git.sur5r.net Git - openldap/blob - libraries/libldap/cyrus.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1999-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <stdlib.h>
  10 #include <stdio.h>
  11
  12 #include <ac/socket.h>
  13 #include <ac/string.h>
  14 #include <ac/time.h>
  15 #include <ac/errno.h>
  16
  17 #include "ldap-int.h"
  18 #ifdef LDAP_R_COMPILE
  19 #include "ldap_pvt_thread.h"
  20 #endif
  21
  22 #ifdef HAVE_CYRUS_SASL
  23 #include <sasl.h>
  24
  25 /*
  26 * Various Cyrus SASL related stuff.
  27 */
  28
  29 #define SASL_MAX_BUFF_SIZE      65536
  30 #define SASL_MIN_BUFF_SIZE      4096
  31
  32 int ldap_int_sasl_init( void )
  33 {
  34         /* XXX not threadsafe */
  35         static int sasl_initialized = 0;
  36
  37         static sasl_callback_t client_callbacks[] = {
  38 #ifdef SASL_CB_GETREALM
  39                 { SASL_CB_GETREALM, NULL, NULL },
  40 #endif
  41                 { SASL_CB_USER, NULL, NULL },
  42                 { SASL_CB_AUTHNAME, NULL, NULL },
  43                 { SASL_CB_PASS, NULL, NULL },
  44                 { SASL_CB_ECHOPROMPT, NULL, NULL },
  45                 { SASL_CB_NOECHOPROMPT, NULL, NULL },
  46                 { SASL_CB_LIST_END, NULL, NULL }
  47         };
  48
  49         if ( sasl_initialized ) {
  50                 return 0;
  51         }
  52
  53 #ifndef CSRIMALLOC
  54         sasl_set_alloc(
  55                 ber_memalloc,
  56                 ber_memcalloc,
  57                 ber_memrealloc,
  58                 ber_memfree );
  59 #endif /* CSRIMALLOC */
  60
  61 #ifdef LDAP_R_COMPILE
  62         sasl_set_mutex(
  63                 ldap_pvt_sasl_mutex_new,
  64                 ldap_pvt_sasl_mutex_lock,
  65                 ldap_pvt_sasl_mutex_unlock,
  66                 ldap_pvt_sasl_mutex_dispose );
  67 #endif
  68
  69         if ( sasl_client_init( client_callbacks ) == SASL_OK ) {
  70                 sasl_initialized = 1;
  71                 return 0;
  72         }
  73
  74         return -1;
  75 }
  76
  77 /*
  78  * SASL encryption support for LBER Sockbufs
  79  */
  80
  81 struct sb_sasl_data {
  82         sasl_conn_t             *sasl_context;
  83         Sockbuf_Buf             sec_buf_in;
  84         Sockbuf_Buf             buf_in;
  85         Sockbuf_Buf             buf_out;
  86 };
  87
  88 static int
  89 sb_sasl_setup( Sockbuf_IO_Desc *sbiod, void *arg )
  90 {
  91         struct sb_sasl_data     *p;
  92
  93         assert( sbiod != NULL );
  94
  95         p = LBER_MALLOC( sizeof( *p ) );
  96         if ( p == NULL )
  97                 return -1;
  98         p->sasl_context = (sasl_conn_t *)arg;
  99         ber_pvt_sb_buf_init( &p->sec_buf_in );
 100         ber_pvt_sb_buf_init( &p->buf_in );
 101         ber_pvt_sb_buf_init( &p->buf_out );
 102         if ( ber_pvt_sb_grow_buffer( &p->sec_buf_in, SASL_MIN_BUFF_SIZE ) < 0 ) {
 103                 errno = ENOMEM;
 104                 return -1;
 105         }
 106
 107         sbiod->sbiod_pvt = p;
 108
 109         return 0;
 110 }
 111
 112 static int
 113 sb_sasl_remove( Sockbuf_IO_Desc *sbiod )
 114 {
 115         struct sb_sasl_data     *p;
 116
 117         assert( sbiod != NULL );
 118
 119         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 120         ber_pvt_sb_buf_destroy( &p->sec_buf_in );
 121         ber_pvt_sb_buf_destroy( &p->buf_in );
 122         ber_pvt_sb_buf_destroy( &p->buf_out );
 123         LBER_FREE( p );
 124         sbiod->sbiod_pvt = NULL;
 125         return 0;
 126 }
 127
 128 static ber_len_t
 129 sb_sasl_pkt_length( const char *buf, int debuglevel )
 130 {
 131         ber_len_t               size;
 132         long                    tmp;
 133
 134         assert( buf != NULL );
 135
 136         tmp = *((long *)buf);
 137         size = ntohl( tmp );
 138
 139         if ( size > SASL_MAX_BUFF_SIZE ) {
 140                 /* somebody is trying to mess me up. */
 141                 ber_log_printf( LDAP_DEBUG_ANY, debuglevel,
 142                         "sb_sasl_pkt_length: received illegal packet length "
 143                         "of %lu bytes\n", (unsigned long)size );
 144                 size = 16; /* this should lead to an error. */
 145 }
 146
 147         return size + 4; /* include the size !!! */
 148 }
 149
 150 /* Drop a processed packet from the input buffer */
 151 static void
 152 sb_sasl_drop_packet ( Sockbuf_Buf *sec_buf_in, int debuglevel )
 153 {
 154         ber_slen_t                      len;
 155
 156         len = sec_buf_in->buf_ptr - sec_buf_in->buf_end;
 157         if ( len > 0 )
 158                 memmove( sec_buf_in->buf_base, sec_buf_in->buf_base +
 159                         sec_buf_in->buf_end, len );
 160
 161         if ( len >= 4 ) {
 162                 sec_buf_in->buf_end = sb_sasl_pkt_length( sec_buf_in->buf_base,
 163                         debuglevel);
 164         }
 165         else {
 166                 sec_buf_in->buf_end = 0;
 167         }
 168         sec_buf_in->buf_ptr = len;
 169 }
 170
 171 static ber_slen_t
 172 sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 173 {
 174         struct sb_sasl_data     *p;
 175         ber_slen_t              ret, bufptr;
 176
 177         assert( sbiod != NULL );
 178         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 179
 180         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 181
 182         /* Are there anything left in the buffer? */
 183         ret = ber_pvt_sb_copy_out( &p->buf_in, buf, len );
 184         bufptr = ret;
 185         len -= ret;
 186
 187         if ( len == 0 )
 188                 return bufptr;
 189
 190         ber_pvt_sb_buf_destroy( &p->buf_in );
 191
 192         /* Read the length of the packet */
 193         while ( p->sec_buf_in.buf_ptr < 4 ) {
 194                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base,
 195                         4 - p->sec_buf_in.buf_ptr );
 196 #ifdef EINTR
 197                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 198                         continue;
 199 #endif
 200                 if ( ret <= 0 )
 201                         return ret;
 202
 203                 p->sec_buf_in.buf_ptr += ret;
 204         }
 205
 206         /* The new packet always starts at p->sec_buf_in.buf_base */
 207         ret = sb_sasl_pkt_length( p->sec_buf_in.buf_base,
 208                 sbiod->sbiod_sb->sb_debug );
 209
 210         /* Grow the packet buffer if neccessary */
 211         if ( ( p->sec_buf_in.buf_size < ret ) &&
 212                         ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 ) {
 213                 errno = ENOMEM;
 214                 return -1;
 215         }
 216         p->sec_buf_in.buf_end = ret;
 217
 218         /* Did we read the whole encrypted packet? */
 219         while ( p->sec_buf_in.buf_ptr < p->sec_buf_in.buf_end ) {
 220                 /* No, we have got only a part of it */
 221                 ret = p->sec_buf_in.buf_end - p->sec_buf_in.buf_ptr;
 222
 223                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base +
 224                         p->sec_buf_in.buf_ptr, ret );
 225 #ifdef EINTR
 226                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 227                         continue;
 228 #endif
 229                 if ( ret <= 0 )
 230                         return ret;
 231
 232                 p->sec_buf_in.buf_ptr += ret;
 233         }
 234
 235         /* Decode the packet */
 236         ret = sasl_decode( p->sasl_context, p->sec_buf_in.buf_base,
 237                 p->sec_buf_in.buf_end, &p->buf_in.buf_base,
 238                 (unsigned *)&p->buf_in.buf_end );
 239         if ( ret != SASL_OK ) {
 240                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 241                         "sb_sasl_read: failed to decode packet: %s\n",
 242                         sasl_errstring( ret, NULL, NULL ) );
 243                 sb_sasl_drop_packet( &p->sec_buf_in,
 244                         sbiod->sbiod_sb->sb_debug );
 245                 errno = EIO;
 246                 return -1;
 247         }
 248
 249         /* Drop the packet from the input buffer */
 250         sb_sasl_drop_packet( &p->sec_buf_in, sbiod->sbiod_sb->sb_debug );
 251
 252         p->buf_in.buf_size = p->buf_in.buf_end;
 253
 254         bufptr += ber_pvt_sb_copy_out( &p->buf_in, (char*) buf + bufptr, len );
 255
 256         return bufptr;
 257 }
 258
 259 static ber_slen_t
 260 sb_sasl_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 261 {
 262         struct sb_sasl_data     *p;
 263         int                     ret;
 264
 265         assert( sbiod != NULL );
 266         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 267
 268         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 269
 270         /* Are there anything left in the buffer? */
 271         if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
 272                 ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 273                 if ( ret <= 0 )
 274                         return ret;
 275         }
 276
 277         /* now encode the next packet. */
 278         ber_pvt_sb_buf_destroy( &p->buf_out );
 279         ret = sasl_encode( p->sasl_context, buf, len, &p->buf_out.buf_base,
 280                 (unsigned *)&p->buf_out.buf_size );
 281         if ( ret != SASL_OK ) {
 282                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 283                         "sb_sasl_write: failed to encode packet: %s\n",
 284                         sasl_errstring( ret, NULL, NULL ) );
 285                 return -1;
 286         }
 287         p->buf_out.buf_end = p->buf_out.buf_size;
 288
 289         ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 290         if ( ret <= 0 )
 291                 return ret;
 292         return len;
 293 }
 294
 295 static int
 296 sb_sasl_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 297 {
 298         struct sb_sasl_data     *p;
 299
 300         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 301
 302         if ( opt == LBER_SB_OPT_DATA_READY ) {
 303                 if ( p->buf_in.buf_ptr != p->buf_in.buf_end )
 304                         return 1;
 305         }
 306
 307         return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
 308 }
 309
 310 Sockbuf_IO ldap_pvt_sockbuf_io_sasl = {
 311         sb_sasl_setup,          /* sbi_setup */
 312         sb_sasl_remove,         /* sbi_remove */
 313         sb_sasl_ctrl,           /* sbi_ctrl */
 314         sb_sasl_read,           /* sbi_read */
 315         sb_sasl_write,          /* sbi_write */
 316         NULL                    /* sbi_close */
 317 };
 318
 319 int ldap_pvt_sasl_install( Sockbuf *sb, void *ctx_arg )
 320 {
 321         Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_install\n",
 322                 0, 0, 0 );
 323
 324         /* don't install the stuff unless security has been negotiated */
 325
 326         if ( !ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO,
 327                         &ldap_pvt_sockbuf_io_sasl ) )
 328                 ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_sasl,
 329                         LBER_SBIOD_LEVEL_APPLICATION, ctx_arg );
 330
 331         return LDAP_SUCCESS;
 332 }
 333
 334 static int
 335 sasl_err2ldap( int saslerr )
 336 {
 337         int rc;
 338
 339         switch (saslerr) {
 340                 case SASL_CONTINUE:
 341                         rc = LDAP_MORE_RESULTS_TO_RETURN;
 342                         break;
 343                 case SASL_INTERACT:
 344                         rc = LDAP_LOCAL_ERROR;
 345                         break;
 346                 case SASL_OK:
 347                         rc = LDAP_SUCCESS;
 348                         break;
 349                 case SASL_FAIL:
 350                         rc = LDAP_LOCAL_ERROR;
 351                         break;
 352                 case SASL_NOMEM:
 353                         rc = LDAP_NO_MEMORY;
 354                         break;
 355                 case SASL_NOMECH:
 356                         rc = LDAP_AUTH_UNKNOWN;
 357                         break;
 358                 case SASL_BADAUTH:
 359                         rc = LDAP_AUTH_UNKNOWN;
 360                         break;
 361                 case SASL_NOAUTHZ:
 362                         rc = LDAP_PARAM_ERROR;
 363                         break;
 364                 case SASL_TOOWEAK:
 365                 case SASL_ENCRYPT:
 366                         rc = LDAP_AUTH_UNKNOWN;
 367                         break;
 368                 default:
 369                         rc = LDAP_LOCAL_ERROR;
 370                         break;
 371         }
 372
 373         assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
 374         return rc;
 375 }
 376
 377 int
 378 ldap_int_sasl_open(
 379         LDAP *ld,
 380         LDAPConn *lc,
 381         const char * host,
 382         ber_len_t ssf )
 383 {
 384         int rc;
 385         sasl_conn_t *ctx;
 386
 387         sasl_callback_t *session_callbacks =
 388                 ber_memcalloc( 2, sizeof( sasl_callback_t ) );
 389
 390         if( session_callbacks == NULL ) return LDAP_NO_MEMORY;
 391
 392         session_callbacks[0].id = SASL_CB_USER;
 393         session_callbacks[0].proc = NULL;
 394         session_callbacks[0].context = ld;
 395
 396         session_callbacks[1].id = SASL_CB_LIST_END;
 397         session_callbacks[1].proc = NULL;
 398         session_callbacks[1].context = NULL;
 399
 400         assert( lc->lconn_sasl_ctx == NULL );
 401
 402         if ( host == NULL ) {
 403                 ld->ld_errno = LDAP_UNAVAILABLE;
 404                 return ld->ld_errno;
 405         }
 406
 407         rc = sasl_client_new( "ldap", host, session_callbacks,
 408                 SASL_SECURITY_LAYER, &ctx );
 409
 410         if ( rc != SASL_OK ) {
 411                 ld->ld_errno = sasl_err2ldap( rc );
 412                 return ld->ld_errno;
 413         }
 414
 415         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: %s\n",
 416                 host, 0, 0 );
 417
 418         lc->lconn_sasl_ctx = ctx;
 419
 420         if( ssf ) {
 421                 sasl_external_properties_t extprops;
 422                 memset(&extprops, 0L, sizeof(extprops));
 423                 extprops.ssf = ssf;
 424
 425                 (void) sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 426                         (void *) &extprops );
 427
 428                 Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: ssf=%ld\n",
 429                         (long) ssf, 0, 0 );
 430         }
 431
 432         return LDAP_SUCCESS;
 433 }
 434
 435 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 436 {
 437         sasl_conn_t *ctx = lc->lconn_sasl_ctx;
 438         assert( ctx != NULL );
 439
 440         if( ctx ) {
 441                 sasl_dispose( &ctx );
 442                 lc->lconn_sasl_ctx = NULL;
 443         }
 444
 445         return LDAP_SUCCESS;
 446 }
 447
 448 int
 449 ldap_int_sasl_bind(
 450         LDAP                    *ld,
 451         const char              *dn,
 452         const char              *mechs,
 453         LDAPControl             **sctrls,
 454         LDAPControl             **cctrls,
 455         unsigned                flags,
 456         LDAP_SASL_INTERACT_PROC *interact,
 457         void * defaults )
 458 {
 459         char *data;
 460         const char *mech = NULL;
 461         const char *pmech = NULL;
 462         int                     saslrc, rc;
 463         sasl_ssf_t              *ssf = NULL;
 464         sasl_conn_t     *ctx;
 465         sasl_interact_t *prompts = NULL;
 466         unsigned credlen;
 467         struct berval ccred;
 468         ber_socket_t            sd;
 469
 470         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
 471                 mechs ? mechs : "<null>", 0, 0 );
 472
 473         /* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
 474         if (ld->ld_version < LDAP_VERSION3) {
 475                 ld->ld_errno = LDAP_NOT_SUPPORTED;
 476                 return ld->ld_errno;
 477         }
 478
 479         ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
 480
 481         if ( sd == AC_SOCKET_INVALID ) {
 482                 /* not connected yet */
 483                 int rc = ldap_open_defconn( ld );
 484
 485                 if( rc < 0 ) return ld->ld_errno;
 486                 ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
 487
 488                 if( sd == AC_SOCKET_INVALID ) {
 489                         ld->ld_errno = LDAP_UNAVAILABLE;
 490                         return ld->ld_errno;
 491                 }
 492         }
 493
 494         ctx = ld->ld_defconn->lconn_sasl_ctx;
 495
 496         if( ctx == NULL ) {
 497                 ld->ld_errno = LDAP_UNAVAILABLE;
 498                 return ld->ld_errno;
 499         }
 500
 501         /* (re)set security properties */
 502         sasl_setprop( ctx, SASL_SEC_PROPS,
 503                 &ld->ld_options.ldo_sasl_secprops );
 504
 505         ccred.bv_val = NULL;
 506         ccred.bv_len = 0;
 507
 508         do {
 509                 saslrc = sasl_client_start( ctx,
 510                         mechs,
 511                         NULL,
 512                         &prompts,
 513                         &ccred.bv_val,
 514                         &credlen,
 515                         &mech );
 516
 517                 if( pmech == NULL && mech != NULL ) {
 518                         pmech = mech;
 519
 520                         if( flags != LDAP_SASL_QUIET ) {
 521                                 fprintf(stderr,
 522                                         "SASL/%s authentication started\n",
 523                                         pmech );
 524                         }
 525                 }
 526
 527                 if( saslrc == SASL_INTERACT ) {
 528                         int res;
 529                         if( !interact ) break;
 530                         res = (interact)( ld, flags, defaults, prompts );
 531                         if( res != LDAP_SUCCESS ) {
 532                                 break;
 533                         }
 534                 }
 535         } while ( saslrc == SASL_INTERACT );
 536
 537         ccred.bv_len = credlen;
 538
 539         if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 540                 ld->ld_errno = sasl_err2ldap( saslrc );
 541                 return ld->ld_errno;
 542         }
 543
 544         do {
 545                 struct berval *scred;
 546                 unsigned credlen;
 547
 548                 scred = NULL;
 549
 550                 rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
 551
 552                 if ( ccred.bv_val != NULL ) {
 553                         LDAP_FREE( ccred.bv_val );
 554                         ccred.bv_val = NULL;
 555                 }
 556
 557                 if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
 558                         if( scred ) {
 559                                 /* and server provided us with data? */
 560                                 Debug( LDAP_DEBUG_TRACE,
 561                                         "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 562                                         rc, saslrc, scred->bv_len );
 563                                 ber_bvfree( scred );
 564                         }
 565                         return ld->ld_errno;
 566                 }
 567
 568                 if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
 569                         /* we're done, no need to step */
 570                         if( scred ) {
 571                                 /* but server provided us with data! */
 572                                 Debug( LDAP_DEBUG_TRACE,
 573                                         "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 574                                         rc, saslrc, scred->bv_len );
 575                                 ber_bvfree( scred );
 576                                 return ld->ld_errno = LDAP_LOCAL_ERROR;
 577                         }
 578                         break;
 579                 }
 580
 581                 do {
 582                         saslrc = sasl_client_step( ctx,
 583                                 (scred == NULL) ? NULL : scred->bv_val,
 584                                 (scred == NULL) ? 0 : scred->bv_len,
 585                                 &prompts,
 586                                 &ccred.bv_val,
 587                                 &credlen );
 588
 589                         Debug( LDAP_DEBUG_TRACE, "sasl_client_start: %d\n",
 590                                 saslrc, 0, 0 );
 591
 592                         if( saslrc == SASL_INTERACT ) {
 593                                 int res;
 594                                 if( !interact ) break;
 595                                 res = (interact)( ld, flags, defaults, prompts );
 596                                 if( res != LDAP_SUCCESS ) {
 597                                         break;
 598                                 }
 599                         }
 600                 } while ( saslrc == SASL_INTERACT );
 601
 602                 ccred.bv_len = credlen;
 603                 ber_bvfree( scred );
 604
 605                 if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 606                         ld->ld_errno = sasl_err2ldap( saslrc );
 607                         return ld->ld_errno;
 608                 }
 609         } while ( rc == LDAP_SASL_BIND_IN_PROGRESS );
 610
 611         if ( rc != LDAP_SUCCESS ) {
 612                 return rc;
 613         }
 614
 615         if ( saslrc != SASL_OK ) {
 616                 return ld->ld_errno = sasl_err2ldap( saslrc );
 617         }
 618
 619         if( flags != LDAP_SASL_QUIET ) {
 620                 saslrc = sasl_getprop( ctx, SASL_USERNAME, (void **) &data );
 621                 if( saslrc == SASL_OK && data && *data ) {
 622                         fprintf( stderr, "SASL username: %s\n", data );
 623                 }
 624
 625                 saslrc = sasl_getprop( ctx, SASL_REALM, (void **) &data );
 626                 if( saslrc == SASL_OK && data && *data ) {
 627                         fprintf( stderr, "SASL realm: %s\n", data );
 628                 }
 629         }
 630
 631         saslrc = sasl_getprop( ctx, SASL_SSF, (void **) &ssf );
 632         if( saslrc == SASL_OK ) {
 633                 if( flags != LDAP_SASL_QUIET ) {
 634                         fprintf( stderr, "SASL SSF: %lu\n",
 635                                 (unsigned long) *ssf );
 636                 }
 637
 638                 if( ssf && *ssf ) {
 639                         if( flags != LDAP_SASL_QUIET ) {
 640                                 fprintf( stderr, "SASL installing layers\n" );
 641                         }
 642                         ldap_pvt_sasl_install( ld->ld_sb, ctx );
 643                 }
 644         }
 645
 646         return rc;
 647 }
 648
 649 int ldap_pvt_sasl_secprops(
 650         const char *in,
 651         sasl_security_properties_t *secprops )
 652 {
 653         int i;
 654         char **props = ldap_str2charray( in, "," );
 655         unsigned sflags = 0;
 656         int got_sflags = 0;
 657         sasl_ssf_t max_ssf;
 658         int got_max_ssf = 0;
 659         sasl_ssf_t min_ssf;
 660         int got_min_ssf = 0;
 661         unsigned maxbufsize;
 662         int got_maxbufsize = 0;
 663
 664         if( props == NULL || secprops == NULL ) {
 665                 return LDAP_PARAM_ERROR;
 666         }
 667
 668         for( i=0; props[i]; i++ ) {
 669                 if( !strcasecmp(props[i], "none") ) {
 670                         got_sflags++;
 671
 672                 } else if( !strcasecmp(props[i], "noplain") ) {
 673                         got_sflags++;
 674                         sflags |= SASL_SEC_NOPLAINTEXT;
 675
 676                 } else if( !strcasecmp(props[i], "noactive") ) {
 677                         got_sflags++;
 678                         sflags |= SASL_SEC_NOACTIVE;
 679
 680                 } else if( !strcasecmp(props[i], "nodict") ) {
 681                         got_sflags++;
 682                         sflags |= SASL_SEC_NODICTIONARY;
 683
 684                 } else if( !strcasecmp(props[i], "forwardsec") ) {
 685                         got_sflags++;
 686                         sflags |= SASL_SEC_FORWARD_SECRECY;
 687
 688                 } else if( !strcasecmp(props[i], "noanonymous")) {
 689                         got_sflags++;
 690                         sflags |= SASL_SEC_NOANONYMOUS;
 691
 692                 } else if( !strcasecmp(props[i], "passcred") ) {
 693                         got_sflags++;
 694                         sflags |= SASL_SEC_PASS_CREDENTIALS;
 695
 696                 } else if( !strncasecmp(props[i],
 697                         "minssf=", sizeof("minssf")) )
 698                 {
 699                         if( isdigit( props[i][sizeof("minssf")] ) ) {
 700                                 got_min_ssf++;
 701                                 min_ssf = atoi( &props[i][sizeof("minssf")] );
 702                         } else {
 703                                 return LDAP_NOT_SUPPORTED;
 704                         }
 705
 706                 } else if( !strncasecmp(props[i],
 707                         "maxssf=", sizeof("maxssf")) )
 708                 {
 709                         if( isdigit( props[i][sizeof("maxssf")] ) ) {
 710                                 got_max_ssf++;
 711                                 max_ssf = atoi( &props[i][sizeof("maxssf")] );
 712                         } else {
 713                                 return LDAP_NOT_SUPPORTED;
 714                         }
 715
 716                 } else if( !strncasecmp(props[i],
 717                         "maxbufsize=", sizeof("maxbufsize")) )
 718                 {
 719                         if( isdigit( props[i][sizeof("maxbufsize")] ) ) {
 720                                 got_maxbufsize++;
 721                                 maxbufsize = atoi( &props[i][sizeof("maxbufsize")] );
 722                         } else {
 723                                 return LDAP_NOT_SUPPORTED;
 724                         }
 725
 726                 } else {
 727                         return LDAP_NOT_SUPPORTED;
 728                 }
 729         }
 730
 731         if(got_sflags) {
 732                 secprops->security_flags = sflags;
 733         }
 734         if(got_min_ssf) {
 735                 secprops->min_ssf = min_ssf;
 736         }
 737         if(got_max_ssf) {
 738                 secprops->max_ssf = max_ssf;
 739         }
 740         if(got_maxbufsize) {
 741                 secprops->maxbufsize = maxbufsize;
 742         }
 743
 744         ldap_charray_free( props );
 745         return LDAP_SUCCESS;
 746 }
 747
 748 int
 749 ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
 750 {
 751         int rc;
 752
 753         switch( option ) {
 754         case LDAP_OPT_X_SASL_SECPROPS:
 755                 rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
 756                 if( rc == LDAP_SUCCESS ) return 0;
 757         }
 758
 759         return -1;
 760 }
 761
 762 int
 763 ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 764 {
 765         if ( ld == NULL )
 766                 return -1;
 767
 768         switch ( option ) {
 769                 case LDAP_OPT_X_SASL_MECH: {
 770                         *(char **)arg = ld->ld_options.ldo_def_sasl_mech
 771                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
 772                 } break;
 773                 case LDAP_OPT_X_SASL_REALM: {
 774                         *(char **)arg = ld->ld_options.ldo_def_sasl_realm
 775                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
 776                 } break;
 777                 case LDAP_OPT_X_SASL_AUTHCID: {
 778                         *(char **)arg = ld->ld_options.ldo_def_sasl_authcid
 779                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
 780                 } break;
 781                 case LDAP_OPT_X_SASL_AUTHZID: {
 782                         *(char **)arg = ld->ld_options.ldo_def_sasl_authzid
 783                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
 784                 } break;
 785
 786                 case LDAP_OPT_X_SASL_SSF: {
 787                         int sc;
 788                         sasl_ssf_t      *ssf;
 789                         sasl_conn_t *ctx;
 790
 791                         if( ld->ld_defconn == NULL ) {
 792                                 return -1;
 793                         }
 794
 795                         ctx = ld->ld_defconn->lconn_sasl_ctx;
 796
 797                         if ( ctx == NULL ) {
 798                                 return -1;
 799                         }
 800
 801                         sc = sasl_getprop( ctx, SASL_SSF,
 802                                 (void **) &ssf );
 803
 804                         if ( sc != SASL_OK ) {
 805                                 return -1;
 806                         }
 807
 808                         *(ber_len_t *)arg = *ssf;
 809                 } break;
 810
 811                 case LDAP_OPT_X_SASL_SSF_EXTERNAL:
 812                         /* this option is write only */
 813                         return -1;
 814
 815                 case LDAP_OPT_X_SASL_SSF_MIN:
 816                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.min_ssf;
 817                         break;
 818                 case LDAP_OPT_X_SASL_SSF_MAX:
 819                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.max_ssf;
 820                         break;
 821                 case LDAP_OPT_X_SASL_MAXBUFSIZE:
 822                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize;
 823                         break;
 824
 825                 case LDAP_OPT_X_SASL_SECPROPS:
 826                         /* this option is write only */
 827                         return -1;
 828
 829                 default:
 830                         return -1;
 831         }
 832         return 0;
 833 }
 834
 835 int
 836 ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 837 {
 838         if ( ld == NULL )
 839                 return -1;
 840
 841         switch ( option ) {
 842         case LDAP_OPT_X_SASL_SSF:
 843                 /* This option is read-only */
 844                 return -1;
 845
 846         case LDAP_OPT_X_SASL_SSF_EXTERNAL: {
 847                 int sc;
 848                 sasl_external_properties_t extprops;
 849                 sasl_conn_t *ctx;
 850
 851                 if( ld->ld_defconn == NULL ) {
 852                         return -1;
 853                 }
 854
 855                 ctx = ld->ld_defconn->lconn_sasl_ctx;
 856
 857                 if ( ctx == NULL ) {
 858                         return -1;
 859                 }
 860
 861                 memset(&extprops, 0L, sizeof(extprops));
 862
 863                 extprops.ssf = * (ber_len_t *) arg;
 864
 865                 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 866                         (void *) &extprops );
 867
 868                 if ( sc != SASL_OK ) {
 869                         return -1;
 870                 }
 871                 } break;
 872
 873         case LDAP_OPT_X_SASL_SSF_MIN:
 874                 ld->ld_options.ldo_sasl_secprops.min_ssf = *(ber_len_t *)arg;
 875                 break;
 876         case LDAP_OPT_X_SASL_SSF_MAX:
 877                 ld->ld_options.ldo_sasl_secprops.max_ssf = *(ber_len_t *)arg;
 878                 break;
 879         case LDAP_OPT_X_SASL_MAXBUFSIZE:
 880                 ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg;
 881                 break;
 882
 883         case LDAP_OPT_X_SASL_SECPROPS: {
 884                 int sc;
 885                 sc = ldap_pvt_sasl_secprops( (char *) arg,
 886                         &ld->ld_options.ldo_sasl_secprops );
 887
 888                 return sc == LDAP_SUCCESS ? 0 : -1;
 889                 }
 890
 891         default:
 892                 return -1;
 893         }
 894         return 0;
 895 }
 896
 897 #ifdef LDAP_R_COMPILE
 898 void *ldap_pvt_sasl_mutex_new(void)
 899 {
 900         ldap_pvt_thread_mutex_t *mutex;
 901
 902         mutex = (ldap_pvt_thread_mutex_t *) LDAP_MALLOC(
 903                 sizeof(ldap_pvt_thread_mutex_t) );
 904
 905         if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
 906                 return mutex;
 907         }
 908         return NULL;
 909 }
 910
 911 int ldap_pvt_sasl_mutex_lock(void *mutex)
 912 {
 913         return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex )
 914                 ? SASL_FAIL : SASL_OK;
 915 }
 916
 917 int ldap_pvt_sasl_mutex_unlock(void *mutex)
 918 {
 919         return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex )
 920                 ? SASL_FAIL : SASL_OK;
 921 }
 922
 923 void ldap_pvt_sasl_mutex_dispose(void *mutex)
 924 {
 925         (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
 926         LDAP_FREE( mutex );
 927 }
 928 #endif
 929
 930 #else
 931 int ldap_int_sasl_init( void )
 932 { return LDAP_SUCCESS; }
 933
 934 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 935 { return LDAP_SUCCESS; }
 936
 937 int
 938 ldap_int_sasl_bind(
 939         LDAP                    *ld,
 940         const char              *dn,
 941         const char              *mechs,
 942         LDAPControl             **sctrls,
 943         LDAPControl             **cctrls,
 944         unsigned                flags,
 945         LDAP_SASL_INTERACT_PROC *interact,
 946         void * defaults )
 947 { return LDAP_NOT_SUPPORTED; }
 948 #endif /* HAVE_CYRUS_SASL */