source4/libcli/ldap/ldap.c

   1 /*
   2    Unix SMB/CIFS mplementation.
   3    LDAP protocol helper functions for SAMBA
   4
   5    Copyright (C) Andrew Tridgell  2004
   6    Copyright (C) Volker Lendecke 2004
   7    Copyright (C) Stefan Metzmacher 2004
   8    Copyright (C) Simo Sorce 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23
  24 */
  25
  26 #include "includes.h"
  27 #include "libcli/util/asn_1.h"
  28 #include "libcli/ldap/ldap.h"
  29
  30
  31 static BOOL ldap_push_filter(struct asn1_data *data, struct ldb_parse_tree *tree)
  32 {
  33         int i;
  34
  35         switch (tree->operation) {
  36         case LDB_OP_AND:
  37         case LDB_OP_OR:
  38                 asn1_push_tag(data, ASN1_CONTEXT(tree->operation==LDB_OP_AND?0:1));
  39                 for (i=0; i<tree->u.list.num_elements; i++) {
  40                         if (!ldap_push_filter(data, tree->u.list.elements[i])) {
  41                                 return False;
  42                         }
  43                 }
  44                 asn1_pop_tag(data);
  45                 break;
  46
  47         case LDB_OP_NOT:
  48                 asn1_push_tag(data, ASN1_CONTEXT(2));
  49                 if (!ldap_push_filter(data, tree->u.isnot.child)) {
  50                         return False;
  51                 }
  52                 asn1_pop_tag(data);
  53                 break;
  54
  55         case LDB_OP_EQUALITY:
  56                 /* equality test */
  57                 asn1_push_tag(data, ASN1_CONTEXT(3));
  58                 asn1_write_OctetString(data, tree->u.equality.attr,
  59                                       strlen(tree->u.equality.attr));
  60                 asn1_write_OctetString(data, tree->u.equality.value.data,
  61                                       tree->u.equality.value.length);
  62                 asn1_pop_tag(data);
  63                 break;
  64
  65         case LDB_OP_SUBSTRING:
  66                 /*
  67                   SubstringFilter ::= SEQUENCE {
  68                           type            AttributeDescription,
  69                           -- at least one must be present
  70                           substrings      SEQUENCE OF CHOICE {
  71                                   initial [0] LDAPString,
  72                                   any     [1] LDAPString,
  73                                   final   [2] LDAPString } }
  74                 */
  75                 asn1_push_tag(data, ASN1_CONTEXT(4));
  76                 asn1_write_OctetString(data, tree->u.substring.attr, strlen(tree->u.substring.attr));
  77                 asn1_push_tag(data, ASN1_SEQUENCE(0));
  78                 i = 0;
  79                 if ( ! tree->u.substring.start_with_wildcard) {
  80                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(0));
  81                         asn1_write_LDAPString(data, (char *)tree->u.substring.chunks[i]->data);
  82                         asn1_pop_tag(data);
  83                         i++;
  84                 }
  85                 while (tree->u.substring.chunks[i]) {
  86                         int ctx;
  87
  88                         if (( ! tree->u.substring.chunks[i + 1]) &&
  89                             (tree->u.substring.end_with_wildcard == 0)) {
  90                                 ctx = 2;
  91                         } else {
  92                                 ctx = 1;
  93                         }
  94                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(ctx));
  95                         asn1_write_LDAPString(data, (char *)tree->u.substring.chunks[i]->data);
  96                         asn1_pop_tag(data);
  97                         i++;
  98                 }
  99                 asn1_pop_tag(data);
 100                 asn1_pop_tag(data);
 101                 break;
 102
 103         case LDB_OP_GREATER:
 104                 /* greaterOrEqual test */
 105                 asn1_push_tag(data, ASN1_CONTEXT(5));
 106                 asn1_write_OctetString(data, tree->u.comparison.attr,
 107                                       strlen(tree->u.comparison.attr));
 108                 asn1_write_OctetString(data, tree->u.comparison.value.data,
 109                                       tree->u.comparison.value.length);
 110                 asn1_pop_tag(data);
 111                 break;
 112
 113         case LDB_OP_LESS:
 114                 /* lessOrEqual test */
 115                 asn1_push_tag(data, ASN1_CONTEXT(6));
 116                 asn1_write_OctetString(data, tree->u.comparison.attr,
 117                                       strlen(tree->u.comparison.attr));
 118                 asn1_write_OctetString(data, tree->u.comparison.value.data,
 119                                       tree->u.comparison.value.length);
 120                 asn1_pop_tag(data);
 121                 break;
 122
 123         case LDB_OP_PRESENT:
 124                 /* present test */
 125                 asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(7));
 126                 asn1_write_LDAPString(data, tree->u.present.attr);
 127                 asn1_pop_tag(data);
 128                 return !data->has_error;
 129
 130         case LDB_OP_APPROX:
 131                 /* approx test */
 132                 asn1_push_tag(data, ASN1_CONTEXT(8));
 133                 asn1_write_OctetString(data, tree->u.comparison.attr,
 134                                       strlen(tree->u.comparison.attr));
 135                 asn1_write_OctetString(data, tree->u.comparison.value.data,
 136                                       tree->u.comparison.value.length);
 137                 asn1_pop_tag(data);
 138                 break;
 139
 140         case LDB_OP_EXTENDED:
 141                 /*
 142                   MatchingRuleAssertion ::= SEQUENCE {
 143                   matchingRule    [1] MatchingRuleID OPTIONAL,
 144                   type            [2] AttributeDescription OPTIONAL,
 145                   matchValue      [3] AssertionValue,
 146                   dnAttributes    [4] BOOLEAN DEFAULT FALSE
 147                   }
 148                 */
 149                 asn1_push_tag(data, ASN1_CONTEXT(9));
 150                 if (tree->u.extended.rule_id) {
 151                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(1));
 152                         asn1_write_LDAPString(data, tree->u.extended.rule_id);
 153                         asn1_pop_tag(data);
 154                 }
 155                 if (tree->u.extended.attr) {
 156                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(2));
 157                         asn1_write_LDAPString(data, tree->u.extended.attr);
 158                         asn1_pop_tag(data);
 159                 }
 160                 asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(3));
 161                 asn1_write_LDAPString(data, (char *)tree->u.extended.value.data);
 162                 asn1_pop_tag(data);
 163                 asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(4));
 164                 asn1_write_uint8(data, tree->u.extended.dnAttributes);
 165                 asn1_pop_tag(data);
 166                 asn1_pop_tag(data);
 167                 break;
 168
 169         default:
 170                 return False;
 171         }
 172         return !data->has_error;
 173 }
 174
 175 static void ldap_encode_response(struct asn1_data *data, struct ldap_Result *result)
 176 {
 177         asn1_write_enumerated(data, result->resultcode);
 178         asn1_write_OctetString(data, result->dn,
 179                                (result->dn) ? strlen(result->dn) : 0);
 180         asn1_write_OctetString(data, result->errormessage,
 181                                (result->errormessage) ?
 182                                strlen(result->errormessage) : 0);
 183         if (result->referral) {
 184                 asn1_push_tag(data, ASN1_CONTEXT(3));
 185                 asn1_write_OctetString(data, result->referral,
 186                                        strlen(result->referral));
 187                 asn1_pop_tag(data);
 188         }
 189 }
 190
 191 BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ctx)
 192 {
 193         struct asn1_data *data = asn1_init(mem_ctx);
 194         int i, j;
 195
 196         asn1_push_tag(data, ASN1_SEQUENCE(0));
 197         asn1_write_Integer(data, msg->messageid);
 198
 199         switch (msg->type) {
 200         case LDAP_TAG_BindRequest: {
 201                 struct ldap_BindRequest *r = &msg->r.BindRequest;
 202                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 203                 asn1_write_Integer(data, r->version);
 204                 asn1_write_OctetString(data, r->dn,
 205                                        (r->dn != NULL) ? strlen(r->dn) : 0);
 206
 207                 switch (r->mechanism) {
 208                 case LDAP_AUTH_MECH_SIMPLE:
 209                         /* context, primitive */
 210                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(0));
 211                         asn1_write(data, r->creds.password,
 212                                    strlen(r->creds.password));
 213                         asn1_pop_tag(data);
 214                         break;
 215                 case LDAP_AUTH_MECH_SASL:
 216                         /* context, constructed */
 217                         asn1_push_tag(data, ASN1_CONTEXT(3));
 218                         asn1_write_OctetString(data, r->creds.SASL.mechanism,
 219                                                strlen(r->creds.SASL.mechanism));
 220                         if (r->creds.SASL.secblob) {
 221                                 asn1_write_OctetString(data, r->creds.SASL.secblob->data,
 222                                                        r->creds.SASL.secblob->length);
 223                         }
 224                         asn1_pop_tag(data);
 225                         break;
 226                 default:
 227                         return False;
 228                 }
 229
 230                 asn1_pop_tag(data);
 231                 break;
 232         }
 233         case LDAP_TAG_BindResponse: {
 234                 struct ldap_BindResponse *r = &msg->r.BindResponse;
 235                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 236                 ldap_encode_response(data, &r->response);
 237                 if (r->SASL.secblob) {
 238                         asn1_write_ContextSimple(data, 7, r->SASL.secblob);
 239                 }
 240                 asn1_pop_tag(data);
 241                 break;
 242         }
 243         case LDAP_TAG_UnbindRequest: {
 244 /*              struct ldap_UnbindRequest *r = &msg->r.UnbindRequest; */
 245                 break;
 246         }
 247         case LDAP_TAG_SearchRequest: {
 248                 struct ldap_SearchRequest *r = &msg->r.SearchRequest;
 249                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 250                 asn1_write_OctetString(data, r->basedn, strlen(r->basedn));
 251                 asn1_write_enumerated(data, r->scope);
 252                 asn1_write_enumerated(data, r->deref);
 253                 asn1_write_Integer(data, r->sizelimit);
 254                 asn1_write_Integer(data, r->timelimit);
 255                 asn1_write_BOOLEAN(data, r->attributesonly);
 256
 257                 if (!ldap_push_filter(data, r->tree)) {
 258                         return False;
 259                 }
 260
 261                 asn1_push_tag(data, ASN1_SEQUENCE(0));
 262                 for (i=0; i<r->num_attributes; i++) {
 263                         asn1_write_OctetString(data, r->attributes[i],
 264                                                strlen(r->attributes[i]));
 265                 }
 266                 asn1_pop_tag(data);
 267                 asn1_pop_tag(data);
 268                 break;
 269         }
 270         case LDAP_TAG_SearchResultEntry: {
 271                 struct ldap_SearchResEntry *r = &msg->r.SearchResultEntry;
 272                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 273                 asn1_write_OctetString(data, r->dn, strlen(r->dn));
 274                 asn1_push_tag(data, ASN1_SEQUENCE(0));
 275                 for (i=0; i<r->num_attributes; i++) {
 276                         struct ldb_message_element *attr = &r->attributes[i];
 277                         asn1_push_tag(data, ASN1_SEQUENCE(0));
 278                         asn1_write_OctetString(data, attr->name,
 279                                                strlen(attr->name));
 280                         asn1_push_tag(data, ASN1_SEQUENCE(1));
 281                         for (j=0; j<attr->num_values; j++) {
 282                                 asn1_write_OctetString(data,
 283                                                        attr->values[j].data,
 284                                                        attr->values[j].length);
 285                         }
 286                         asn1_pop_tag(data);
 287                         asn1_pop_tag(data);
 288                 }
 289                 asn1_pop_tag(data);
 290                 asn1_pop_tag(data);
 291                 break;
 292         }
 293         case LDAP_TAG_SearchResultDone: {
 294                 struct ldap_Result *r = &msg->r.SearchResultDone;
 295                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 296                 ldap_encode_response(data, r);
 297                 asn1_pop_tag(data);
 298                 break;
 299         }
 300         case LDAP_TAG_ModifyRequest: {
 301                 struct ldap_ModifyRequest *r = &msg->r.ModifyRequest;
 302                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 303                 asn1_write_OctetString(data, r->dn, strlen(r->dn));
 304                 asn1_push_tag(data, ASN1_SEQUENCE(0));
 305
 306                 for (i=0; i<r->num_mods; i++) {
 307                         struct ldb_message_element *attrib = &r->mods[i].attrib;
 308                         asn1_push_tag(data, ASN1_SEQUENCE(0));
 309                         asn1_write_enumerated(data, r->mods[i].type);
 310                         asn1_push_tag(data, ASN1_SEQUENCE(0));
 311                         asn1_write_OctetString(data, attrib->name,
 312                                                strlen(attrib->name));
 313                         asn1_push_tag(data, ASN1_SET);
 314                         for (j=0; j<attrib->num_values; j++) {
 315                                 asn1_write_OctetString(data,
 316                                                        attrib->values[j].data,
 317                                                        attrib->values[j].length);
 318
 319                         }
 320                         asn1_pop_tag(data);
 321                         asn1_pop_tag(data);
 322                         asn1_pop_tag(data);
 323                 }
 324
 325                 asn1_pop_tag(data);
 326                 asn1_pop_tag(data);
 327                 break;
 328         }
 329         case LDAP_TAG_ModifyResponse: {
 330                 struct ldap_Result *r = &msg->r.ModifyResponse;
 331                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 332                 ldap_encode_response(data, r);
 333                 asn1_pop_tag(data);
 334                 break;
 335         }
 336         case LDAP_TAG_AddRequest: {
 337                 struct ldap_AddRequest *r = &msg->r.AddRequest;
 338                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 339                 asn1_write_OctetString(data, r->dn, strlen(r->dn));
 340                 asn1_push_tag(data, ASN1_SEQUENCE(0));
 341
 342                 for (i=0; i<r->num_attributes; i++) {
 343                         struct ldb_message_element *attrib = &r->attributes[i];
 344                         asn1_push_tag(data, ASN1_SEQUENCE(0));
 345                         asn1_write_OctetString(data, attrib->name,
 346                                                strlen(attrib->name));
 347                         asn1_push_tag(data, ASN1_SET);
 348                         for (j=0; j<r->attributes[i].num_values; j++) {
 349                                 asn1_write_OctetString(data,
 350                                                        attrib->values[j].data,
 351                                                        attrib->values[j].length);
 352                         }
 353                         asn1_pop_tag(data);
 354                         asn1_pop_tag(data);
 355                 }
 356                 asn1_pop_tag(data);
 357                 asn1_pop_tag(data);
 358                 break;
 359         }
 360         case LDAP_TAG_AddResponse: {
 361                 struct ldap_Result *r = &msg->r.AddResponse;
 362                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 363                 ldap_encode_response(data, r);
 364                 asn1_pop_tag(data);
 365                 break;
 366         }
 367         case LDAP_TAG_DelRequest: {
 368                 struct ldap_DelRequest *r = &msg->r.DelRequest;
 369                 asn1_push_tag(data, ASN1_APPLICATION_SIMPLE(msg->type));
 370                 asn1_write(data, r->dn, strlen(r->dn));
 371                 asn1_pop_tag(data);
 372                 break;
 373         }
 374         case LDAP_TAG_DelResponse: {
 375                 struct ldap_Result *r = &msg->r.DelResponse;
 376                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 377                 ldap_encode_response(data, r);
 378                 asn1_pop_tag(data);
 379                 break;
 380         }
 381         case LDAP_TAG_ModifyDNRequest: {
 382                 struct ldap_ModifyDNRequest *r = &msg->r.ModifyDNRequest;
 383                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 384                 asn1_write_OctetString(data, r->dn, strlen(r->dn));
 385                 asn1_write_OctetString(data, r->newrdn, strlen(r->newrdn));
 386                 asn1_write_BOOLEAN(data, r->deleteolddn);
 387                 if (r->newsuperior) {
 388                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(0));
 389                         asn1_write(data, r->newsuperior,
 390                                    strlen(r->newsuperior));
 391                         asn1_pop_tag(data);
 392                 }
 393                 asn1_pop_tag(data);
 394                 break;
 395         }
 396         case LDAP_TAG_ModifyDNResponse: {
 397                 struct ldap_Result *r = &msg->r.ModifyDNResponse;
 398                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 399                 ldap_encode_response(data, r);
 400                 asn1_pop_tag(data);
 401                 break;
 402         }
 403         case LDAP_TAG_CompareRequest: {
 404                 struct ldap_CompareRequest *r = &msg->r.CompareRequest;
 405                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 406                 asn1_write_OctetString(data, r->dn, strlen(r->dn));
 407                 asn1_push_tag(data, ASN1_SEQUENCE(0));
 408                 asn1_write_OctetString(data, r->attribute,
 409                                        strlen(r->attribute));
 410                 asn1_write_OctetString(data, r->value.data,
 411                                        r->value.length);
 412                 asn1_pop_tag(data);
 413                 asn1_pop_tag(data);
 414                 break;
 415         }
 416         case LDAP_TAG_CompareResponse: {
 417                 struct ldap_Result *r = &msg->r.ModifyDNResponse;
 418                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 419                 ldap_encode_response(data, r);
 420                 asn1_pop_tag(data);
 421                 break;
 422         }
 423         case LDAP_TAG_AbandonRequest: {
 424                 struct ldap_AbandonRequest *r = &msg->r.AbandonRequest;
 425                 asn1_push_tag(data, ASN1_APPLICATION_SIMPLE(msg->type));
 426                 asn1_write_implicit_Integer(data, r->messageid);
 427                 asn1_pop_tag(data);
 428                 break;
 429         }
 430         case LDAP_TAG_SearchResultReference: {
 431                 struct ldap_SearchResRef *r = &msg->r.SearchResultReference;
 432                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 433                 asn1_write_OctetString(data, r->referral, strlen(r->referral));
 434                 asn1_pop_tag(data);
 435                 break;
 436         }
 437         case LDAP_TAG_ExtendedRequest: {
 438                 struct ldap_ExtendedRequest *r = &msg->r.ExtendedRequest;
 439                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 440                 asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(0));
 441                 asn1_write(data, r->oid, strlen(r->oid));
 442                 asn1_pop_tag(data);
 443                 if (r->value) {
 444                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(1));
 445                         asn1_write(data, r->value->data, r->value->length);
 446                         asn1_pop_tag(data);
 447                 }
 448                 asn1_pop_tag(data);
 449                 break;
 450         }
 451         case LDAP_TAG_ExtendedResponse: {
 452                 struct ldap_ExtendedResponse *r = &msg->r.ExtendedResponse;
 453                 asn1_push_tag(data, ASN1_APPLICATION(msg->type));
 454                 ldap_encode_response(data, &r->response);
 455                 if (r->oid) {
 456                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(10));
 457                         asn1_write(data, r->oid, strlen(r->oid));
 458                         asn1_pop_tag(data);
 459                 }
 460                 if (r->value) {
 461                         asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(11));
 462                         asn1_write(data, r->value->data, r->value->length);
 463                         asn1_pop_tag(data);
 464                 }
 465                 asn1_pop_tag(data);
 466                 break;
 467         }
 468         default:
 469                 return False;
 470         }
 471
 472         if (msg->controls != NULL) {
 473                 asn1_push_tag(data, ASN1_CONTEXT(0));
 474
 475                 for (i = 0; msg->controls[i] != NULL; i++) {
 476                         if (!ldap_encode_control(mem_ctx, data, msg->controls[i])) {
 477                                 return False;
 478                         }
 479                 }
 480
 481                 asn1_pop_tag(data);
 482         }
 483
 484         asn1_pop_tag(data);
 485
 486         if (data->has_error) {
 487                 asn1_free(data);
 488                 return False;
 489         }
 490
 491         *result = data_blob_talloc(mem_ctx, data->data, data->length);
 492         asn1_free(data);
 493         return True;
 494 }
 495
 496 static const char *blob2string_talloc(TALLOC_CTX *mem_ctx,
 497                                       DATA_BLOB blob)
 498 {
 499         char *result = talloc_size(mem_ctx, blob.length+1);
 500         memcpy(result, blob.data, blob.length);
 501         result[blob.length] = '\0';
 502         return result;
 503 }
 504
 505 static BOOL asn1_read_OctetString_talloc(TALLOC_CTX *mem_ctx,
 506                                          struct asn1_data *data,
 507                                          const char **result)
 508 {
 509         DATA_BLOB string;
 510         if (!asn1_read_OctetString(data, mem_ctx, &string))
 511                 return False;
 512         *result = blob2string_talloc(mem_ctx, string);
 513         data_blob_free(&string);
 514         return True;
 515 }
 516
 517 static void ldap_decode_response(TALLOC_CTX *mem_ctx,
 518                                  struct asn1_data *data,
 519                                  struct ldap_Result *result)
 520 {
 521         asn1_read_enumerated(data, &result->resultcode);
 522         asn1_read_OctetString_talloc(mem_ctx, data, &result->dn);
 523         asn1_read_OctetString_talloc(mem_ctx, data, &result->errormessage);
 524         if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
 525                 asn1_start_tag(data, ASN1_CONTEXT(3));
 526                 asn1_read_OctetString_talloc(mem_ctx, data, &result->referral);
 527                 asn1_end_tag(data);
 528         } else {
 529                 result->referral = NULL;
 530         }
 531 }
 532
 533 static struct ldb_val **ldap_decode_substring(TALLOC_CTX *mem_ctx, struct ldb_val **chunks, int chunk_num, char *value)
 534 {
 535
 536         chunks = talloc_realloc(mem_ctx, chunks, struct ldb_val *, chunk_num + 2);
 537         if (chunks == NULL) {
 538                 return NULL;
 539         }
 540
 541         chunks[chunk_num] = talloc(mem_ctx, struct ldb_val);
 542         if (chunks[chunk_num] == NULL) {
 543                 return NULL;
 544         }
 545
 546         chunks[chunk_num]->data = (uint8_t *)talloc_strdup(mem_ctx, value);
 547         if (chunks[chunk_num]->data == NULL) {
 548                 return NULL;
 549         }
 550         chunks[chunk_num]->length = strlen(value);
 551
 552         chunks[chunk_num + 1] = '\0';
 553
 554         return chunks;
 555 }
 556
 557
 558 /*
 559   parse the ASN.1 formatted search string into a ldb_parse_tree
 560 */
 561 static struct ldb_parse_tree *ldap_decode_filter_tree(TALLOC_CTX *mem_ctx,
 562                                                       struct asn1_data *data)
 563 {
 564         uint8_t filter_tag;
 565         struct ldb_parse_tree *ret;
 566
 567         if (!asn1_peek_uint8(data, &filter_tag)) {
 568                 return NULL;
 569         }
 570
 571         filter_tag &= 0x1f;     /* strip off the asn1 stuff */
 572
 573         ret = talloc(mem_ctx, struct ldb_parse_tree);
 574         if (ret == NULL) return NULL;
 575
 576         switch(filter_tag) {
 577         case 0:
 578         case 1:
 579                 /* AND or OR of one or more filters */
 580                 ret->operation = (filter_tag == 0)?LDB_OP_AND:LDB_OP_OR;
 581                 ret->u.list.num_elements = 0;
 582                 ret->u.list.elements = NULL;
 583
 584                 if (!asn1_start_tag(data, ASN1_CONTEXT(filter_tag))) {
 585                         goto failed;
 586                 }
 587
 588                 while (asn1_tag_remaining(data) > 0) {
 589                         struct ldb_parse_tree *subtree;
 590                         subtree = ldap_decode_filter_tree(ret, data);
 591                         if (subtree == NULL) {
 592                                 goto failed;
 593                         }
 594                         ret->u.list.elements =
 595                                 talloc_realloc(ret, ret->u.list.elements,
 596                                                struct ldb_parse_tree *,
 597                                                ret->u.list.num_elements+1);
 598                         if (ret->u.list.elements == NULL) {
 599                                 goto failed;
 600                         }
 601                         talloc_steal(ret->u.list.elements, subtree);
 602                         ret->u.list.elements[ret->u.list.num_elements] = subtree;
 603                         ret->u.list.num_elements++;
 604                 }
 605                 if (!asn1_end_tag(data)) {
 606                         goto failed;
 607                 }
 608                 break;
 609
 610         case 2:
 611                 /* 'not' operation */
 612                 if (!asn1_start_tag(data, ASN1_CONTEXT(filter_tag))) {
 613                         goto failed;
 614                 }
 615
 616                 ret->operation = LDB_OP_NOT;
 617                 ret->u.isnot.child = ldap_decode_filter_tree(ret, data);
 618                 if (ret->u.isnot.child == NULL) {
 619                         goto failed;
 620                 }
 621                 if (!asn1_end_tag(data)) {
 622                         goto failed;
 623                 }
 624                 break;
 625
 626         case 3: {
 627                 /* equalityMatch */
 628                 const char *attrib;
 629                 DATA_BLOB value;
 630
 631                 asn1_start_tag(data, ASN1_CONTEXT(filter_tag));
 632                 asn1_read_OctetString_talloc(mem_ctx, data, &attrib);
 633                 asn1_read_OctetString(data, mem_ctx, &value);
 634                 asn1_end_tag(data);
 635                 if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
 636                         goto failed;
 637                 }
 638
 639                 ret->operation = LDB_OP_EQUALITY;
 640                 ret->u.equality.attr = talloc_steal(ret, attrib);
 641                 ret->u.equality.value.data = talloc_steal(ret, value.data);
 642                 ret->u.equality.value.length = value.length;
 643                 break;
 644         }
 645         case 4: {
 646                 /* substrings */
 647                 DATA_BLOB attr;
 648                 uint8_t subs_tag;
 649                 char *value;
 650                 int chunk_num = 0;
 651
 652                 if (!asn1_start_tag(data, ASN1_CONTEXT(filter_tag))) {
 653                         goto failed;
 654                 }
 655                 if (!asn1_read_OctetString(data, mem_ctx, &attr)) {
 656                         goto failed;
 657                 }
 658
 659                 ret->operation = LDB_OP_SUBSTRING;
 660                 ret->u.substring.attr = talloc_strndup(ret, (char *)attr.data, attr.length);
 661                 ret->u.substring.chunks = NULL;
 662                 ret->u.substring.start_with_wildcard = 1;
 663                 ret->u.substring.end_with_wildcard = 1;
 664
 665                 if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) {
 666                         goto failed;
 667                 }
 668
 669                 while (asn1_tag_remaining(data)) {
 670                         asn1_peek_uint8(data, &subs_tag);
 671                         subs_tag &= 0x1f;       /* strip off the asn1 stuff */
 672                         if (subs_tag > 2) goto failed;
 673
 674                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(subs_tag));
 675                         asn1_read_LDAPString(data, mem_ctx, &value);
 676                         asn1_end_tag(data);
 677
 678                         switch (subs_tag) {
 679                         case 0:
 680                                 if (ret->u.substring.chunks != NULL) {
 681                                         /* initial value found in the middle */
 682                                         goto failed;
 683                                 }
 684
 685                                 ret->u.substring.chunks = ldap_decode_substring(ret, NULL, 0, value);
 686                                 if (ret->u.substring.chunks == NULL) {
 687                                         goto failed;
 688                                 }
 689
 690                                 ret->u.substring.start_with_wildcard = 0;
 691                                 chunk_num = 1;
 692                                 break;
 693
 694                         case 1:
 695                                 if (ret->u.substring.end_with_wildcard == 0) {
 696                                         /* "any" value found after a "final" value */
 697                                         goto failed;
 698                                 }
 699
 700                                 ret->u.substring.chunks = ldap_decode_substring(ret,
 701                                                                                 ret->u.substring.chunks,
 702                                                                                 chunk_num,
 703                                                                                 value);
 704                                 if (ret->u.substring.chunks == NULL) {
 705                                         goto failed;
 706                                 }
 707
 708                                 chunk_num++;
 709                                 break;
 710
 711                         case 2:
 712                                 ret->u.substring.chunks = ldap_decode_substring(ret,
 713                                                                                 ret->u.substring.chunks,
 714                                                                                 chunk_num,
 715                                                                                 value);
 716                                 if (ret->u.substring.chunks == NULL) {
 717                                         goto failed;
 718                                 }
 719
 720                                 ret->u.substring.end_with_wildcard = 0;
 721                                 break;
 722
 723                         default:
 724                                 goto failed;
 725                         }
 726
 727                 }
 728
 729                 if (!asn1_end_tag(data)) { /* SEQUENCE */
 730                         goto failed;
 731                 }
 732
 733                 if (!asn1_end_tag(data)) {
 734                         goto failed;
 735                 }
 736                 break;
 737         }
 738         case 5: {
 739                 /* greaterOrEqual */
 740                 const char *attrib;
 741                 DATA_BLOB value;
 742
 743                 asn1_start_tag(data, ASN1_CONTEXT(filter_tag));
 744                 asn1_read_OctetString_talloc(mem_ctx, data, &attrib);
 745                 asn1_read_OctetString(data, mem_ctx, &value);
 746                 asn1_end_tag(data);
 747                 if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
 748                         goto failed;
 749                 }
 750
 751                 ret->operation = LDB_OP_GREATER;
 752                 ret->u.comparison.attr = talloc_steal(ret, attrib);
 753                 ret->u.comparison.value.data = talloc_steal(ret, value.data);
 754                 ret->u.comparison.value.length = value.length;
 755                 break;
 756         }
 757         case 6: {
 758                 /* lessOrEqual */
 759                 const char *attrib;
 760                 DATA_BLOB value;
 761
 762                 asn1_start_tag(data, ASN1_CONTEXT(filter_tag));
 763                 asn1_read_OctetString_talloc(mem_ctx, data, &attrib);
 764                 asn1_read_OctetString(data, mem_ctx, &value);
 765                 asn1_end_tag(data);
 766                 if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
 767                         goto failed;
 768                 }
 769
 770                 ret->operation = LDB_OP_LESS;
 771                 ret->u.comparison.attr = talloc_steal(ret, attrib);
 772                 ret->u.comparison.value.data = talloc_steal(ret, value.data);
 773                 ret->u.comparison.value.length = value.length;
 774                 break;
 775         }
 776         case 7: {
 777                 /* Normal presence, "attribute=*" */
 778                 char *attr;
 779
 780                 if (!asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(filter_tag))) {
 781                         goto failed;
 782                 }
 783                 if (!asn1_read_LDAPString(data, ret, &attr)) {
 784                         goto failed;
 785                 }
 786
 787                 ret->operation = LDB_OP_PRESENT;
 788                 ret->u.present.attr = talloc_steal(ret, attr);
 789
 790                 if (!asn1_end_tag(data)) {
 791                         goto failed;
 792                 }
 793                 break;
 794         }
 795         case 8: {
 796                 /* approx */
 797                 const char *attrib;
 798                 DATA_BLOB value;
 799
 800                 asn1_start_tag(data, ASN1_CONTEXT(filter_tag));
 801                 asn1_read_OctetString_talloc(mem_ctx, data, &attrib);
 802                 asn1_read_OctetString(data, mem_ctx, &value);
 803                 asn1_end_tag(data);
 804                 if ((data->has_error) || (attrib == NULL) || (value.data == NULL)) {
 805                         goto failed;
 806                 }
 807
 808                 ret->operation = LDB_OP_APPROX;
 809                 ret->u.comparison.attr = talloc_steal(ret, attrib);
 810                 ret->u.comparison.value.data = talloc_steal(ret, value.data);
 811                 ret->u.comparison.value.length = value.length;
 812                 break;
 813         }
 814         case 9: {
 815                 char *oid = NULL, *attr = NULL, *value;
 816                 uint8_t dnAttributes;
 817                 /* an extended search */
 818                 if (!asn1_start_tag(data, ASN1_CONTEXT(filter_tag))) {
 819                         goto failed;
 820                 }
 821
 822                 /* FIXME: read carefully rfc2251.txt there are a number of 'MUST's
 823                    we need to check we properly implement --SSS */
 824                 /* either oid or type must be defined */
 825                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(1))) { /* optional */
 826                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(1));
 827                         asn1_read_LDAPString(data, ret, &oid);
 828                         asn1_end_tag(data);
 829                 }
 830                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(2))) {      /* optional  */
 831                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(2));
 832                         asn1_read_LDAPString(data, ret, &attr);
 833                         asn1_end_tag(data);
 834                 }
 835                 asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(3));
 836                 asn1_read_LDAPString(data, ret, &value);
 837                 asn1_end_tag(data);
 838                 /* dnAttributes is marked as BOOLEAN DEFAULT FALSE
 839                    it is not marked as OPTIONAL but openldap tools
 840                    do not set this unless it is to be set as TRUE
 841                    NOTE: openldap tools do not work with AD as it
 842                    seems that AD always requires the dnAttributes
 843                    boolean value to be set */
 844                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(4))) {
 845                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(4));
 846                         asn1_read_uint8(data, &dnAttributes);
 847                         asn1_end_tag(data);
 848                 } else {
 849                         dnAttributes = 0;
 850                 }
 851                 if ((oid == NULL && attr == NULL) || (value == NULL)) {
 852                         goto failed;
 853                 }
 854
 855                 if (oid) {
 856                         ret->operation               = LDB_OP_EXTENDED;
 857
 858                         /* From the RFC2251: If the type field is
 859                            absent and matchingRule is present, the matchValue is compared
 860                            against all attributes in an entry which support that matchingRule
 861                         */
 862                         if (attr) {
 863                                 ret->u.extended.attr = talloc_steal(ret, attr);
 864                         } else {
 865                                 ret->u.extended.attr = talloc_strdup(ret, "*");
 866                         }
 867                         ret->u.extended.rule_id      = talloc_steal(ret, oid);
 868                         ret->u.extended.value.data   = talloc_steal(ret, value);
 869                         ret->u.extended.value.length = strlen(value);
 870                         ret->u.extended.dnAttributes = dnAttributes;
 871                 } else {
 872                         ret->operation               = LDB_OP_EQUALITY;
 873                         ret->u.equality.attr         = talloc_steal(ret, attr);
 874                         ret->u.equality.value.data   = talloc_steal(ret, value);
 875                         ret->u.equality.value.length = strlen(value);
 876                 }
 877                 if (!asn1_end_tag(data)) {
 878                         goto failed;
 879                 }
 880                 break;
 881         }
 882
 883         default:
 884                 DEBUG(0,("Unsupported LDAP filter operation 0x%x\n", filter_tag));
 885                 goto failed;
 886         }
 887
 888         return ret;
 889
 890 failed:
 891         talloc_free(ret);
 892         return NULL;
 893 }
 894
 895
 896 static void ldap_decode_attrib(TALLOC_CTX *mem_ctx, struct asn1_data *data,
 897                                struct ldb_message_element *attrib)
 898 {
 899         asn1_start_tag(data, ASN1_SEQUENCE(0));
 900         asn1_read_OctetString_talloc(mem_ctx, data, &attrib->name);
 901         asn1_start_tag(data, ASN1_SET);
 902         while (asn1_peek_tag(data, ASN1_OCTET_STRING)) {
 903                 DATA_BLOB blob;
 904                 asn1_read_OctetString(data, mem_ctx, &blob);
 905                 add_value_to_attrib(mem_ctx, &blob, attrib);
 906         }
 907         asn1_end_tag(data);
 908         asn1_end_tag(data);
 909
 910 }
 911
 912 static void ldap_decode_attribs(TALLOC_CTX *mem_ctx, struct asn1_data *data,
 913                                 struct ldb_message_element **attributes,
 914                                 int *num_attributes)
 915 {
 916         asn1_start_tag(data, ASN1_SEQUENCE(0));
 917         while (asn1_peek_tag(data, ASN1_SEQUENCE(0))) {
 918                 struct ldb_message_element attrib;
 919                 ZERO_STRUCT(attrib);
 920                 ldap_decode_attrib(mem_ctx, data, &attrib);
 921                 add_attrib_to_array_talloc(mem_ctx, &attrib,
 922                                            attributes, num_attributes);
 923         }
 924         asn1_end_tag(data);
 925 }
 926
 927 /* This routine returns LDAP status codes */
 928
 929 NTSTATUS ldap_decode(struct asn1_data *data, struct ldap_message *msg)
 930 {
 931         uint8_t tag;
 932
 933         asn1_start_tag(data, ASN1_SEQUENCE(0));
 934         asn1_read_Integer(data, &msg->messageid);
 935
 936         if (!asn1_peek_uint8(data, &tag))
 937                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 938
 939         switch(tag) {
 940
 941         case ASN1_APPLICATION(LDAP_TAG_BindRequest): {
 942                 struct ldap_BindRequest *r = &msg->r.BindRequest;
 943                 msg->type = LDAP_TAG_BindRequest;
 944                 asn1_start_tag(data, tag);
 945                 asn1_read_Integer(data, &r->version);
 946                 asn1_read_OctetString_talloc(msg, data, &r->dn);
 947                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(0))) {
 948                         int pwlen;
 949                         r->creds.password = "";
 950                         r->mechanism = LDAP_AUTH_MECH_SIMPLE;
 951                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0));
 952                         pwlen = asn1_tag_remaining(data);
 953                         if (pwlen == -1) {
 954                                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 955                         }
 956                         if (pwlen != 0) {
 957                                 char *pw = talloc_size(msg, pwlen+1);
 958                                 if (!pw) {
 959                                         return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 960                                 }
 961                                 asn1_read(data, pw, pwlen);
 962                                 pw[pwlen] = '\0';
 963                                 r->creds.password = pw;
 964                         }
 965                         asn1_end_tag(data);
 966                 } else if (asn1_peek_tag(data, ASN1_CONTEXT(3))){
 967                         asn1_start_tag(data, ASN1_CONTEXT(3));
 968                         r->mechanism = LDAP_AUTH_MECH_SASL;
 969                         asn1_read_OctetString_talloc(msg, data, &r->creds.SASL.mechanism);
 970                         if (asn1_peek_tag(data, ASN1_OCTET_STRING)) { /* optional */
 971                                 DATA_BLOB tmp_blob = data_blob(NULL, 0);
 972                                 asn1_read_OctetString(data, msg, &tmp_blob);
 973                                 r->creds.SASL.secblob = talloc(msg, DATA_BLOB);
 974                                 if (!r->creds.SASL.secblob) {
 975                                         return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
 976                                 }
 977                                 *r->creds.SASL.secblob = data_blob_talloc(r->creds.SASL.secblob,
 978                                                                           tmp_blob.data, tmp_blob.length);
 979                                 data_blob_free(&tmp_blob);
 980                         } else {
 981                                 r->creds.SASL.secblob = NULL;
 982                         }
 983                         asn1_end_tag(data);
 984                 } else {
 985                         /* Neither Simple nor SASL bind */
 986                         return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
 987                 }
 988                 asn1_end_tag(data);
 989                 break;
 990         }
 991
 992         case ASN1_APPLICATION(LDAP_TAG_BindResponse): {
 993                 struct ldap_BindResponse *r = &msg->r.BindResponse;
 994                 msg->type = LDAP_TAG_BindResponse;
 995                 asn1_start_tag(data, tag);
 996                 ldap_decode_response(msg, data, &r->response);
 997                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(7))) {
 998                         DATA_BLOB tmp_blob = data_blob(NULL, 0);
 999                         asn1_read_ContextSimple(data, 7, &tmp_blob);
1000                         r->SASL.secblob = talloc(msg, DATA_BLOB);
1001                         if (!r->SASL.secblob) {
1002                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1003                         }
1004                         *r->SASL.secblob = data_blob_talloc(r->SASL.secblob,
1005                                                             tmp_blob.data, tmp_blob.length);
1006                         data_blob_free(&tmp_blob);
1007                 } else {
1008                         r->SASL.secblob = NULL;
1009                 }
1010                 asn1_end_tag(data);
1011                 break;
1012         }
1013
1014         case ASN1_APPLICATION_SIMPLE(LDAP_TAG_UnbindRequest): {
1015                 msg->type = LDAP_TAG_UnbindRequest;
1016                 asn1_start_tag(data, tag);
1017                 asn1_end_tag(data);
1018                 break;
1019         }
1020
1021         case ASN1_APPLICATION(LDAP_TAG_SearchRequest): {
1022                 struct ldap_SearchRequest *r = &msg->r.SearchRequest;
1023                 msg->type = LDAP_TAG_SearchRequest;
1024                 asn1_start_tag(data, tag);
1025                 asn1_read_OctetString_talloc(msg, data, &r->basedn);
1026                 asn1_read_enumerated(data, (int *)&(r->scope));
1027                 asn1_read_enumerated(data, (int *)&(r->deref));
1028                 asn1_read_Integer(data, &r->sizelimit);
1029                 asn1_read_Integer(data, &r->timelimit);
1030                 asn1_read_BOOLEAN(data, &r->attributesonly);
1031
1032                 r->tree = ldap_decode_filter_tree(msg, data);
1033                 if (r->tree == NULL) {
1034                         return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1035                 }
1036
1037                 asn1_start_tag(data, ASN1_SEQUENCE(0));
1038
1039                 r->num_attributes = 0;
1040                 r->attributes = NULL;
1041
1042                 while (asn1_tag_remaining(data) > 0) {
1043
1044                         const char *attr;
1045                         if (!asn1_read_OctetString_talloc(msg, data,
1046                                                           &attr))
1047                                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1048                         if (!add_string_to_array(msg, attr,
1049                                                  &r->attributes,
1050                                                  &r->num_attributes))
1051                                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1052                 }
1053
1054                 asn1_end_tag(data);
1055                 asn1_end_tag(data);
1056                 break;
1057         }
1058
1059         case ASN1_APPLICATION(LDAP_TAG_SearchResultEntry): {
1060                 struct ldap_SearchResEntry *r = &msg->r.SearchResultEntry;
1061                 msg->type = LDAP_TAG_SearchResultEntry;
1062                 r->attributes = NULL;
1063                 r->num_attributes = 0;
1064                 asn1_start_tag(data, tag);
1065                 asn1_read_OctetString_talloc(msg, data, &r->dn);
1066                 ldap_decode_attribs(msg, data, &r->attributes,
1067                                     &r->num_attributes);
1068                 asn1_end_tag(data);
1069                 break;
1070         }
1071
1072         case ASN1_APPLICATION(LDAP_TAG_SearchResultDone): {
1073                 struct ldap_Result *r = &msg->r.SearchResultDone;
1074                 msg->type = LDAP_TAG_SearchResultDone;
1075                 asn1_start_tag(data, tag);
1076                 ldap_decode_response(msg, data, r);
1077                 asn1_end_tag(data);
1078                 break;
1079         }
1080
1081         case ASN1_APPLICATION(LDAP_TAG_SearchResultReference): {
1082                 struct ldap_SearchResRef *r = &msg->r.SearchResultReference;
1083                 msg->type = LDAP_TAG_SearchResultReference;
1084                 asn1_start_tag(data, tag);
1085                 asn1_read_OctetString_talloc(msg, data, &r->referral);
1086                 asn1_end_tag(data);
1087                 break;
1088         }
1089
1090         case ASN1_APPLICATION(LDAP_TAG_ModifyRequest): {
1091                 struct ldap_ModifyRequest *r = &msg->r.ModifyRequest;
1092                 msg->type = LDAP_TAG_ModifyRequest;
1093                 asn1_start_tag(data, ASN1_APPLICATION(LDAP_TAG_ModifyRequest));
1094                 asn1_read_OctetString_talloc(msg, data, &r->dn);
1095                 asn1_start_tag(data, ASN1_SEQUENCE(0));
1096
1097                 r->num_mods = 0;
1098                 r->mods = NULL;
1099
1100                 while (asn1_tag_remaining(data) > 0) {
1101                         struct ldap_mod mod;
1102                         int v;
1103                         ZERO_STRUCT(mod);
1104                         asn1_start_tag(data, ASN1_SEQUENCE(0));
1105                         asn1_read_enumerated(data, &v);
1106                         mod.type = v;
1107                         ldap_decode_attrib(msg, data, &mod.attrib);
1108                         asn1_end_tag(data);
1109                         if (!add_mod_to_array_talloc(msg, &mod,
1110                                                      &r->mods, &r->num_mods)) {
1111                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1112                         }
1113                 }
1114
1115                 asn1_end_tag(data);
1116                 asn1_end_tag(data);
1117                 break;
1118         }
1119
1120         case ASN1_APPLICATION(LDAP_TAG_ModifyResponse): {
1121                 struct ldap_Result *r = &msg->r.ModifyResponse;
1122                 msg->type = LDAP_TAG_ModifyResponse;
1123                 asn1_start_tag(data, tag);
1124                 ldap_decode_response(msg, data, r);
1125                 asn1_end_tag(data);
1126                 break;
1127         }
1128
1129         case ASN1_APPLICATION(LDAP_TAG_AddRequest): {
1130                 struct ldap_AddRequest *r = &msg->r.AddRequest;
1131                 msg->type = LDAP_TAG_AddRequest;
1132                 asn1_start_tag(data, tag);
1133                 asn1_read_OctetString_talloc(msg, data, &r->dn);
1134
1135                 r->attributes = NULL;
1136                 r->num_attributes = 0;
1137                 ldap_decode_attribs(msg, data, &r->attributes,
1138                                     &r->num_attributes);
1139
1140                 asn1_end_tag(data);
1141                 break;
1142         }
1143
1144         case ASN1_APPLICATION(LDAP_TAG_AddResponse): {
1145                 struct ldap_Result *r = &msg->r.AddResponse;
1146                 msg->type = LDAP_TAG_AddResponse;
1147                 asn1_start_tag(data, tag);
1148                 ldap_decode_response(msg, data, r);
1149                 asn1_end_tag(data);
1150                 break;
1151         }
1152
1153         case ASN1_APPLICATION_SIMPLE(LDAP_TAG_DelRequest): {
1154                 struct ldap_DelRequest *r = &msg->r.DelRequest;
1155                 int len;
1156                 char *dn;
1157                 msg->type = LDAP_TAG_DelRequest;
1158                 asn1_start_tag(data,
1159                                ASN1_APPLICATION_SIMPLE(LDAP_TAG_DelRequest));
1160                 len = asn1_tag_remaining(data);
1161                 if (len == -1) {
1162                         return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1163                 }
1164                 dn = talloc_size(msg, len+1);
1165                 if (dn == NULL)
1166                         break;
1167                 asn1_read(data, dn, len);
1168                 dn[len] = '\0';
1169                 r->dn = dn;
1170                 asn1_end_tag(data);
1171                 break;
1172         }
1173
1174         case ASN1_APPLICATION(LDAP_TAG_DelResponse): {
1175                 struct ldap_Result *r = &msg->r.DelResponse;
1176                 msg->type = LDAP_TAG_DelResponse;
1177                 asn1_start_tag(data, tag);
1178                 ldap_decode_response(msg, data, r);
1179                 asn1_end_tag(data);
1180                 break;
1181         }
1182
1183         case ASN1_APPLICATION(LDAP_TAG_ModifyDNRequest): {
1184                 struct ldap_ModifyDNRequest *r = &msg->r.ModifyDNRequest;
1185                 msg->type = LDAP_TAG_ModifyDNRequest;
1186                 asn1_start_tag(data,
1187                                ASN1_APPLICATION(LDAP_TAG_ModifyDNRequest));
1188                 asn1_read_OctetString_talloc(msg, data, &r->dn);
1189                 asn1_read_OctetString_talloc(msg, data, &r->newrdn);
1190                 asn1_read_BOOLEAN(data, &r->deleteolddn);
1191                 r->newsuperior = NULL;
1192                 if (asn1_tag_remaining(data) > 0) {
1193                         int len;
1194                         char *newsup;
1195                         asn1_start_tag(data, ASN1_CONTEXT_SIMPLE(0));
1196                         len = asn1_tag_remaining(data);
1197                         if (len == -1) {
1198                                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1199                         }
1200                         newsup = talloc_size(msg, len+1);
1201                         if (newsup == NULL) {
1202                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1203                         }
1204                         asn1_read(data, newsup, len);
1205                         newsup[len] = '\0';
1206                         r->newsuperior = newsup;
1207                         asn1_end_tag(data);
1208                 }
1209                 asn1_end_tag(data);
1210                 break;
1211         }
1212
1213         case ASN1_APPLICATION(LDAP_TAG_ModifyDNResponse): {
1214                 struct ldap_Result *r = &msg->r.ModifyDNResponse;
1215                 msg->type = LDAP_TAG_ModifyDNResponse;
1216                 asn1_start_tag(data, tag);
1217                 ldap_decode_response(msg, data, r);
1218                 asn1_end_tag(data);
1219                 break;
1220         }
1221
1222         case ASN1_APPLICATION(LDAP_TAG_CompareRequest): {
1223                 struct ldap_CompareRequest *r = &msg->r.CompareRequest;
1224                 msg->type = LDAP_TAG_CompareRequest;
1225                 asn1_start_tag(data,
1226                                ASN1_APPLICATION(LDAP_TAG_CompareRequest));
1227                 asn1_read_OctetString_talloc(msg, data, &r->dn);
1228                 asn1_start_tag(data, ASN1_SEQUENCE(0));
1229                 asn1_read_OctetString_talloc(msg, data, &r->attribute);
1230                 asn1_read_OctetString(data, msg, &r->value);
1231                 if (r->value.data) {
1232                         talloc_steal(msg, r->value.data);
1233                 }
1234                 asn1_end_tag(data);
1235                 asn1_end_tag(data);
1236                 break;
1237         }
1238
1239         case ASN1_APPLICATION(LDAP_TAG_CompareResponse): {
1240                 struct ldap_Result *r = &msg->r.CompareResponse;
1241                 msg->type = LDAP_TAG_CompareResponse;
1242                 asn1_start_tag(data, tag);
1243                 ldap_decode_response(msg, data, r);
1244                 asn1_end_tag(data);
1245                 break;
1246         }
1247
1248         case ASN1_APPLICATION_SIMPLE(LDAP_TAG_AbandonRequest): {
1249                 struct ldap_AbandonRequest *r = &msg->r.AbandonRequest;
1250                 msg->type = LDAP_TAG_AbandonRequest;
1251                 asn1_start_tag(data, tag);
1252                 asn1_read_implicit_Integer(data, &r->messageid);
1253                 asn1_end_tag(data);
1254                 break;
1255         }
1256
1257         case ASN1_APPLICATION(LDAP_TAG_ExtendedRequest): {
1258                 struct ldap_ExtendedRequest *r = &msg->r.ExtendedRequest;
1259                 DATA_BLOB tmp_blob = data_blob(NULL, 0);
1260
1261                 msg->type = LDAP_TAG_ExtendedRequest;
1262                 asn1_start_tag(data,tag);
1263                 if (!asn1_read_ContextSimple(data, 0, &tmp_blob)) {
1264                         return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1265                 }
1266                 r->oid = blob2string_talloc(msg, tmp_blob);
1267                 data_blob_free(&tmp_blob);
1268                 if (!r->oid) {
1269                         return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1270                 }
1271
1272                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(1))) {
1273                         asn1_read_ContextSimple(data, 1, &tmp_blob);
1274                         r->value = talloc(msg, DATA_BLOB);
1275                         if (!r->value) {
1276                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1277                         }
1278                         *r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
1279                         data_blob_free(&tmp_blob);
1280                 } else {
1281                         r->value = NULL;
1282                 }
1283
1284                 asn1_end_tag(data);
1285                 break;
1286         }
1287
1288         case ASN1_APPLICATION(LDAP_TAG_ExtendedResponse): {
1289                 struct ldap_ExtendedResponse *r = &msg->r.ExtendedResponse;
1290                 DATA_BLOB tmp_blob = data_blob(NULL, 0);
1291
1292                 msg->type = LDAP_TAG_ExtendedResponse;
1293                 asn1_start_tag(data, tag);
1294                 ldap_decode_response(msg, data, &r->response);
1295
1296                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(10))) {
1297                         asn1_read_ContextSimple(data, 1, &tmp_blob);
1298                         r->oid = blob2string_talloc(msg, tmp_blob);
1299                         data_blob_free(&tmp_blob);
1300                         if (!r->oid) {
1301                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1302                         }
1303                 } else {
1304                         r->oid = NULL;
1305                 }
1306
1307                 if (asn1_peek_tag(data, ASN1_CONTEXT_SIMPLE(11))) {
1308                         asn1_read_ContextSimple(data, 1, &tmp_blob);
1309                         r->value = talloc(msg, DATA_BLOB);
1310                         if (!r->value) {
1311                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1312                         }
1313                         *r->value = data_blob_talloc(r->value, tmp_blob.data, tmp_blob.length);
1314                         data_blob_free(&tmp_blob);
1315                 } else {
1316                         r->value = NULL;
1317                 }
1318
1319                 asn1_end_tag(data);
1320                 break;
1321         }
1322         default:
1323                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1324         }
1325
1326         msg->controls = NULL;
1327
1328         if (asn1_peek_tag(data, ASN1_CONTEXT(0))) {
1329                 int i = 0;
1330                 struct ldb_control **ctrl = NULL;
1331
1332                 asn1_start_tag(data, ASN1_CONTEXT(0));
1333
1334                 while (asn1_peek_tag(data, ASN1_SEQUENCE(0))) {
1335                         DATA_BLOB value;
1336                         /* asn1_start_tag(data, ASN1_SEQUENCE(0)); */
1337
1338                         ctrl = talloc_realloc(msg, ctrl, struct ldb_control *, i+2);
1339                         if (!ctrl) {
1340                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1341                         }
1342
1343                         ctrl[i] = talloc(ctrl, struct ldb_control);
1344                         if (!ctrl[i]) {
1345                                 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR);
1346                         }
1347
1348                         if (!ldap_decode_control_wrapper(ctrl, data, ctrl[i], &value)) {
1349                                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1350                         }
1351
1352                         if (!ldap_decode_control_value(ctrl, value, ctrl[i])) {
1353                                 if (ctrl[i]->critical) {
1354                                         return NT_STATUS_LDAP(LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
1355                                 } else {
1356                                         talloc_free(ctrl[i]);
1357                                         ctrl[i] = NULL;
1358                                 }
1359                         } else {
1360                                 i++;
1361                         }
1362                 }
1363
1364                 if (ctrl != NULL) {
1365                         ctrl[i] = NULL;
1366                 }
1367
1368                 msg->controls = ctrl;
1369
1370                 asn1_end_tag(data);
1371         }
1372
1373         asn1_end_tag(data);
1374         if ((data->has_error) || (data->nesting != NULL)) {
1375                 return NT_STATUS_LDAP(LDAP_PROTOCOL_ERROR);
1376         }
1377         return NT_STATUS_OK;
1378 }
1379
1380
1381 /*
1382   return NT_STATUS_OK if a blob has enough bytes in it to be a full
1383   ldap packet. Set packet_size if true.
1384 */
1385 NTSTATUS ldap_full_packet(void *private_data, DATA_BLOB blob, size_t *packet_size)
1386 {
1387         return asn1_full_tag(blob, ASN1_SEQUENCE(0), packet_size);
1388 }