git.sur5r.net Git - openldap/blob - libraries/libldap/cyrus.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2005 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15
  16 #include "portable.h"
  17
  18 #include <stdio.h>
  19
  20 #include <ac/socket.h>
  21 #include <ac/stdlib.h>
  22 #include <ac/string.h>
  23 #include <ac/time.h>
  24 #include <ac/errno.h>
  25 #include <ac/ctype.h>
  26 #include <ac/unistd.h>
  27
  28 #ifdef HAVE_LIMITS_H
  29 #include <limits.h>
  30 #endif
  31
  32 #include "ldap-int.h"
  33
  34 #ifdef HAVE_CYRUS_SASL
  35
  36 #ifdef HAVE_LIMITS_H
  37 #include <limits.h>
  38 #endif
  39
  40 #ifndef INT_MAX
  41 #define INT_MAX 2147483647      /* 32 bit signed max */
  42 #endif
  43
  44 #ifdef LDAP_R_COMPILE
  45 ldap_pvt_thread_mutex_t ldap_int_sasl_mutex;
  46 #endif
  47
  48 #ifdef HAVE_SASL_SASL_H
  49 #include <sasl/sasl.h>
  50 #else
  51 #include <sasl.h>
  52 #endif
  53
  54 #if SASL_VERSION_MAJOR >= 2
  55 #define SASL_CONST const
  56 #else
  57 #define SASL_CONST
  58 #endif
  59
  60 /*
  61 * Various Cyrus SASL related stuff.
  62 */
  63
  64 static const sasl_callback_t client_callbacks[] = {
  65 #ifdef SASL_CB_GETREALM
  66         { SASL_CB_GETREALM, NULL, NULL },
  67 #endif
  68         { SASL_CB_USER, NULL, NULL },
  69         { SASL_CB_AUTHNAME, NULL, NULL },
  70         { SASL_CB_PASS, NULL, NULL },
  71         { SASL_CB_ECHOPROMPT, NULL, NULL },
  72         { SASL_CB_NOECHOPROMPT, NULL, NULL },
  73         { SASL_CB_LIST_END, NULL, NULL }
  74 };
  75
  76 int ldap_int_sasl_init( void )
  77 {
  78         /* XXX not threadsafe */
  79         static int sasl_initialized = 0;
  80
  81 #ifdef HAVE_SASL_VERSION
  82         /* stringify the version number, sasl.h doesn't do it for us */
  83 #define VSTR0(maj, min, pat)    #maj "." #min "." #pat
  84 #define VSTR(maj, min, pat)     VSTR0(maj, min, pat)
  85 #define SASL_VERSION_STRING     VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
  86                                 SASL_VERSION_STEP)
  87         { int rc;
  88         sasl_version( NULL, &rc );
  89         if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
  90                 (rc & 0xffff) < SASL_VERSION_STEP) {
  91                 char version[sizeof("xxx.xxx.xxxxx")];
  92                 sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
  93                         rc & 0xffff );
  94
  95                 Debug( LDAP_DEBUG_ANY,
  96                 "ldap_int_sasl_init: SASL library version mismatch:"
  97                 " expected " SASL_VERSION_STRING ","
  98                 " got %s\n", version, 0, 0 );
  99                 return -1;
 100         }
 101         }
 102 #endif
 103         if ( sasl_initialized ) {
 104                 return 0;
 105         }
 106
 107 /* SASL 2 takes care of its own memory completely internally */
 108 #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
 109         sasl_set_alloc(
 110                 ber_memalloc,
 111                 ber_memcalloc,
 112                 ber_memrealloc,
 113                 ber_memfree );
 114 #endif /* CSRIMALLOC */
 115
 116 #ifdef LDAP_R_COMPILE
 117         sasl_set_mutex(
 118                 ldap_pvt_sasl_mutex_new,
 119                 ldap_pvt_sasl_mutex_lock,
 120                 ldap_pvt_sasl_mutex_unlock,
 121                 ldap_pvt_sasl_mutex_dispose );
 122 #endif
 123
 124         if ( sasl_client_init( NULL ) == SASL_OK ) {
 125                 sasl_initialized = 1;
 126                 return 0;
 127         }
 128
 129 #if SASL_VERSION_MAJOR < 2
 130         /* A no-op to make sure we link with Cyrus 1.5 */
 131         sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL );
 132 #endif
 133         return -1;
 134 }
 135
 136 /*
 137  * SASL encryption support for LBER Sockbufs
 138  */
 139
 140 struct sb_sasl_data {
 141         sasl_conn_t             *sasl_context;
 142         unsigned                *sasl_maxbuf;
 143         Sockbuf_Buf             sec_buf_in;
 144         Sockbuf_Buf             buf_in;
 145         Sockbuf_Buf             buf_out;
 146 };
 147
 148 static int
 149 sb_sasl_setup( Sockbuf_IO_Desc *sbiod, void *arg )
 150 {
 151         struct sb_sasl_data     *p;
 152
 153         assert( sbiod != NULL );
 154
 155         p = LBER_MALLOC( sizeof( *p ) );
 156         if ( p == NULL )
 157                 return -1;
 158         p->sasl_context = (sasl_conn_t *)arg;
 159         ber_pvt_sb_buf_init( &p->sec_buf_in );
 160         ber_pvt_sb_buf_init( &p->buf_in );
 161         ber_pvt_sb_buf_init( &p->buf_out );
 162         if ( ber_pvt_sb_grow_buffer( &p->sec_buf_in, SASL_MIN_BUFF_SIZE ) < 0 ) {
 163                 LBER_FREE( p );
 164                 errno = ENOMEM;
 165                 return -1;
 166         }
 167         sasl_getprop( p->sasl_context, SASL_MAXOUTBUF,
 168                 (SASL_CONST void **) &p->sasl_maxbuf );
 169
 170         sbiod->sbiod_pvt = p;
 171
 172         return 0;
 173 }
 174
 175 static int
 176 sb_sasl_remove( Sockbuf_IO_Desc *sbiod )
 177 {
 178         struct sb_sasl_data     *p;
 179
 180         assert( sbiod != NULL );
 181
 182         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 183 #if SASL_VERSION_MAJOR >= 2
 184         /*
 185          * SASLv2 encode/decode buffers are managed by
 186          * libsasl2. Ensure they are not freed by liblber.
 187          */
 188         p->buf_in.buf_base = NULL;
 189         p->buf_out.buf_base = NULL;
 190 #endif
 191         ber_pvt_sb_buf_destroy( &p->sec_buf_in );
 192         ber_pvt_sb_buf_destroy( &p->buf_in );
 193         ber_pvt_sb_buf_destroy( &p->buf_out );
 194         LBER_FREE( p );
 195         sbiod->sbiod_pvt = NULL;
 196         return 0;
 197 }
 198
 199 static ber_len_t
 200 sb_sasl_pkt_length( const unsigned char *buf, int debuglevel )
 201 {
 202         ber_len_t               size;
 203
 204         assert( buf != NULL );
 205
 206         size = buf[0] << 24
 207                 | buf[1] << 16
 208                 | buf[2] << 8
 209                 | buf[3];
 210
 211         if ( size > SASL_MAX_BUFF_SIZE ) {
 212                 /* somebody is trying to mess me up. */
 213                 ber_log_printf( LDAP_DEBUG_ANY, debuglevel,
 214                         "sb_sasl_pkt_length: received illegal packet length "
 215                         "of %lu bytes\n", (unsigned long)size );
 216                 size = 16; /* this should lead to an error. */
 217         }
 218
 219         return size + 4; /* include the size !!! */
 220 }
 221
 222 /* Drop a processed packet from the input buffer */
 223 static void
 224 sb_sasl_drop_packet ( Sockbuf_Buf *sec_buf_in, int debuglevel )
 225 {
 226         ber_slen_t                      len;
 227
 228         len = sec_buf_in->buf_ptr - sec_buf_in->buf_end;
 229         if ( len > 0 )
 230                 AC_MEMCPY( sec_buf_in->buf_base, sec_buf_in->buf_base +
 231                         sec_buf_in->buf_end, len );
 232
 233         if ( len >= 4 ) {
 234                 sec_buf_in->buf_end = sb_sasl_pkt_length(
 235                         (unsigned char *) sec_buf_in->buf_base, debuglevel);
 236         }
 237         else {
 238                 sec_buf_in->buf_end = 0;
 239         }
 240         sec_buf_in->buf_ptr = len;
 241 }
 242
 243 static ber_slen_t
 244 sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 245 {
 246         struct sb_sasl_data     *p;
 247         ber_slen_t              ret, bufptr;
 248
 249         assert( sbiod != NULL );
 250         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 251
 252         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 253
 254         /* Are there anything left in the buffer? */
 255         ret = ber_pvt_sb_copy_out( &p->buf_in, buf, len );
 256         bufptr = ret;
 257         len -= ret;
 258
 259         if ( len == 0 )
 260                 return bufptr;
 261
 262 #if SASL_VERSION_MAJOR >= 2
 263         ber_pvt_sb_buf_init( &p->buf_in );
 264 #else
 265         ber_pvt_sb_buf_destroy( &p->buf_in );
 266 #endif
 267
 268         /* Read the length of the packet */
 269         while ( p->sec_buf_in.buf_ptr < 4 ) {
 270                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base +
 271                         p->sec_buf_in.buf_ptr,
 272                         4 - p->sec_buf_in.buf_ptr );
 273 #ifdef EINTR
 274                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 275                         continue;
 276 #endif
 277                 if ( ret <= 0 )
 278                         return bufptr ? bufptr : ret;
 279
 280                 p->sec_buf_in.buf_ptr += ret;
 281         }
 282
 283         /* The new packet always starts at p->sec_buf_in.buf_base */
 284         ret = sb_sasl_pkt_length( (unsigned char *) p->sec_buf_in.buf_base,
 285                 sbiod->sbiod_sb->sb_debug );
 286
 287         /* Grow the packet buffer if neccessary */
 288         if ( ( p->sec_buf_in.buf_size < (ber_len_t) ret ) &&
 289                 ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 )
 290         {
 291                 errno = ENOMEM;
 292                 return -1;
 293         }
 294         p->sec_buf_in.buf_end = ret;
 295
 296         /* Did we read the whole encrypted packet? */
 297         while ( p->sec_buf_in.buf_ptr < p->sec_buf_in.buf_end ) {
 298                 /* No, we have got only a part of it */
 299                 ret = p->sec_buf_in.buf_end - p->sec_buf_in.buf_ptr;
 300
 301                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base +
 302                         p->sec_buf_in.buf_ptr, ret );
 303 #ifdef EINTR
 304                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 305                         continue;
 306 #endif
 307                 if ( ret <= 0 )
 308                         return bufptr ? bufptr : ret;
 309
 310                 p->sec_buf_in.buf_ptr += ret;
 311         }
 312
 313         /* Decode the packet */
 314         {
 315                 unsigned tmpsize = p->buf_in.buf_end;
 316                 ret = sasl_decode( p->sasl_context, p->sec_buf_in.buf_base,
 317                         p->sec_buf_in.buf_end,
 318                         (SASL_CONST char **)&p->buf_in.buf_base,
 319                         (unsigned *)&tmpsize );
 320                 p->buf_in.buf_end = tmpsize;
 321         }
 322
 323         /* Drop the packet from the input buffer */
 324         sb_sasl_drop_packet( &p->sec_buf_in, sbiod->sbiod_sb->sb_debug );
 325
 326         if ( ret != SASL_OK ) {
 327                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 328                         "sb_sasl_read: failed to decode packet: %s\n",
 329                         sasl_errstring( ret, NULL, NULL ) );
 330                 errno = EIO;
 331                 return -1;
 332         }
 333
 334         p->buf_in.buf_size = p->buf_in.buf_end;
 335
 336         bufptr += ber_pvt_sb_copy_out( &p->buf_in, (char*) buf + bufptr, len );
 337
 338         return bufptr;
 339 }
 340
 341 static ber_slen_t
 342 sb_sasl_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 343 {
 344         struct sb_sasl_data     *p;
 345         int                     ret;
 346
 347         assert( sbiod != NULL );
 348         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 349
 350         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 351
 352         /* Are there anything left in the buffer? */
 353         if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
 354                 ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 355                 if ( ret < 0 ) return ret;
 356
 357                 /* Still have something left?? */
 358                 if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
 359                         errno = EAGAIN;
 360                         return -1;
 361                 }
 362         }
 363
 364         /* now encode the next packet. */
 365 #if SASL_VERSION_MAJOR >= 2
 366         ber_pvt_sb_buf_init( &p->buf_out );
 367 #else
 368         ber_pvt_sb_buf_destroy( &p->buf_out );
 369 #endif
 370         if ( len > *p->sasl_maxbuf - 100 ) {
 371                 len = *p->sasl_maxbuf - 100;    /* For safety margin */
 372         }
 373
 374         {
 375                 unsigned tmpsize = p->buf_out.buf_size;
 376                 ret = sasl_encode( p->sasl_context, buf, len,
 377                         (SASL_CONST char **)&p->buf_out.buf_base,
 378                         &tmpsize );
 379                 p->buf_out.buf_size = tmpsize;
 380         }
 381
 382         if ( ret != SASL_OK ) {
 383                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 384                         "sb_sasl_write: failed to encode packet: %s\n",
 385                         sasl_errstring( ret, NULL, NULL ) );
 386                 errno = EIO;
 387                 return -1;
 388         }
 389         p->buf_out.buf_end = p->buf_out.buf_size;
 390
 391         ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 392
 393         /* return number of bytes encoded, not written, to ensure
 394          * no byte is encoded twice (even if only sent once).
 395          */
 396         return len;
 397 }
 398
 399 static int
 400 sb_sasl_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 401 {
 402         struct sb_sasl_data     *p;
 403
 404         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 405
 406         if ( opt == LBER_SB_OPT_DATA_READY ) {
 407                 if ( p->buf_in.buf_ptr != p->buf_in.buf_end ) return 1;
 408         }
 409
 410         return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
 411 }
 412
 413 Sockbuf_IO ldap_pvt_sockbuf_io_sasl = {
 414         sb_sasl_setup,          /* sbi_setup */
 415         sb_sasl_remove,         /* sbi_remove */
 416         sb_sasl_ctrl,           /* sbi_ctrl */
 417         sb_sasl_read,           /* sbi_read */
 418         sb_sasl_write,          /* sbi_write */
 419         NULL                    /* sbi_close */
 420 };
 421
 422 int ldap_pvt_sasl_install( Sockbuf *sb, void *ctx_arg )
 423 {
 424         Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_install\n",
 425                 0, 0, 0 );
 426
 427         /* don't install the stuff unless security has been negotiated */
 428
 429         if ( !ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO,
 430                         &ldap_pvt_sockbuf_io_sasl ) )
 431         {
 432 #ifdef LDAP_DEBUG
 433                 ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 434                         LBER_SBIOD_LEVEL_APPLICATION, (void *)"sasl_" );
 435 #endif
 436                 ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_sasl,
 437                         LBER_SBIOD_LEVEL_APPLICATION, ctx_arg );
 438         }
 439
 440         return LDAP_SUCCESS;
 441 }
 442
 443 void ldap_pvt_sasl_remove( Sockbuf *sb )
 444 {
 445         ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_sasl,
 446                 LBER_SBIOD_LEVEL_APPLICATION );
 447 #ifdef LDAP_DEBUG
 448         ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
 449                 LBER_SBIOD_LEVEL_APPLICATION );
 450 #endif
 451 }
 452
 453 static int
 454 sasl_err2ldap( int saslerr )
 455 {
 456         int rc;
 457
 458         switch (saslerr) {
 459                 case SASL_CONTINUE:
 460                         rc = LDAP_MORE_RESULTS_TO_RETURN;
 461                         break;
 462                 case SASL_INTERACT:
 463                         rc = LDAP_LOCAL_ERROR;
 464                         break;
 465                 case SASL_OK:
 466                         rc = LDAP_SUCCESS;
 467                         break;
 468                 case SASL_FAIL:
 469                         rc = LDAP_LOCAL_ERROR;
 470                         break;
 471                 case SASL_NOMEM:
 472                         rc = LDAP_NO_MEMORY;
 473                         break;
 474                 case SASL_NOMECH:
 475                         rc = LDAP_AUTH_UNKNOWN;
 476                         break;
 477                 case SASL_BADAUTH:
 478                         rc = LDAP_AUTH_UNKNOWN;
 479                         break;
 480                 case SASL_NOAUTHZ:
 481                         rc = LDAP_PARAM_ERROR;
 482                         break;
 483                 case SASL_TOOWEAK:
 484                 case SASL_ENCRYPT:
 485                         rc = LDAP_AUTH_UNKNOWN;
 486                         break;
 487                 default:
 488                         rc = LDAP_LOCAL_ERROR;
 489                         break;
 490         }
 491
 492         assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
 493         return rc;
 494 }
 495
 496 int
 497 ldap_int_sasl_open(
 498         LDAP *ld,
 499         LDAPConn *lc,
 500         const char * host )
 501 {
 502         int rc;
 503         sasl_conn_t *ctx;
 504
 505         assert( lc->lconn_sasl_authctx == NULL );
 506
 507         if ( host == NULL ) {
 508                 ld->ld_errno = LDAP_LOCAL_ERROR;
 509                 return ld->ld_errno;
 510         }
 511
 512         if ( ldap_int_sasl_init() ) {
 513                 ld->ld_errno = LDAP_LOCAL_ERROR;
 514                 return ld->ld_errno;
 515         }
 516
 517 #if SASL_VERSION_MAJOR >= 2
 518         rc = sasl_client_new( "ldap", host, NULL, NULL,
 519                 client_callbacks, 0, &ctx );
 520 #else
 521         rc = sasl_client_new( "ldap", host, client_callbacks,
 522                 SASL_SECURITY_LAYER, &ctx );
 523 #endif
 524
 525         if ( rc != SASL_OK ) {
 526                 ld->ld_errno = sasl_err2ldap( rc );
 527                 return ld->ld_errno;
 528         }
 529
 530         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: host=%s\n",
 531                 host, 0, 0 );
 532
 533         lc->lconn_sasl_authctx = ctx;
 534
 535         return LDAP_SUCCESS;
 536 }
 537
 538 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 539 {
 540         sasl_conn_t *ctx = lc->lconn_sasl_authctx;
 541
 542         if( ctx != NULL ) {
 543                 sasl_dispose( &ctx );
 544                 if ( lc->lconn_sasl_sockctx &&
 545                         lc->lconn_sasl_authctx != lc->lconn_sasl_sockctx ) {
 546                         ctx = lc->lconn_sasl_sockctx;
 547                         sasl_dispose( &ctx );
 548                 }
 549                 lc->lconn_sasl_sockctx = NULL;
 550                 lc->lconn_sasl_authctx = NULL;
 551         }
 552
 553         return LDAP_SUCCESS;
 554 }
 555
 556 int
 557 ldap_int_sasl_bind(
 558         LDAP                    *ld,
 559         const char              *dn,
 560         const char              *mechs,
 561         LDAPControl             **sctrls,
 562         LDAPControl             **cctrls,
 563         unsigned                flags,
 564         LDAP_SASL_INTERACT_PROC *interact,
 565         void * defaults )
 566 {
 567         char *data;
 568         const char *mech = NULL;
 569         const char *pmech = NULL;
 570         int                     saslrc, rc;
 571         sasl_ssf_t              *ssf = NULL;
 572         sasl_conn_t     *ctx, *oldctx = NULL;
 573         sasl_interact_t *prompts = NULL;
 574         unsigned credlen;
 575         struct berval ccred;
 576         ber_socket_t            sd;
 577         void    *ssl;
 578
 579         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
 580                 mechs ? mechs : "<null>", 0, 0 );
 581
 582         /* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
 583         if (ld->ld_version < LDAP_VERSION3) {
 584                 ld->ld_errno = LDAP_NOT_SUPPORTED;
 585                 return ld->ld_errno;
 586         }
 587
 588         ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
 589
 590         if ( sd == AC_SOCKET_INVALID ) {
 591                 /* not connected yet */
 592                 int rc;
 593
 594                 rc = ldap_open_defconn( ld );
 595                 if( rc < 0 ) return ld->ld_errno;
 596
 597                 ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb, LBER_SB_OPT_GET_FD, &sd );
 598
 599                 if( sd == AC_SOCKET_INVALID ) {
 600                         ld->ld_errno = LDAP_LOCAL_ERROR;
 601                         return ld->ld_errno;
 602                 }
 603         }
 604
 605         oldctx = ld->ld_defconn->lconn_sasl_authctx;
 606
 607         /* If we already have an authentication context, clear it out */
 608         if( oldctx ) {
 609                 if ( oldctx != ld->ld_defconn->lconn_sasl_sockctx ) {
 610                         sasl_dispose( &oldctx );
 611                 }
 612                 ld->ld_defconn->lconn_sasl_authctx = NULL;
 613         }
 614
 615         { char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, "localhost" );
 616         rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
 617         LDAP_FREE( saslhost );
 618         }
 619
 620         if ( rc != LDAP_SUCCESS ) return rc;
 621
 622         ctx = ld->ld_defconn->lconn_sasl_authctx;
 623
 624         /* Check for TLS */
 625         ssl = ldap_pvt_tls_sb_ctx( ld->ld_defconn->lconn_sb );
 626         if ( ssl ) {
 627                 struct berval authid = BER_BVNULL;
 628                 ber_len_t fac;
 629
 630                 fac = ldap_pvt_tls_get_strength( ssl );
 631                 /* failure is OK, we just can't use SASL EXTERNAL */
 632                 (void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
 633
 634                 (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
 635                 LDAP_FREE( authid.bv_val );
 636         }
 637
 638 #if !defined(_WIN32)
 639         /* Check for local */
 640         if ( ldap_pvt_url_scheme2proto( ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC ) {
 641                 char authid[sizeof("uidNumber=4294967295+gidNumber=4294967295,"
 642                         "cn=peercred,cn=external,cn=auth")];
 643                 sprintf( authid, "uidNumber=%d+gidNumber=%d,"
 644                         "cn=peercred,cn=external,cn=auth",
 645                         (int) geteuid(), (int) getegid() );
 646                 (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid, LDAP_PVT_SASL_LOCAL_SSF );
 647         }
 648 #endif
 649
 650         /* (re)set security properties */
 651         sasl_setprop( ctx, SASL_SEC_PROPS,
 652                 &ld->ld_options.ldo_sasl_secprops );
 653
 654         ccred.bv_val = NULL;
 655         ccred.bv_len = 0;
 656
 657         do {
 658                 saslrc = sasl_client_start( ctx,
 659                         mechs,
 660 #if SASL_VERSION_MAJOR < 2
 661                         NULL,
 662 #endif
 663                         &prompts,
 664                         (SASL_CONST char **)&ccred.bv_val,
 665                         &credlen,
 666                         &mech );
 667
 668                 if( pmech == NULL && mech != NULL ) {
 669                         pmech = mech;
 670
 671                         if( flags != LDAP_SASL_QUIET ) {
 672                                 fprintf(stderr,
 673                                         "SASL/%s authentication started\n",
 674                                         pmech );
 675                         }
 676                 }
 677
 678                 if( saslrc == SASL_INTERACT ) {
 679                         int res;
 680                         if( !interact ) break;
 681                         res = (interact)( ld, flags, defaults, prompts );
 682
 683                         if( res != LDAP_SUCCESS ) break;
 684                 }
 685         } while ( saslrc == SASL_INTERACT );
 686
 687         ccred.bv_len = credlen;
 688
 689         if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 690                 rc = ld->ld_errno = sasl_err2ldap( saslrc );
 691 #if SASL_VERSION_MAJOR >= 2
 692                 if ( ld->ld_error ) {
 693                         LDAP_FREE( ld->ld_error );
 694                 }
 695                 ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 696 #endif
 697                 goto done;
 698         }
 699
 700         do {
 701                 struct berval *scred;
 702                 unsigned credlen;
 703
 704                 scred = NULL;
 705
 706                 rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
 707
 708                 if ( ccred.bv_val != NULL ) {
 709 #if SASL_VERSION_MAJOR < 2
 710                         LDAP_FREE( ccred.bv_val );
 711 #endif
 712                         ccred.bv_val = NULL;
 713                 }
 714
 715                 if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
 716                         if( scred ) {
 717                                 if ( scred->bv_len ) {
 718                                         /* and server provided us with data? */
 719                                         Debug( LDAP_DEBUG_TRACE,
 720                                                 "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 721                                                 rc, saslrc, scred->bv_len );
 722                                 }
 723                                 ber_bvfree( scred );
 724                         }
 725                         rc = ld->ld_errno;
 726                         goto done;
 727                 }
 728
 729                 if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
 730                         /* we're done, no need to step */
 731                         if( scred ) {
 732                                 if ( scred->bv_len ) {
 733                                         /* but server provided us with data! */
 734                                         Debug( LDAP_DEBUG_TRACE,
 735                                                 "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 736                                                 rc, saslrc, scred->bv_len );
 737                                 }
 738                                 ber_bvfree( scred );
 739                                 rc = ld->ld_errno = LDAP_LOCAL_ERROR;
 740                                 goto done;
 741                         }
 742                         break;
 743                 }
 744
 745                 do {
 746                         saslrc = sasl_client_step( ctx,
 747                                 (scred == NULL) ? NULL : scred->bv_val,
 748                                 (scred == NULL) ? 0 : scred->bv_len,
 749                                 &prompts,
 750                                 (SASL_CONST char **)&ccred.bv_val,
 751                                 &credlen );
 752
 753                         Debug( LDAP_DEBUG_TRACE, "sasl_client_step: %d\n",
 754                                 saslrc, 0, 0 );
 755
 756                         if( saslrc == SASL_INTERACT ) {
 757                                 int res;
 758                                 if( !interact ) break;
 759                                 res = (interact)( ld, flags, defaults, prompts );
 760                                 if( res != LDAP_SUCCESS ) break;
 761                         }
 762                 } while ( saslrc == SASL_INTERACT );
 763
 764                 ccred.bv_len = credlen;
 765                 ber_bvfree( scred );
 766
 767                 if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 768                         ld->ld_errno = sasl_err2ldap( saslrc );
 769 #if SASL_VERSION_MAJOR >= 2
 770                         if ( ld->ld_error ) {
 771                                 LDAP_FREE( ld->ld_error );
 772                         }
 773                         ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 774 #endif
 775                         rc = ld->ld_errno;
 776                         goto done;
 777                 }
 778         } while ( rc == LDAP_SASL_BIND_IN_PROGRESS );
 779
 780         if ( rc != LDAP_SUCCESS ) goto done;
 781
 782         if ( saslrc != SASL_OK ) {
 783 #if SASL_VERSION_MAJOR >= 2
 784                 if ( ld->ld_error ) {
 785                         LDAP_FREE( ld->ld_error );
 786                 }
 787                 ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
 788 #endif
 789                 rc = ld->ld_errno = sasl_err2ldap( saslrc );
 790                 goto done;
 791         }
 792
 793         if( flags != LDAP_SASL_QUIET ) {
 794                 saslrc = sasl_getprop( ctx, SASL_USERNAME, (SASL_CONST void **) &data );
 795                 if( saslrc == SASL_OK && data && *data ) {
 796                         fprintf( stderr, "SASL username: %s\n", data );
 797                 }
 798
 799 #if SASL_VERSION_MAJOR < 2
 800                 saslrc = sasl_getprop( ctx, SASL_REALM, (SASL_CONST void **) &data );
 801                 if( saslrc == SASL_OK && data && *data ) {
 802                         fprintf( stderr, "SASL realm: %s\n", data );
 803                 }
 804 #endif
 805         }
 806
 807         saslrc = sasl_getprop( ctx, SASL_SSF, (SASL_CONST void **) &ssf );
 808         if( saslrc == SASL_OK ) {
 809                 if( flags != LDAP_SASL_QUIET ) {
 810                         fprintf( stderr, "SASL SSF: %lu\n",
 811                                 (unsigned long) *ssf );
 812                 }
 813
 814                 if( ssf && *ssf ) {
 815                         if( flags != LDAP_SASL_QUIET ) {
 816                                 fprintf( stderr, "SASL installing layers\n" );
 817                         }
 818                         if ( ld->ld_defconn->lconn_sasl_sockctx ) {
 819                                 oldctx = ld->ld_defconn->lconn_sasl_sockctx;
 820                                 sasl_dispose( &oldctx );
 821                                 ldap_pvt_sasl_remove( ld->ld_defconn->lconn_sb );
 822                         }
 823                         ldap_pvt_sasl_install( ld->ld_defconn->lconn_sb, ctx );
 824                         ld->ld_defconn->lconn_sasl_sockctx = ctx;
 825                 }
 826         }
 827         ld->ld_defconn->lconn_sasl_authctx = ctx;
 828
 829 done:
 830         return rc;
 831 }
 832
 833 int
 834 ldap_int_sasl_external(
 835         LDAP *ld,
 836         LDAPConn *conn,
 837         const char * authid,
 838         ber_len_t ssf )
 839 {
 840         int sc;
 841         sasl_conn_t *ctx;
 842 #if SASL_VERSION_MAJOR < 2
 843         sasl_external_properties_t extprops;
 844 #endif
 845
 846         ctx = conn->lconn_sasl_authctx;
 847
 848         if ( ctx == NULL ) {
 849                 return LDAP_LOCAL_ERROR;
 850         }
 851
 852 #if SASL_VERSION_MAJOR >= 2
 853         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );
 854         if ( sc == SASL_OK )
 855                 sc = sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid );
 856 #else
 857         memset( &extprops, '\0', sizeof(extprops) );
 858         extprops.ssf = ssf;
 859         extprops.auth_id = (char *) authid;
 860
 861         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 862                 (void *) &extprops );
 863 #endif
 864
 865         if ( sc != SASL_OK ) {
 866                 return LDAP_LOCAL_ERROR;
 867         }
 868
 869         return LDAP_SUCCESS;
 870 }
 871
 872
 873 #define GOT_MINSSF      1
 874 #define GOT_MAXSSF      2
 875 #define GOT_MAXBUF      4
 876
 877 static struct {
 878         struct berval key;
 879         int sflag;
 880         int ival;
 881         int idef;
 882 } sprops[] = {
 883         { BER_BVC("none"), 0, 0, 0 },
 884         { BER_BVC("nodict"), SASL_SEC_NODICTIONARY, 0, 0 },
 885         { BER_BVC("noplain"), SASL_SEC_NOPLAINTEXT, 0, 0 },
 886         { BER_BVC("noactive"), SASL_SEC_NOACTIVE, 0, 0 },
 887         { BER_BVC("passcred"), SASL_SEC_PASS_CREDENTIALS, 0, 0 },
 888         { BER_BVC("forwardsec"), SASL_SEC_FORWARD_SECRECY, 0, 0 },
 889         { BER_BVC("noanonymous"), SASL_SEC_NOANONYMOUS, 0, 0 },
 890         { BER_BVC("minssf="), 0, GOT_MINSSF, 0 },
 891         { BER_BVC("maxssf="), 0, GOT_MAXSSF, INT_MAX },
 892         { BER_BVC("maxbufsize="), 0, GOT_MAXBUF, 65536 },
 893         { BER_BVNULL, 0, 0, 0 }
 894 };
 895
 896 void ldap_pvt_sasl_secprops_unparse(
 897         sasl_security_properties_t *secprops,
 898         struct berval *out )
 899 {
 900         int i, l = 0;
 901         int comma;
 902         char *ptr;
 903
 904         if ( secprops == NULL || out == NULL ) {
 905                 return;
 906         }
 907
 908         comma = 0;
 909         for ( i=0; !BER_BVISNULL( &sprops[i].key ); i++ ) {
 910                 if ( sprops[i].ival ) {
 911                         int v = 0;
 912
 913                         switch( sprops[i].ival ) {
 914                         case GOT_MINSSF: v = secprops->min_ssf; break;
 915                         case GOT_MAXSSF: v = secprops->max_ssf; break;
 916                         case GOT_MAXBUF: v = secprops->maxbufsize; break;
 917                         }
 918                         /* It is the default, ignore it */
 919                         if ( v == sprops[i].idef ) continue;
 920
 921                         l += sprops[i].key.bv_len + 24;
 922                 } else if ( sprops[i].sflag ) {
 923                         if ( sprops[i].sflag & secprops->security_flags ) {
 924                                 l += sprops[i].key.bv_len;
 925                         }
 926                 } else if ( secprops->security_flags == 0 ) {
 927                         l += sprops[i].key.bv_len;
 928                 }
 929                 if ( comma ) l++;
 930                 comma = 1;
 931         }
 932         l++;
 933
 934         out->bv_val = LDAP_MALLOC( l );
 935         if ( out->bv_val == NULL ) {
 936                 out->bv_len = 0;
 937                 return;
 938         }
 939
 940         ptr = out->bv_val;
 941         comma = 0;
 942         for ( i=0; !BER_BVISNULL( &sprops[i].key ); i++ ) {
 943                 if ( sprops[i].ival ) {
 944                         int v = 0;
 945
 946                         switch( sprops[i].ival ) {
 947                         case GOT_MINSSF: v = secprops->min_ssf; break;
 948                         case GOT_MAXSSF: v = secprops->max_ssf; break;
 949                         case GOT_MAXBUF: v = secprops->maxbufsize; break;
 950                         }
 951                         /* It is the default, ignore it */
 952                         if ( v == sprops[i].idef ) continue;
 953
 954                         if ( comma ) *ptr++ = ',';
 955                         ptr += sprintf(ptr, "%s%d", sprops[i].key.bv_val, v );
 956                         comma = 1;
 957                 } else if ( sprops[i].sflag ) {
 958                         if ( sprops[i].sflag & secprops->security_flags ) {
 959                                 if ( comma ) *ptr++ = ',';
 960                                 ptr += sprintf(ptr, "%s", sprops[i].key.bv_val );
 961                                 comma = 1;
 962                         }
 963                 } else if ( secprops->security_flags == 0 ) {
 964                         if ( comma ) *ptr++ = ',';
 965                         ptr += sprintf(ptr, "%s", sprops[i].key.bv_val );
 966                         comma = 1;
 967                 }
 968         }
 969         out->bv_len = ptr - out->bv_val;
 970 }
 971
 972 int ldap_pvt_sasl_secprops(
 973         const char *in,
 974         sasl_security_properties_t *secprops )
 975 {
 976         int i, j, l;
 977         char **props = ldap_str2charray( in, "," );
 978         unsigned sflags = 0;
 979         int got_sflags = 0;
 980         sasl_ssf_t max_ssf = 0;
 981         int got_max_ssf = 0;
 982         sasl_ssf_t min_ssf = 0;
 983         int got_min_ssf = 0;
 984         unsigned maxbufsize = 0;
 985         int got_maxbufsize = 0;
 986
 987         if( props == NULL || secprops == NULL ) {
 988                 return LDAP_PARAM_ERROR;
 989         }
 990
 991         for( i=0; props[i]; i++ ) {
 992                 l = strlen( props[i] );
 993                 for ( j=0; !BER_BVISNULL( &sprops[j].key ); j++ ) {
 994                         if ( l < sprops[j].key.bv_len ) continue;
 995                         if ( strncasecmp( props[i], sprops[j].key.bv_val,
 996                                 sprops[j].key.bv_len )) continue;
 997                         if ( sprops[j].ival ) {
 998                                 int v;
 999                                 char *next = NULL;
1000                                 if ( !isdigit( props[i][sprops[j].key.bv_len] )) continue;
1001                                 v = strtoul( &props[i][sprops[j].key.bv_len], &next, 10 );
1002                                 if ( next == NULL || next[ 0 ] != '\0' ) continue;
1003                                 switch( sprops[j].ival ) {
1004                                 case GOT_MINSSF:
1005                                         min_ssf = v; got_min_ssf++; break;
1006                                 case GOT_MAXSSF:
1007                                         max_ssf = v; got_max_ssf++; break;
1008                                 case GOT_MAXBUF:
1009                                         maxbufsize = v; got_maxbufsize++; break;
1010                                 }
1011                         } else {
1012                                 if ( props[i][sprops[j].key.bv_len] ) continue;
1013                                 if ( sprops[j].sflag )
1014                                         sflags |= sprops[j].sflag;
1015                                 else
1016                                         sflags = 0;
1017                                 got_sflags++;
1018                         }
1019                         break;
1020                 }
1021                 if ( BER_BVISNULL( &sprops[j].key )) {
1022                         return LDAP_NOT_SUPPORTED;
1023                 }
1024         }
1025
1026         if(got_sflags) {
1027                 secprops->security_flags = sflags;
1028         }
1029         if(got_min_ssf) {
1030                 secprops->min_ssf = min_ssf;
1031         }
1032         if(got_max_ssf) {
1033                 secprops->max_ssf = max_ssf;
1034         }
1035         if(got_maxbufsize) {
1036                 secprops->maxbufsize = maxbufsize;
1037         }
1038
1039         ldap_charray_free( props );
1040         return LDAP_SUCCESS;
1041 }
1042
1043 int
1044 ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
1045 {
1046         int rc;
1047
1048         switch( option ) {
1049         case LDAP_OPT_X_SASL_SECPROPS:
1050                 rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
1051                 if( rc == LDAP_SUCCESS ) return 0;
1052         }
1053
1054         return -1;
1055 }
1056
1057 int
1058 ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
1059 {
1060         if ( ld == NULL )
1061                 return -1;
1062
1063         switch ( option ) {
1064                 case LDAP_OPT_X_SASL_MECH: {
1065                         *(char **)arg = ld->ld_options.ldo_def_sasl_mech
1066                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
1067                 } break;
1068                 case LDAP_OPT_X_SASL_REALM: {
1069                         *(char **)arg = ld->ld_options.ldo_def_sasl_realm
1070                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
1071                 } break;
1072                 case LDAP_OPT_X_SASL_AUTHCID: {
1073                         *(char **)arg = ld->ld_options.ldo_def_sasl_authcid
1074                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
1075                 } break;
1076                 case LDAP_OPT_X_SASL_AUTHZID: {
1077                         *(char **)arg = ld->ld_options.ldo_def_sasl_authzid
1078                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
1079                 } break;
1080
1081                 case LDAP_OPT_X_SASL_SSF: {
1082                         int sc;
1083                         sasl_ssf_t      *ssf;
1084                         sasl_conn_t *ctx;
1085
1086                         if( ld->ld_defconn == NULL ) {
1087                                 return -1;
1088                         }
1089
1090                         ctx = ld->ld_defconn->lconn_sasl_sockctx;
1091
1092                         if ( ctx == NULL ) {
1093                                 return -1;
1094                         }
1095
1096                         sc = sasl_getprop( ctx, SASL_SSF,
1097                                 (SASL_CONST void **) &ssf );
1098
1099                         if ( sc != SASL_OK ) {
1100                                 return -1;
1101                         }
1102
1103                         *(ber_len_t *)arg = *ssf;
1104                 } break;
1105
1106                 case LDAP_OPT_X_SASL_SSF_EXTERNAL:
1107                         /* this option is write only */
1108                         return -1;
1109
1110                 case LDAP_OPT_X_SASL_SSF_MIN:
1111                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.min_ssf;
1112                         break;
1113                 case LDAP_OPT_X_SASL_SSF_MAX:
1114                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.max_ssf;
1115                         break;
1116                 case LDAP_OPT_X_SASL_MAXBUFSIZE:
1117                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize;
1118                         break;
1119
1120                 case LDAP_OPT_X_SASL_SECPROPS:
1121                         /* this option is write only */
1122                         return -1;
1123
1124                 default:
1125                         return -1;
1126         }
1127         return 0;
1128 }
1129
1130 int
1131 ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
1132 {
1133         if ( ld == NULL )
1134                 return -1;
1135
1136         switch ( option ) {
1137         case LDAP_OPT_X_SASL_SSF:
1138                 /* This option is read-only */
1139                 return -1;
1140
1141         case LDAP_OPT_X_SASL_SSF_EXTERNAL: {
1142                 int sc;
1143 #if SASL_VERSION_MAJOR < 2
1144                 sasl_external_properties_t extprops;
1145 #endif
1146                 sasl_conn_t *ctx;
1147
1148                 if( ld->ld_defconn == NULL ) {
1149                         return -1;
1150                 }
1151
1152                 ctx = ld->ld_defconn->lconn_sasl_authctx;
1153
1154                 if ( ctx == NULL ) {
1155                         return -1;
1156                 }
1157
1158 #if SASL_VERSION_MAJOR >= 2
1159                 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, arg);
1160 #else
1161                 memset(&extprops, 0L, sizeof(extprops));
1162
1163                 extprops.ssf = * (ber_len_t *) arg;
1164
1165                 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
1166                         (void *) &extprops );
1167 #endif
1168
1169                 if ( sc != SASL_OK ) {
1170                         return -1;
1171                 }
1172                 } break;
1173
1174         case LDAP_OPT_X_SASL_SSF_MIN:
1175                 ld->ld_options.ldo_sasl_secprops.min_ssf = *(ber_len_t *)arg;
1176                 break;
1177         case LDAP_OPT_X_SASL_SSF_MAX:
1178                 ld->ld_options.ldo_sasl_secprops.max_ssf = *(ber_len_t *)arg;
1179                 break;
1180         case LDAP_OPT_X_SASL_MAXBUFSIZE:
1181                 ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg;
1182                 break;
1183
1184         case LDAP_OPT_X_SASL_SECPROPS: {
1185                 int sc;
1186                 sc = ldap_pvt_sasl_secprops( (char *) arg,
1187                         &ld->ld_options.ldo_sasl_secprops );
1188
1189                 return sc == LDAP_SUCCESS ? 0 : -1;
1190                 }
1191
1192         default:
1193                 return -1;
1194         }
1195         return 0;
1196 }
1197
1198 #ifdef LDAP_R_COMPILE
1199 #define LDAP_DEBUG_R_SASL
1200 void *ldap_pvt_sasl_mutex_new(void)
1201 {
1202         ldap_pvt_thread_mutex_t *mutex;
1203
1204         mutex = (ldap_pvt_thread_mutex_t *) LDAP_MALLOC(
1205                 sizeof(ldap_pvt_thread_mutex_t) );
1206
1207         if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
1208                 return mutex;
1209         }
1210 #ifndef LDAP_DEBUG_R_SASL
1211         assert( 0 );
1212 #endif /* !LDAP_DEBUG_R_SASL */
1213         return NULL;
1214 }
1215
1216 int ldap_pvt_sasl_mutex_lock(void *mutex)
1217 {
1218 #ifdef LDAP_DEBUG_R_SASL
1219         if ( mutex == NULL ) {
1220                 return SASL_OK;
1221         }
1222 #else /* !LDAP_DEBUG_R_SASL */
1223         assert( mutex != NULL );
1224 #endif /* !LDAP_DEBUG_R_SASL */
1225         return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex )
1226                 ? SASL_FAIL : SASL_OK;
1227 }
1228
1229 int ldap_pvt_sasl_mutex_unlock(void *mutex)
1230 {
1231 #ifdef LDAP_DEBUG_R_SASL
1232         if ( mutex == NULL ) {
1233                 return SASL_OK;
1234         }
1235 #else /* !LDAP_DEBUG_R_SASL */
1236         assert( mutex != NULL );
1237 #endif /* !LDAP_DEBUG_R_SASL */
1238         return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex )
1239                 ? SASL_FAIL : SASL_OK;
1240 }
1241
1242 void ldap_pvt_sasl_mutex_dispose(void *mutex)
1243 {
1244 #ifdef LDAP_DEBUG_R_SASL
1245         if ( mutex == NULL ) {
1246                 return;
1247         }
1248 #else /* !LDAP_DEBUG_R_SASL */
1249         assert( mutex != NULL );
1250 #endif /* !LDAP_DEBUG_R_SASL */
1251         (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
1252         LDAP_FREE( mutex );
1253 }
1254 #endif
1255
1256 #else
1257 int ldap_int_sasl_init( void )
1258 { return LDAP_SUCCESS; }
1259
1260 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
1261 { return LDAP_SUCCESS; }
1262
1263 int
1264 ldap_int_sasl_bind(
1265         LDAP                    *ld,
1266         const char              *dn,
1267         const char              *mechs,
1268         LDAPControl             **sctrls,
1269         LDAPControl             **cctrls,
1270         unsigned                flags,
1271         LDAP_SASL_INTERACT_PROC *interact,
1272         void * defaults )
1273 { return LDAP_NOT_SUPPORTED; }
1274
1275 int
1276 ldap_int_sasl_external(
1277         LDAP *ld,
1278         LDAPConn *conn,
1279         const char * authid,
1280         ber_len_t ssf )
1281 { return LDAP_SUCCESS; }
1282
1283 #endif /* HAVE_CYRUS_SASL */