectDN,
83  const char *password,
84  const char *password2)
85 {
86  int err = 0, rc=0;
87  BerElement *requestBer = nullptr;
88 
89  const char * utf8ObjPtr = nullptr;
90  int utf8ObjSize = 0;
91  const char * utf8PwdPtr = nullptr;
92  int utf8PwdSize = 0;
93  const char * utf8Pwd2Ptr = nullptr;
94  int utf8Pwd2Size = 0;
95 
96  /* Convert objectDN and tag strings from Unicode to UTF-8 */
97  utf8ObjSize = strlen(objectDN)+1;
98  utf8ObjPtr = objectDN;
99 
100  if (password != nullptr) {
101  utf8PwdSize = strlen(password)+1;
102  utf8PwdPtr = password;
103  }
104 
105  if (password2 != nullptr) {
106  utf8Pwd2Size = strlen(password2)+1;
107  utf8Pwd2Ptr = password2;
108  }
109 
110  /* Allocate a BerElement for the request parameters. */
111  if ((requestBer = ber_alloc()) == nullptr) {
112  err = LDAP_ENCODING_ERROR;
113  return err;
114  }
115 
116  if (password != nullptr && password2 != nullptr) {
117  /* BER encode the NMAS Version, the objectDN, and the password */
118  rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
119  } else if (password != nullptr) {
120  /* BER encode the NMAS Version, the objectDN, and the password */
121  rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
122  } else {
123  /* BER encode the NMAS Version and the objectDN */
124  rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
125  }
126 
127  if (rc < 0) {
128  err = LDAP_ENCODING_ERROR;
129  } else {
130  err = 0;
131  /* Convert the BER we just built to a berval that we'll send with the extended request. */
132  if ((ber_tag_t)ber_flatten(requestBer, requestBV) == LBER_ERROR) {
133  err = LDAP_ENCODING_ERROR;
134  }
135  }
136 
137  if (requestBer) {
138  ber_free(requestBer, 1);
139  }
140 
141  return err;
142 }
143 
144 /**********************************************************************
145  Take the request BER value and input data items and BER encodes the
146  data into the BER value
147 **********************************************************************/
148 
149 static int berEncodeLoginData(
150  struct berval **requestBV,
151  char *objectDN,
152  unsigned int methodIDLen,
153  unsigned int *methodID,
154  char *tag,
155  size_t putDataLen,
156  void *putData)
157 {
158  unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
159 
160  char *utf8ObjPtr=nullptr;
161  int utf8ObjSize = 0;
162 
163  char *utf8TagPtr = nullptr;
164  int utf8TagSize = 0;
165 
166  utf8ObjPtr = objectDN;
167  utf8ObjSize = strlen(utf8ObjPtr)+1;
168 
169  utf8TagPtr = tag;
170  utf8TagSize = strlen(utf8TagPtr)+1;
171 
172  /* Allocate a BerElement for the request parameters. */
173  BerElement *requestBer = ber_alloc();
174  if (!requestBer)
175  return LDAP_ENCODING_ERROR;
176 
177  /* BER encode the NMAS Version and the objectDN */
178  if (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) {
179  ber_free(requestBer, 1);
180  return LDAP_ENCODING_ERROR;
181  }
182 
183  /* BER encode the MethodID Length and value */
184  if (ber_printf(requestBer, "{i{", methodIDLen) < 0) {
185  ber_free(requestBer, 1);
186  return LDAP_ENCODING_ERROR;
187  }
188 
189  for (unsigned int i = 0; i < elemCnt; ++i) {
190  if (ber_printf(requestBer, "i", methodID[i]) < 0) {
191  ber_free(requestBer, 1);
192  return LDAP_ENCODING_ERROR;
193  }
194  }
195 
196  if (ber_printf(requestBer, "}}", 0) < 0) {
197  ber_free(requestBer, 1);
198  return LDAP_ENCODING_ERROR;
199  }
200 
201  if (putData) {
202  /* BER Encode the the tag and data */
203  if (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) {
204  ber_free(requestBer, 1);
205  return LDAP_ENCODING_ERROR;
206  }
207  } else {
208  /* BER Encode the the tag */
209  if (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) {
210  ber_free(requestBer, 1);
211  return LDAP_ENCODING_ERROR;
212  }
213  }
214 
215  /* Convert the BER we just built to a berval that we'll send with the extended request. */
216  if (static_cast<ber_tag_t>(ber_flatten(requestBer, requestBV)) == LBER_ERROR) {
217  ber_free(requestBer, 1);
218  return LDAP_ENCODING_ERROR;
219  }
220 
221  ber_free(requestBer, 1);
222  return 0; /* no error */
223 }
224 
225 /**********************************************************************
226  Takes the reply BER Value and decodes the NMAS server version and
227  return code and if a non null retData buffer was supplied, tries to
228  decode the the return data and length
229 **********************************************************************/
230 
231 static int berDecodeLoginData(
232  struct berval *replyBV,
233  int *serverVersion,
234  size_t *retDataLen,
235  void *retData )
236 {
237  int err = 0;
238  BerElement *replyBer = nullptr;
239  char *retOctStr = nullptr;
240  size_t retOctStrLen = 0;
241 
242  if ((replyBer = ber_init(replyBV)) == nullptr) {
243  err = LDAP_OPERATIONS_ERROR;
244  } else if (retData) {
245  retOctStrLen = *retDataLen + 1;
246  retOctStr = (char*)SMB_MALLOC_ARRAY(char, retOctStrLen);
247  if (!retOctStr) {
248  err = LDAP_OPERATIONS_ERROR;
249  } else if (ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != LBER_ERROR) {
250  if (*retDataLen >= retOctStrLen) {
251  memcpy(retData, retOctStr, retOctStrLen);
252  } else if (!err) {
253  err = LDAP_NO_MEMORY;
254  }
255 
256  *retDataLen = retOctStrLen;
257  } else if (!err) {
258  err = LDAP_DECODING_ERROR;
259  }
260  } else {
261  if (ber_scanf(replyBer, "{ii}", serverVersion, &err) == LBER_ERROR) {
262  if (!err) {
263  err = LDAP_DECODING_ERROR;
264  }
265  }
266  }
267 
268  if (replyBer) {
269  ber_free(replyBer, 1);
270  }
271 
272  if (retOctStr != nullptr) {
273  memset(retOctStr, 0, retOctStrLen);
274  free(retOctStr);
275  }
276 
277  return err;
278 }
279 
280 /**********************************************************************
281  Retrieves data in the login configuration of the specified object
282  that is tagged with the specified methodID and tag.
283 **********************************************************************/
284 
285 static int getLoginConfig(
286  LDAP *ld,
287  char *objectDN,
288  unsigned int methodIDLen,
289  unsigned int *methodID,
290  char *tag,
291  size_t *dataLen,
292  void *data )
293 {
294  int err = 0;
295  struct berval *requestBV = nullptr;
296  char *replyOID = nullptr;
297  struct berval *replyBV = nullptr;
298  int serverVersion = 0;
299 
300  /* Validate unicode parameters. */
301  if ((strlen(objectDN) == 0) || ld == nullptr) {
302  return LDAP_NO_SUCH_ATTRIBUTE;
303  }
304 
305  err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, nullptr);
306  if (err) {
307  ;
308  } else if (!err && (err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
309  requestBV, nullptr, nullptr, &replyOID, &replyBV))) {
310  /* Call the ldap_extended_operation (synchronously) */
311  ;
312  } else if (!replyOID) {
313  /* Make sure there is a return OID */
314  err = LDAP_NOT_SUPPORTED;
315  } else if (strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) {
316  /* Is this what we were expecting to get back. */
317  err = LDAP_NOT_SUPPORTED;
318  } else if (!replyBV) {
319  /* Do we have a good returned berval? */
320 
321  /* No; returned berval means we experienced a rather drastic error. */
322  /* Return operations error. */
323  err = LDAP_OPERATIONS_ERROR;
324  } else {
325 
326  err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
327 
328  if (serverVersion != NMAS_LDAP_EXT_VERSION) {
329  err = LDAP_OPERATIONS_ERROR;
330  }
331  }
332 
333  if (replyBV) {
334  ber_bvfree(replyBV);
335  }
336 
337  /* Free the return OID string if one was returned. */
338  if (replyOID) {
339  ldap_memfree(replyOID);
340  }
341 
342  /* Free memory allocated while building the request ber and berval. */
343  if (requestBV) {
344  ber_bvfree(requestBV);
345  }
346 
347  /* Return the appropriate error/success code. */
348  return err;
349 }
350 
351 /**********************************************************************
352  Attempts to get the Simple Password
353 **********************************************************************/
354 
355 static int nmasldap_get_simple_pwd(
356  LDAP *ld,
357  char *objectDN,
358  size_t pwdLen,
359  char *pwd )
360 {
361  int err = 0;
362  unsigned int methodID = 0;
363  unsigned int methodIDLen = sizeof(methodID);
364  char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
365  char *pwdBuf=nullptr;
366  size_t pwdBufLen, bufferLen;
367 
368  bufferLen = pwdBufLen = pwdLen+2;
369  pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
370  if (pwdBuf == nullptr) {
371  return LDAP_NO_MEMORY;
372  }
373 
374  err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
375  if (err == 0) {
376  if (pwdBufLen > 1) {
377  switch (pwdBuf[0]) {
378  case 1: /* cleartext password */
379  break;
380  case 2: /* SHA1 HASH */
381  case 3: /* MD5_ID */
382  case 4: /* UNIXCrypt_ID */
383  case 8: /* SSHA_ID */
384  default: /* Unknown digest */
385  err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
386  break;
387  }
388  if (!err) {
389  if (pwdLen >= pwdBufLen) {
390  memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
391  pwd[pwdBufLen - 1] = '\0';
392  } else {
393  err = LDAP_NO_MEMORY;
394  }
395  }
396  }
397  }
398 
399  if (pwdBuf != nullptr) {
400  Mem::ZeroSensitiveMemory(pwdBuf, bufferLen);
401  free(pwdBuf);
402  }
403 
404  return err;
405 }
406 
407 /**********************************************************************
408  Attempts to get the Universal Password
409 **********************************************************************/
410 
411 static int nmasldap_get_password(
412  LDAP *ld,
413  char *objectDN,
414  size_t *pwdSize, /* in bytes */
415  unsigned char *pwd )
416 {
417  int err = 0;
418 
419  struct berval *requestBV = nullptr;
420  char *replyOID = nullptr;
421  struct berval *replyBV = nullptr;
422  int serverVersion;
423  char *pwdBuf;
424  size_t pwdBufLen, bufferLen;
425 
426  /* Validate char parameters. */
427  if (objectDN == nullptr || (strlen(objectDN) == 0) || pwdSize == nullptr || ld == nullptr) {
428  return LDAP_NO_SUCH_ATTRIBUTE;
429  }
430 
431  bufferLen = pwdBufLen = *pwdSize;
432  pwdBuf = (char*)SMB_MALLOC_ARRAY(char, pwdBufLen+2);
433  if (pwdBuf == nullptr) {
434  return LDAP_NO_MEMORY;
435  }
436 
437  err = berEncodePasswordData(&requestBV, objectDN, nullptr, nullptr);
438  if (err) {
439  ;
440  } else if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, nullptr, nullptr, &replyOID, &replyBV))) {
441  ; /* Call the ldap_extended_operation (synchronously) */
442  } else if (!replyOID) {
443  /* Make sure there is a return OID */
444  err = LDAP_NOT_SUPPORTED;
445  } else if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
446  /* Is this what we were expecting to get back. */
447  err = LDAP_NOT_SUPPORTED;
448  } else if (!replyBV) {
449  /* Do we have a good returned berval? */
450  /* No; returned berval means we experienced a rather drastic error. */
451  /* Return operations error. */
452  err = LDAP_OPERATIONS_ERROR;
453  } else {
454  err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
455 
456  if (serverVersion != NMAS_LDAP_EXT_VERSION) {
457  err = LDAP_OPERATIONS_ERROR;
458 
459  } else if (!err && pwdBufLen != 0) {
460  if (*pwdSize >= pwdBufLen+1 && pwd != nullptr) {
461  memcpy(pwd, pwdBuf, pwdBufLen);
462  pwd[pwdBufLen] = 0; /* add null termination */
463  } else {
464  err = LDAP_OPERATIONS_ERROR;
465  }
466  *pwdSize = pwdBufLen; /* does not include null termination */
467  }
468  }
469 
470  if (replyBV) {
471  ber_bvfree(replyBV);
472  }
473 
474  /* Free the return OID string if one was returned. */
475  if (replyOID) {
476  ldap_memfree(replyOID);
477  }
478 
479  /* Free memory allocated while building the request ber and berval. */
480  if (requestBV) {
481  ber_bvfree(requestBV);
482  }
483 
484  if (pwdBuf != nullptr) {
485  Mem::ZeroSensitiveMemory(pwdBuf, bufferLen);
486  free(pwdBuf);
487  }
488 
489  /* Return the appropriate error/success code. */
490  return err;
491 }
492 
493 /**********************************************************************
494  Get the user's password from NDS.
495  *********************************************************************/
496 
497 int nds_get_password(
498  LDAP *ld,
499  char *object_dn,
500  size_t *pwd_len,
501  char *pwd )
502 {
503  int rc = -1;
504 
505  rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
506  if (rc == LDAP_SUCCESS) {
507  DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
508  } else {
509  DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
510  }
511 
512  if (rc != LDAP_SUCCESS) {
513  rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
514  if (rc == LDAP_SUCCESS) {
515  DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
516  } else {
517  /* We couldn't get the password */
518  DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
519  return LDAP_INVALID_CREDENTIALS;
520  }
521  }
522 
523  /* We got the password */
524  return LDAP_SUCCESS;
525 }
526 
NMASLDAP_GET_PASSWORD_RESPONSE
#define NMASLDAP_GET_PASSWORD_RESPONSE
Definition: edir_ldapext.cc:68
NMASLDAP_GET_LOGIN_CONFIG_REQUEST
#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST
Definition: edir_ldapext.cc:63
NMASLDAP_GET_LOGIN_CONFIG_RESPONSE
#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE
Definition: edir_ldapext.cc:64
Mem::ZeroSensitiveMemory
void ZeroSensitiveMemory(void *dst, const size_t len)
Definition: Sensitive.h:19
berEncodePasswordData
static int berEncodePasswordData(struct berval **requestBV, const char *objectDN, const char *password, const char *password2)
Definition: edir_ldapext.cc:80
nmasldap_get_password
static int nmasldap_get_password(LDAP *ld, char *objectDN, size_t *pwdSize, unsigned char *pwd)
Definition: edir_ldapext.cc:411
DEBUG
#define DEBUG(level, args)
Definition: edir_ldapext.cc:73
NMASLDAP_GET_PASSWORD_REQUEST
#define NMASLDAP_GET_PASSWORD_REQUEST
Definition: edir_ldapext.cc:67
nmasldap_get_simple_pwd
static int nmasldap_get_simple_pwd(LDAP *ld, char *objectDN, size_t pwdLen, char *pwd)
Definition: edir_ldapext.cc:355
NMAS_LDAP_EXT_VERSION
#define NMAS_LDAP_EXT_VERSION
Definition: edir_ldapext.cc:70
nds_get_password
int nds_get_password(LDAP *ld, char *object_dn, size_t *pwd_len, char *pwd)
Definition: edir_ldapext.cc:497
digest_common.h
berDecodeLoginData
static int berDecodeLoginData(struct berval *replyBV, int *serverVersion, size_t *retDataLen, void *retData)
Definition: edir_ldapext.cc:231
berEncodeLoginData
static int berEncodeLoginData(struct berval **requestBV, char *objectDN, unsigned int methodIDLen, unsigned int *methodID, char *tag, size_t putDataLen, void *putData)
Definition: edir_ldapext.cc:149
SMB_MALLOC_ARRAY
#define SMB_MALLOC_ARRAY(type, nelem)
Definition: edir_ldapext.cc:72
ld
static LDAP * ld
Definition: ldap_backend.cc:57
edir_ldapext.h
getLoginConfig
static int getLoginConfig(LDAP *ld, char *objectDN, unsigned int methodIDLen, unsigned int *methodID, char *tag, size_t *dataLen, void *data)
Definition: edir_ldapext.cc:285
int
int unsigned int
Definition: stub_fd.cc:19

 

Introduction

Documentation

Support

Miscellaneous