req->creds.password, &session_info);
}
- /* When we add authentication here, we also need to handle telling the backends */
-
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (!reply) {
return NT_STATUS_NO_MEMORY;
resp->response.errormessage = errstr;
resp->response.dn = NULL;
resp->response.referral = NULL;
-
- /* This looks wrong... */
- resp->SASL.secblob = data_blob(NULL, 0);
+ resp->SASL.secblob = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}
if (NT_STATUS_IS_OK(status)) {
+ DATA_BLOB input = data_blob(NULL, 0);
+ DATA_BLOB output = data_blob(NULL, 0);
+
+ if (req->creds.SASL.secblob) {
+ input = *req->creds.SASL.secblob;
+ }
+
+ resp->SASL.secblob = talloc(reply, DATA_BLOB);
+ NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
+
status = gensec_update(conn->gensec, reply,
- req->creds.SASL.secblob, &resp->SASL.secblob);
+ input, &output);
+
+ /* TODO: gensec should really handle the difference between NULL and length=0 better! */
+ if (output.data) {
+ resp->SASL.secblob = talloc(reply, DATA_BLOB);
+ NT_STATUS_HAVE_NO_MEMORY(resp->SASL.secblob);
+ *resp->SASL.secblob = output;
+ } else {
+ resp->SASL.secblob = NULL;
+ }
} else {
- resp->SASL.secblob = data_blob(NULL, 0);
+ resp->SASL.secblob = NULL;
}
if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
resp->response.dn = NULL;
resp->response.errormessage = talloc_asprintf(reply, "Bad AuthenticationChoice [%d]", req->mechanism);
resp->response.referral = NULL;
- resp->SASL.secblob = data_blob(NULL, 0);
+ resp->SASL.secblob = NULL;
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
asn1_push_tag(&data, ASN1_CONTEXT(3));
asn1_write_OctetString(&data, r->creds.SASL.mechanism,
strlen(r->creds.SASL.mechanism));
- /* The value of data indicates if this
- * optional element exists at all. In SASL
- * there is a difference between NULL and
- * zero-legnth, but our APIs don't express it
- * well */
- if (r->creds.SASL.secblob.data) {
- asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
- r->creds.SASL.secblob.length);
+ if (r->creds.SASL.secblob) {
+ asn1_write_OctetString(&data, r->creds.SASL.secblob->data,
+ r->creds.SASL.secblob->length);
}
asn1_pop_tag(&data);
break;
struct ldap_BindResponse *r = &msg->r.BindResponse;
asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
ldap_encode_response(&data, &r->response);
- /* The value of data indicates if this
- * optional element exists at all. In SASL
- * there is a difference between NULL and
- * zero-legnth, but our APIs don't express it
- * well */
- if (r->SASL.secblob.data) {
- asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+ if (r->SASL.secblob) {
+ asn1_write_ContextSimple(&data, 7, r->SASL.secblob);
}
asn1_pop_tag(&data);
break;
asn1_write_OctetString(&data, r->dn, strlen(r->dn));
asn1_write_OctetString(&data, r->newrdn, strlen(r->newrdn));
asn1_write_BOOLEAN(&data, r->deleteolddn);
- if (r->newsuperior != NULL) {
+ if (r->newsuperior) {
asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(0));
asn1_write(&data, r->newsuperior,
strlen(r->newsuperior));
asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(0));
asn1_write(&data, r->oid, strlen(r->oid));
asn1_pop_tag(&data);
- asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(1));
- asn1_write(&data, r->value.data, r->value.length);
- asn1_pop_tag(&data);
+ if (r->value) {
+ asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(1));
+ asn1_write(&data, r->value->data, r->value->length);
+ asn1_pop_tag(&data);
+ }
asn1_pop_tag(&data);
break;
}
struct ldap_ExtendedResponse *r = &msg->r.ExtendedResponse;
asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
ldap_encode_response(&data, &r->response);
+ if (r->oid) {
+ asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(10));
+ asn1_write(&data, r->oid, strlen(r->oid));
+ asn1_pop_tag(&data);
+ }
+ if (r->value) {
+ asn1_push_tag(&data, ASN1_CONTEXT_SIMPLE(11));
+ asn1_write(&data, r->value->data, r->value->length);
+ asn1_pop_tag(&data);
+ }
asn1_pop_tag(&data);
break;
}
r->mechanism = LDAP_AUTH_MECH_SASL;
asn1_read_OctetString_talloc(msg, data, &r->creds.SASL.mechanism);
if (asn1_peek_tag(data, ASN1_OCTET_STRING)) { /* optional */
- asn1_read_OctetString(data, &r->creds.SASL.secblob);
- if (r->creds.SASL.secblob.data) {
- talloc_steal(msg, r->creds.SASL.secblob.data);
+ DATA_BLOB tmp_blob = data_blob(NULL, 0);
+ asn1_read_OctetString(data, &tmp_blob);
+ r->creds.SASL.secblob = talloc(msg, DATA_BLOB);
+ if (!r->creds.SASL.secblob) {
+ return False;
}
+ *r->creds.SASL.secblob = data_blob_talloc(r->creds.SASL.secblob,
+ tmp_blob.data, tmp_blob.length);
+ data_blob_free(&tmp_blob);
} else {
- r->creds.SASL.secblob = data_blob(NULL, 0);
+ r->creds.SASL.secblob = NULL;
}
asn1_end_tag(data);
}
if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(7))) {
DATA_BLOB tmp_blob = data_blob(NULL, 0);
asn1_read_ContextSimple(data, 7, &tmp_blob);
- r->SASL.secblob = data_blob_talloc(msg, tmp_blob.data, tmp_blob.length);
+ r->SASL.secblob = talloc(msg, DATA_BLOB);
+ if (!r->SASL.secblob) {
+ return False;
+ }
+ *r->SASL.secblob = data_blob_talloc(r->SASL.secblob,
+ tmp_blob.data, tmp_blob.length);
data_blob_free(&tmp_blob);
} else {
- r->SASL.secblob = data_blob(NULL, 0);
+ r->SASL.secblob = NULL;
}
asn1_end_tag(data);
break;
if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(1))) {
asn1_read_ContextSimple(data, 1, &tmp_blob);
- r->value = data_blob_talloc(msg, tmp_blob.data, tmp_blob.length);
+ r->value = talloc(msg, DATA_BLOB);
+ if (!r->value) {
+ return False;
+ }
+ *r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
data_blob_free(&tmp_blob);
} else {
- r->value = data_blob(NULL, 0);
+ r->value = NULL;
}
asn1_end_tag(data);
case ASN1_APPLICATION(LDAP_TAG_ExtendedResponse): {
struct ldap_ExtendedResponse *r = &msg->r.ExtendedResponse;
+ DATA_BLOB tmp_blob = data_blob(NULL, 0);
+
msg->type = LDAP_TAG_ExtendedResponse;
asn1_start_tag(data, tag);
ldap_decode_response(msg, data, &r->response);
- /* I have to come across an operation that actually sends
- * something back to really see what's going on. The currently
- * needed pwdchange does not send anything back. */
- r->name = NULL;
- r->value.data = NULL;
- r->value.length = 0;
+
+ if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(10))) {
+ asn1_read_ContextSimple(data, 1, &tmp_blob);
+ r->oid = blob2string_talloc(msg, tmp_blob);
+ data_blob_free(&tmp_blob);
+ if (!r->oid) {
+ return False;
+ }
+ } else {
+ r->oid = NULL;
+ }
+
+ if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(11))) {
+ asn1_read_ContextSimple(data, 1, &tmp_blob);
+ r->value = talloc(msg, DATA_BLOB);
+ if (!r->value) {
+ return False;
+ }
+ *r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
+ data_blob_free(&tmp_blob);
+ } else {
+ r->value = NULL;
+ }
+
asn1_end_tag(data);
break;
}
}
lac->src_attr_len = source_attribute.length;
if (lac->src_attr_len) {
- lac->source_attribute = talloc_strndup(lac, (char *)source_attribute.data, source_attribute.length);
+ lac->source_attribute = talloc_strndup(lac, (const char *)source_attribute.data, source_attribute.length);
if (!(lac->source_attribute)) {
return False;
return False;
}
ctrl->oid = talloc_strndup(mem_ctx, (char *)oid.data, oid.length);
- if (!(ctrl->oid)) {
+ if (!ctrl->oid) {
return False;
}
ctrl->value = NULL;
+ if (!asn1_peek_tag(data, ASN1_OCTET_STRING)) {
+ goto end_tag;
+ }
+
+ if (!asn1_read_OctetString(data, &value)) {
+ return False;
+ }
+
for (i = 0; ldap_known_controls[i].oid != NULL; i++) {
if (strcmp(ldap_known_controls[i].oid, ctrl->oid) == 0) {
-
- if (!asn1_read_OctetString(data, &value)) {
- return False;
- }
- if (!ldap_known_controls[i].decode(mem_ctx, value, &(ctrl->value))) {
+ if (!ldap_known_controls[i].decode(mem_ctx, value, &ctrl->value)) {
return False;
}
break;
return False;
}
+end_tag:
if (!asn1_end_tag(data)) {
return False;
}
if (!asn1_push_tag(data, ASN1_SEQUENCE(0))) {
return False;
}
-
+
if (!asn1_write_OctetString(data, ctrl->oid, strlen(ctrl->oid))) {
return False;
}
-
+
if (ctrl->critical) {
if (!asn1_write_BOOLEAN(data, ctrl->critical)) {
return False;
}
}
+ if (!ctrl->value) {
+ goto pop_tag;
+ }
+
for (i = 0; ldap_known_controls[i].oid != NULL; i++) {
if (strcmp(ldap_known_controls[i].oid, ctrl->oid) == 0) {
if (!ldap_known_controls[i].encode(mem_ctx, ctrl->value, &value)) {
return False;
}
- if (value.length != 0) {
- if (!asn1_write_OctetString(data, value.data, value.length)) {
- return False;
- }
+ if (!asn1_write_OctetString(data, value.data, value.length)) {
+ return False;
}
+pop_tag:
if (!asn1_pop_tag(data)) {
return False;
}
git.samba.org / abartlet / samba.git / .git / commitdiff