git.sur5r.net Git - openldap/blob - libraries/libldap/cyrus.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1999-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <stdio.h>
  10
  11 #include <ac/socket.h>
  12 #include <ac/stdlib.h>
  13 #include <ac/string.h>
  14 #include <ac/time.h>
  15 #include <ac/errno.h>
  16 #include <ac/ctype.h>
  17
  18 #include "ldap-int.h"
  19
  20 #ifdef HAVE_CYRUS_SASL
  21
  22 #ifdef LDAP_R_COMPILE
  23 ldap_pvt_thread_mutex_t ldap_int_sasl_mutex;
  24 #endif
  25
  26 #include <sasl.h>
  27
  28 /*
  29 * Various Cyrus SASL related stuff.
  30 */
  31
  32 int ldap_int_sasl_init( void )
  33 {
  34         /* XXX not threadsafe */
  35         static int sasl_initialized = 0;
  36
  37         static sasl_callback_t client_callbacks[] = {
  38 #ifdef SASL_CB_GETREALM
  39                 { SASL_CB_GETREALM, NULL, NULL },
  40 #endif
  41                 { SASL_CB_USER, NULL, NULL },
  42                 { SASL_CB_AUTHNAME, NULL, NULL },
  43                 { SASL_CB_PASS, NULL, NULL },
  44                 { SASL_CB_ECHOPROMPT, NULL, NULL },
  45                 { SASL_CB_NOECHOPROMPT, NULL, NULL },
  46                 { SASL_CB_LIST_END, NULL, NULL }
  47         };
  48
  49         if ( sasl_initialized ) {
  50                 return 0;
  51         }
  52
  53 #ifndef CSRIMALLOC
  54         sasl_set_alloc(
  55                 ber_memalloc,
  56                 ber_memcalloc,
  57                 ber_memrealloc,
  58                 ber_memfree );
  59 #endif /* CSRIMALLOC */
  60
  61 #ifdef LDAP_R_COMPILE
  62         sasl_set_mutex(
  63                 ldap_pvt_sasl_mutex_new,
  64                 ldap_pvt_sasl_mutex_lock,
  65                 ldap_pvt_sasl_mutex_unlock,
  66                 ldap_pvt_sasl_mutex_dispose );
  67
  68         ldap_pvt_thread_mutex_init( &ldap_int_sasl_mutex );
  69 #endif
  70
  71         if ( sasl_client_init( client_callbacks ) == SASL_OK ) {
  72                 sasl_initialized = 1;
  73                 return 0;
  74         }
  75
  76         return -1;
  77 }
  78
  79 /*
  80  * SASL encryption support for LBER Sockbufs
  81  */
  82
  83 struct sb_sasl_data {
  84         sasl_conn_t             *sasl_context;
  85         Sockbuf_Buf             sec_buf_in;
  86         Sockbuf_Buf             buf_in;
  87         Sockbuf_Buf             buf_out;
  88 };
  89
  90 static int
  91 sb_sasl_setup( Sockbuf_IO_Desc *sbiod, void *arg )
  92 {
  93         struct sb_sasl_data     *p;
  94
  95         assert( sbiod != NULL );
  96
  97         p = LBER_MALLOC( sizeof( *p ) );
  98         if ( p == NULL )
  99                 return -1;
 100         p->sasl_context = (sasl_conn_t *)arg;
 101         ber_pvt_sb_buf_init( &p->sec_buf_in );
 102         ber_pvt_sb_buf_init( &p->buf_in );
 103         ber_pvt_sb_buf_init( &p->buf_out );
 104         if ( ber_pvt_sb_grow_buffer( &p->sec_buf_in, SASL_MIN_BUFF_SIZE ) < 0 ) {
 105                 errno = ENOMEM;
 106                 return -1;
 107         }
 108
 109         sbiod->sbiod_pvt = p;
 110
 111         return 0;
 112 }
 113
 114 static int
 115 sb_sasl_remove( Sockbuf_IO_Desc *sbiod )
 116 {
 117         struct sb_sasl_data     *p;
 118
 119         assert( sbiod != NULL );
 120
 121         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 122         ber_pvt_sb_buf_destroy( &p->sec_buf_in );
 123         ber_pvt_sb_buf_destroy( &p->buf_in );
 124         ber_pvt_sb_buf_destroy( &p->buf_out );
 125         LBER_FREE( p );
 126         sbiod->sbiod_pvt = NULL;
 127         return 0;
 128 }
 129
 130 static ber_len_t
 131 sb_sasl_pkt_length( const unsigned char *buf, int debuglevel )
 132 {
 133         ber_len_t               size;
 134
 135         assert( buf != NULL );
 136
 137         size = buf[0] << 24
 138                 | buf[1] << 16
 139                 | buf[2] << 8
 140                 | buf[3];
 141
 142         /* we really should check against actual buffer size set
 143          * in the secopts.
 144          */
 145         if ( size > SASL_MAX_BUFF_SIZE ) {
 146                 /* somebody is trying to mess me up. */
 147                 ber_log_printf( LDAP_DEBUG_ANY, debuglevel,
 148                         "sb_sasl_pkt_length: received illegal packet length "
 149                         "of %lu bytes\n", (unsigned long)size );
 150                 size = 16; /* this should lead to an error. */
 151         }
 152
 153         return size + 4; /* include the size !!! */
 154 }
 155
 156 /* Drop a processed packet from the input buffer */
 157 static void
 158 sb_sasl_drop_packet ( Sockbuf_Buf *sec_buf_in, int debuglevel )
 159 {
 160         ber_slen_t                      len;
 161
 162         len = sec_buf_in->buf_ptr - sec_buf_in->buf_end;
 163         if ( len > 0 )
 164                 memmove( sec_buf_in->buf_base, sec_buf_in->buf_base +
 165                         sec_buf_in->buf_end, len );
 166
 167         if ( len >= 4 ) {
 168                 sec_buf_in->buf_end = sb_sasl_pkt_length( sec_buf_in->buf_base,
 169                         debuglevel);
 170         }
 171         else {
 172                 sec_buf_in->buf_end = 0;
 173         }
 174         sec_buf_in->buf_ptr = len;
 175 }
 176
 177 static ber_slen_t
 178 sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 179 {
 180         struct sb_sasl_data     *p;
 181         ber_slen_t              ret, bufptr;
 182
 183         assert( sbiod != NULL );
 184         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 185
 186         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 187
 188         /* Are there anything left in the buffer? */
 189         ret = ber_pvt_sb_copy_out( &p->buf_in, buf, len );
 190         bufptr = ret;
 191         len -= ret;
 192
 193         if ( len == 0 )
 194                 return bufptr;
 195
 196         ber_pvt_sb_buf_destroy( &p->buf_in );
 197
 198         /* Read the length of the packet */
 199         while ( p->sec_buf_in.buf_ptr < 4 ) {
 200                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base,
 201                         4 - p->sec_buf_in.buf_ptr );
 202 #ifdef EINTR
 203                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 204                         continue;
 205 #endif
 206                 if ( ret <= 0 )
 207                         return ret;
 208
 209                 p->sec_buf_in.buf_ptr += ret;
 210         }
 211
 212         /* The new packet always starts at p->sec_buf_in.buf_base */
 213         ret = sb_sasl_pkt_length( p->sec_buf_in.buf_base,
 214                 sbiod->sbiod_sb->sb_debug );
 215
 216         /* Grow the packet buffer if neccessary */
 217         if ( ( p->sec_buf_in.buf_size < (ber_len_t) ret ) &&
 218                 ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 )
 219         {
 220                 errno = ENOMEM;
 221                 return -1;
 222         }
 223         p->sec_buf_in.buf_end = ret;
 224
 225         /* Did we read the whole encrypted packet? */
 226         while ( p->sec_buf_in.buf_ptr < p->sec_buf_in.buf_end ) {
 227                 /* No, we have got only a part of it */
 228                 ret = p->sec_buf_in.buf_end - p->sec_buf_in.buf_ptr;
 229
 230                 ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base +
 231                         p->sec_buf_in.buf_ptr, ret );
 232 #ifdef EINTR
 233                 if ( ( ret < 0 ) && ( errno == EINTR ) )
 234                         continue;
 235 #endif
 236                 if ( ret <= 0 )
 237                         return ret;
 238
 239                 p->sec_buf_in.buf_ptr += ret;
 240         }
 241
 242         /* Decode the packet */
 243         ret = sasl_decode( p->sasl_context, p->sec_buf_in.buf_base,
 244                 p->sec_buf_in.buf_end, &p->buf_in.buf_base,
 245                 (unsigned *)&p->buf_in.buf_end );
 246         if ( ret != SASL_OK ) {
 247                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 248                         "sb_sasl_read: failed to decode packet: %s\n",
 249                         sasl_errstring( ret, NULL, NULL ) );
 250                 sb_sasl_drop_packet( &p->sec_buf_in,
 251                         sbiod->sbiod_sb->sb_debug );
 252                 errno = EIO;
 253                 return -1;
 254         }
 255
 256         /* Drop the packet from the input buffer */
 257         sb_sasl_drop_packet( &p->sec_buf_in, sbiod->sbiod_sb->sb_debug );
 258
 259         p->buf_in.buf_size = p->buf_in.buf_end;
 260
 261         bufptr += ber_pvt_sb_copy_out( &p->buf_in, (char*) buf + bufptr, len );
 262
 263         return bufptr;
 264 }
 265
 266 static ber_slen_t
 267 sb_sasl_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 268 {
 269         struct sb_sasl_data     *p;
 270         int                     ret;
 271
 272         assert( sbiod != NULL );
 273         assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 274
 275         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 276
 277         /* Are there anything left in the buffer? */
 278         if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
 279                 ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 280                 if ( ret <= 0 )
 281                         return ret;
 282         }
 283
 284         /* now encode the next packet. */
 285         ber_pvt_sb_buf_destroy( &p->buf_out );
 286         ret = sasl_encode( p->sasl_context, buf, len, &p->buf_out.buf_base,
 287                 (unsigned *)&p->buf_out.buf_size );
 288         if ( ret != SASL_OK ) {
 289                 ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 290                         "sb_sasl_write: failed to encode packet: %s\n",
 291                         sasl_errstring( ret, NULL, NULL ) );
 292                 return -1;
 293         }
 294         p->buf_out.buf_end = p->buf_out.buf_size;
 295
 296         ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 297         if ( ret <= 0 )
 298                 return ret;
 299         return len;
 300 }
 301
 302 static int
 303 sb_sasl_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 304 {
 305         struct sb_sasl_data     *p;
 306
 307         p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
 308
 309         if ( opt == LBER_SB_OPT_DATA_READY ) {
 310                 if ( p->buf_in.buf_ptr != p->buf_in.buf_end )
 311                         return 1;
 312         }
 313
 314         return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
 315 }
 316
 317 Sockbuf_IO ldap_pvt_sockbuf_io_sasl = {
 318         sb_sasl_setup,          /* sbi_setup */
 319         sb_sasl_remove,         /* sbi_remove */
 320         sb_sasl_ctrl,           /* sbi_ctrl */
 321         sb_sasl_read,           /* sbi_read */
 322         sb_sasl_write,          /* sbi_write */
 323         NULL                    /* sbi_close */
 324 };
 325
 326 int ldap_pvt_sasl_install( Sockbuf *sb, void *ctx_arg )
 327 {
 328         Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_install\n",
 329                 0, 0, 0 );
 330
 331         /* don't install the stuff unless security has been negotiated */
 332
 333         if ( !ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO,
 334                         &ldap_pvt_sockbuf_io_sasl ) )
 335         {
 336 #ifdef LDAP_DEBUG
 337                 ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 338                         LBER_SBIOD_LEVEL_APPLICATION, (void *)"sasl_" );
 339 #endif
 340                 ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_sasl,
 341                         LBER_SBIOD_LEVEL_APPLICATION, ctx_arg );
 342         }
 343
 344         return LDAP_SUCCESS;
 345 }
 346
 347 static int
 348 sasl_err2ldap( int saslerr )
 349 {
 350         int rc;
 351
 352         switch (saslerr) {
 353                 case SASL_CONTINUE:
 354                         rc = LDAP_MORE_RESULTS_TO_RETURN;
 355                         break;
 356                 case SASL_INTERACT:
 357                         rc = LDAP_LOCAL_ERROR;
 358                         break;
 359                 case SASL_OK:
 360                         rc = LDAP_SUCCESS;
 361                         break;
 362                 case SASL_FAIL:
 363                         rc = LDAP_LOCAL_ERROR;
 364                         break;
 365                 case SASL_NOMEM:
 366                         rc = LDAP_NO_MEMORY;
 367                         break;
 368                 case SASL_NOMECH:
 369                         rc = LDAP_AUTH_UNKNOWN;
 370                         break;
 371                 case SASL_BADAUTH:
 372                         rc = LDAP_AUTH_UNKNOWN;
 373                         break;
 374                 case SASL_NOAUTHZ:
 375                         rc = LDAP_PARAM_ERROR;
 376                         break;
 377                 case SASL_TOOWEAK:
 378                 case SASL_ENCRYPT:
 379                         rc = LDAP_AUTH_UNKNOWN;
 380                         break;
 381                 default:
 382                         rc = LDAP_LOCAL_ERROR;
 383                         break;
 384         }
 385
 386         assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
 387         return rc;
 388 }
 389
 390 int
 391 ldap_int_sasl_open(
 392         LDAP *ld,
 393         LDAPConn *lc,
 394         const char * host,
 395         ber_len_t ssf )
 396 {
 397         int rc;
 398         sasl_conn_t *ctx;
 399
 400         sasl_callback_t *session_callbacks =
 401                 ber_memcalloc( 2, sizeof( sasl_callback_t ) );
 402
 403         if( session_callbacks == NULL ) return LDAP_NO_MEMORY;
 404
 405         session_callbacks[0].id = SASL_CB_USER;
 406         session_callbacks[0].proc = NULL;
 407         session_callbacks[0].context = ld;
 408
 409         session_callbacks[1].id = SASL_CB_LIST_END;
 410         session_callbacks[1].proc = NULL;
 411         session_callbacks[1].context = NULL;
 412
 413         assert( lc->lconn_sasl_ctx == NULL );
 414
 415         if ( host == NULL ) {
 416                 ld->ld_errno = LDAP_LOCAL_ERROR;
 417                 return ld->ld_errno;
 418         }
 419
 420         rc = sasl_client_new( "ldap", host, session_callbacks,
 421                 SASL_SECURITY_LAYER, &ctx );
 422         ber_memfree( session_callbacks );
 423
 424         if ( rc != SASL_OK ) {
 425                 ld->ld_errno = sasl_err2ldap( rc );
 426                 return ld->ld_errno;
 427         }
 428
 429         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: host=%s\n",
 430                 host, 0, 0 );
 431
 432         lc->lconn_sasl_ctx = ctx;
 433
 434         if( ssf ) {
 435                 sasl_external_properties_t extprops;
 436                 memset(&extprops, 0L, sizeof(extprops));
 437                 extprops.ssf = ssf;
 438
 439                 (void) sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 440                         (void *) &extprops );
 441
 442                 Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: ssf=%ld\n",
 443                         (long) ssf, 0, 0 );
 444         }
 445
 446         return LDAP_SUCCESS;
 447 }
 448
 449 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 450 {
 451         sasl_conn_t *ctx = lc->lconn_sasl_ctx;
 452
 453         if( ctx != NULL ) {
 454                 sasl_dispose( &ctx );
 455                 lc->lconn_sasl_ctx = NULL;
 456         }
 457
 458         return LDAP_SUCCESS;
 459 }
 460
 461 int
 462 ldap_int_sasl_bind(
 463         LDAP                    *ld,
 464         const char              *dn,
 465         const char              *mechs,
 466         LDAPControl             **sctrls,
 467         LDAPControl             **cctrls,
 468         unsigned                flags,
 469         LDAP_SASL_INTERACT_PROC *interact,
 470         void * defaults )
 471 {
 472         char *data;
 473         const char *mech = NULL;
 474         const char *pmech = NULL;
 475         int                     saslrc, rc;
 476         sasl_ssf_t              *ssf = NULL;
 477         sasl_conn_t     *ctx;
 478         sasl_interact_t *prompts = NULL;
 479         unsigned credlen;
 480         struct berval ccred;
 481         ber_socket_t            sd;
 482
 483         Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
 484                 mechs ? mechs : "<null>", 0, 0 );
 485
 486         /* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
 487         if (ld->ld_version < LDAP_VERSION3) {
 488                 ld->ld_errno = LDAP_NOT_SUPPORTED;
 489                 return ld->ld_errno;
 490         }
 491
 492         ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
 493
 494         if ( sd == AC_SOCKET_INVALID ) {
 495                 /* not connected yet */
 496                 int rc;
 497
 498                 rc = ldap_open_defconn( ld );
 499                 if( rc < 0 ) return ld->ld_errno;
 500
 501                 ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
 502
 503                 if( sd == AC_SOCKET_INVALID ) {
 504                         ld->ld_errno = LDAP_LOCAL_ERROR;
 505                         return ld->ld_errno;
 506                 }
 507         }
 508
 509         ctx = ld->ld_defconn->lconn_sasl_ctx;
 510
 511         if( ctx == NULL ) {
 512                 ld->ld_errno = LDAP_LOCAL_ERROR;
 513                 return ld->ld_errno;
 514         }
 515
 516         /* (re)set security properties */
 517         sasl_setprop( ctx, SASL_SEC_PROPS,
 518                 &ld->ld_options.ldo_sasl_secprops );
 519
 520         ccred.bv_val = NULL;
 521         ccred.bv_len = 0;
 522
 523         do {
 524                 saslrc = sasl_client_start( ctx,
 525                         mechs,
 526                         NULL,
 527                         &prompts,
 528                         &ccred.bv_val,
 529                         &credlen,
 530                         &mech );
 531
 532                 if( pmech == NULL && mech != NULL ) {
 533                         pmech = mech;
 534
 535                         if( flags != LDAP_SASL_QUIET ) {
 536                                 fprintf(stderr,
 537                                         "SASL/%s authentication started\n",
 538                                         pmech );
 539                         }
 540                 }
 541
 542                 if( saslrc == SASL_INTERACT ) {
 543                         int res;
 544                         if( !interact ) break;
 545                         res = (interact)( ld, flags, defaults, prompts );
 546                         if( res != LDAP_SUCCESS ) {
 547                                 break;
 548                         }
 549                 }
 550         } while ( saslrc == SASL_INTERACT );
 551
 552         ccred.bv_len = credlen;
 553
 554         if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 555                 ld->ld_errno = sasl_err2ldap( saslrc );
 556                 return ld->ld_errno;
 557         }
 558
 559         do {
 560                 struct berval *scred;
 561                 unsigned credlen;
 562
 563                 scred = NULL;
 564
 565                 rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
 566
 567                 if ( ccred.bv_val != NULL ) {
 568                         LDAP_FREE( ccred.bv_val );
 569                         ccred.bv_val = NULL;
 570                 }
 571
 572                 if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
 573                         if( scred && scred->bv_len ) {
 574                                 /* and server provided us with data? */
 575                                 Debug( LDAP_DEBUG_TRACE,
 576                                         "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 577                                         rc, saslrc, scred->bv_len );
 578                                 ber_bvfree( scred );
 579                         }
 580                         return ld->ld_errno;
 581                 }
 582
 583                 if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
 584                         /* we're done, no need to step */
 585                         if( scred && scred->bv_len ) {
 586                                 /* but server provided us with data! */
 587                                 Debug( LDAP_DEBUG_TRACE,
 588                                         "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
 589                                         rc, saslrc, scred->bv_len );
 590                                 ber_bvfree( scred );
 591                                 return ld->ld_errno = LDAP_LOCAL_ERROR;
 592                         }
 593                         break;
 594                 }
 595
 596                 do {
 597                         saslrc = sasl_client_step( ctx,
 598                                 (scred == NULL) ? NULL : scred->bv_val,
 599                                 (scred == NULL) ? 0 : scred->bv_len,
 600                                 &prompts,
 601                                 &ccred.bv_val,
 602                                 &credlen );
 603
 604                         Debug( LDAP_DEBUG_TRACE, "sasl_client_start: %d\n",
 605                                 saslrc, 0, 0 );
 606
 607                         if( saslrc == SASL_INTERACT ) {
 608                                 int res;
 609                                 if( !interact ) break;
 610                                 res = (interact)( ld, flags, defaults, prompts );
 611                                 if( res != LDAP_SUCCESS ) {
 612                                         break;
 613                                 }
 614                         }
 615                 } while ( saslrc == SASL_INTERACT );
 616
 617                 ccred.bv_len = credlen;
 618                 ber_bvfree( scred );
 619
 620                 if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 621                         ld->ld_errno = sasl_err2ldap( saslrc );
 622                         return ld->ld_errno;
 623                 }
 624         } while ( rc == LDAP_SASL_BIND_IN_PROGRESS );
 625
 626         if ( rc != LDAP_SUCCESS ) {
 627                 return rc;
 628         }
 629
 630         if ( saslrc != SASL_OK ) {
 631                 return ld->ld_errno = sasl_err2ldap( saslrc );
 632         }
 633
 634         if( flags != LDAP_SASL_QUIET ) {
 635                 saslrc = sasl_getprop( ctx, SASL_USERNAME, (void **) &data );
 636                 if( saslrc == SASL_OK && data && *data ) {
 637                         fprintf( stderr, "SASL username: %s\n", data );
 638                 }
 639
 640                 saslrc = sasl_getprop( ctx, SASL_REALM, (void **) &data );
 641                 if( saslrc == SASL_OK && data && *data ) {
 642                         fprintf( stderr, "SASL realm: %s\n", data );
 643                 }
 644         }
 645
 646         saslrc = sasl_getprop( ctx, SASL_SSF, (void **) &ssf );
 647         if( saslrc == SASL_OK ) {
 648                 if( flags != LDAP_SASL_QUIET ) {
 649                         fprintf( stderr, "SASL SSF: %lu\n",
 650                                 (unsigned long) *ssf );
 651                 }
 652
 653                 if( ssf && *ssf ) {
 654                         if( flags != LDAP_SASL_QUIET ) {
 655                                 fprintf( stderr, "SASL installing layers\n" );
 656                         }
 657                         ldap_pvt_sasl_install( ld->ld_conns->lconn_sb, ctx );
 658                 }
 659         }
 660
 661         return rc;
 662 }
 663
 664 int
 665 ldap_int_sasl_external(
 666         LDAP *ld,
 667         LDAPConn *conn,
 668         const char * authid,
 669         ber_len_t ssf )
 670 {
 671         int sc;
 672         sasl_conn_t *ctx;
 673         sasl_external_properties_t extprops;
 674
 675         ctx = conn->lconn_sasl_ctx;
 676
 677         if ( ctx == NULL ) {
 678                 return LDAP_LOCAL_ERROR;
 679         }
 680
 681         memset( &extprops, '\0', sizeof(extprops) );
 682         extprops.ssf = ssf;
 683         extprops.auth_id = (char *) authid;
 684
 685         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 686                 (void *) &extprops );
 687
 688         if ( sc != SASL_OK ) {
 689                 return LDAP_LOCAL_ERROR;
 690         }
 691
 692         return LDAP_SUCCESS;
 693 }
 694
 695
 696 int ldap_pvt_sasl_secprops(
 697         const char *in,
 698         sasl_security_properties_t *secprops )
 699 {
 700         int i;
 701         char **props = ldap_str2charray( in, "," );
 702         unsigned sflags = 0;
 703         int got_sflags = 0;
 704         sasl_ssf_t max_ssf = 0;
 705         int got_max_ssf = 0;
 706         sasl_ssf_t min_ssf = 0;
 707         int got_min_ssf = 0;
 708         unsigned maxbufsize = 0;
 709         int got_maxbufsize = 0;
 710
 711         if( props == NULL || secprops == NULL ) {
 712                 return LDAP_PARAM_ERROR;
 713         }
 714
 715         for( i=0; props[i]; i++ ) {
 716                 if( !strcasecmp(props[i], "none") ) {
 717                         got_sflags++;
 718
 719                 } else if( !strcasecmp(props[i], "noplain") ) {
 720                         got_sflags++;
 721                         sflags |= SASL_SEC_NOPLAINTEXT;
 722
 723                 } else if( !strcasecmp(props[i], "noactive") ) {
 724                         got_sflags++;
 725                         sflags |= SASL_SEC_NOACTIVE;
 726
 727                 } else if( !strcasecmp(props[i], "nodict") ) {
 728                         got_sflags++;
 729                         sflags |= SASL_SEC_NODICTIONARY;
 730
 731                 } else if( !strcasecmp(props[i], "forwardsec") ) {
 732                         got_sflags++;
 733                         sflags |= SASL_SEC_FORWARD_SECRECY;
 734
 735                 } else if( !strcasecmp(props[i], "noanonymous")) {
 736                         got_sflags++;
 737                         sflags |= SASL_SEC_NOANONYMOUS;
 738
 739                 } else if( !strcasecmp(props[i], "passcred") ) {
 740                         got_sflags++;
 741                         sflags |= SASL_SEC_PASS_CREDENTIALS;
 742
 743                 } else if( !strncasecmp(props[i],
 744                         "minssf=", sizeof("minssf")) )
 745                 {
 746                         if( isdigit( props[i][sizeof("minssf")] ) ) {
 747                                 got_min_ssf++;
 748                                 min_ssf = atoi( &props[i][sizeof("minssf")] );
 749                         } else {
 750                                 return LDAP_NOT_SUPPORTED;
 751                         }
 752
 753                 } else if( !strncasecmp(props[i],
 754                         "maxssf=", sizeof("maxssf")) )
 755                 {
 756                         if( isdigit( props[i][sizeof("maxssf")] ) ) {
 757                                 got_max_ssf++;
 758                                 max_ssf = atoi( &props[i][sizeof("maxssf")] );
 759                         } else {
 760                                 return LDAP_NOT_SUPPORTED;
 761                         }
 762
 763                 } else if( !strncasecmp(props[i],
 764                         "maxbufsize=", sizeof("maxbufsize")) )
 765                 {
 766                         if( isdigit( props[i][sizeof("maxbufsize")] ) ) {
 767                                 got_maxbufsize++;
 768                                 maxbufsize = atoi( &props[i][sizeof("maxbufsize")] );
 769                         } else {
 770                                 return LDAP_NOT_SUPPORTED;
 771                         }
 772
 773                         if( maxbufsize && (( maxbufsize < SASL_MIN_BUFF_SIZE )
 774                                 || (maxbufsize > SASL_MAX_BUFF_SIZE )))
 775                         {
 776                                 /* bad maxbufsize */
 777                                 return LDAP_PARAM_ERROR;
 778                         }
 779
 780                 } else {
 781                         return LDAP_NOT_SUPPORTED;
 782                 }
 783         }
 784
 785         if(got_sflags) {
 786                 secprops->security_flags = sflags;
 787         }
 788         if(got_min_ssf) {
 789                 secprops->min_ssf = min_ssf;
 790         }
 791         if(got_max_ssf) {
 792                 secprops->max_ssf = max_ssf;
 793         }
 794         if(got_maxbufsize) {
 795                 secprops->maxbufsize = maxbufsize;
 796         }
 797
 798         ldap_charray_free( props );
 799         return LDAP_SUCCESS;
 800 }
 801
 802 int
 803 ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
 804 {
 805         int rc;
 806
 807         switch( option ) {
 808         case LDAP_OPT_X_SASL_SECPROPS:
 809                 rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
 810                 if( rc == LDAP_SUCCESS ) return 0;
 811         }
 812
 813         return -1;
 814 }
 815
 816 int
 817 ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 818 {
 819         if ( ld == NULL )
 820                 return -1;
 821
 822         switch ( option ) {
 823                 case LDAP_OPT_X_SASL_MECH: {
 824                         *(char **)arg = ld->ld_options.ldo_def_sasl_mech
 825                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
 826                 } break;
 827                 case LDAP_OPT_X_SASL_REALM: {
 828                         *(char **)arg = ld->ld_options.ldo_def_sasl_realm
 829                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
 830                 } break;
 831                 case LDAP_OPT_X_SASL_AUTHCID: {
 832                         *(char **)arg = ld->ld_options.ldo_def_sasl_authcid
 833                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
 834                 } break;
 835                 case LDAP_OPT_X_SASL_AUTHZID: {
 836                         *(char **)arg = ld->ld_options.ldo_def_sasl_authzid
 837                                 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
 838                 } break;
 839
 840                 case LDAP_OPT_X_SASL_SSF: {
 841                         int sc;
 842                         sasl_ssf_t      *ssf;
 843                         sasl_conn_t *ctx;
 844
 845                         if( ld->ld_defconn == NULL ) {
 846                                 return -1;
 847                         }
 848
 849                         ctx = ld->ld_defconn->lconn_sasl_ctx;
 850
 851                         if ( ctx == NULL ) {
 852                                 return -1;
 853                         }
 854
 855                         sc = sasl_getprop( ctx, SASL_SSF,
 856                                 (void **) &ssf );
 857
 858                         if ( sc != SASL_OK ) {
 859                                 return -1;
 860                         }
 861
 862                         *(ber_len_t *)arg = *ssf;
 863                 } break;
 864
 865                 case LDAP_OPT_X_SASL_SSF_EXTERNAL:
 866                         /* this option is write only */
 867                         return -1;
 868
 869                 case LDAP_OPT_X_SASL_SSF_MIN:
 870                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.min_ssf;
 871                         break;
 872                 case LDAP_OPT_X_SASL_SSF_MAX:
 873                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.max_ssf;
 874                         break;
 875                 case LDAP_OPT_X_SASL_MAXBUFSIZE:
 876                         *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize;
 877                         break;
 878
 879                 case LDAP_OPT_X_SASL_SECPROPS:
 880                         /* this option is write only */
 881                         return -1;
 882
 883                 default:
 884                         return -1;
 885         }
 886         return 0;
 887 }
 888
 889 int
 890 ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 891 {
 892         if ( ld == NULL )
 893                 return -1;
 894
 895         switch ( option ) {
 896         case LDAP_OPT_X_SASL_SSF:
 897                 /* This option is read-only */
 898                 return -1;
 899
 900         case LDAP_OPT_X_SASL_SSF_EXTERNAL: {
 901                 int sc;
 902                 sasl_external_properties_t extprops;
 903                 sasl_conn_t *ctx;
 904
 905                 if( ld->ld_defconn == NULL ) {
 906                         return -1;
 907                 }
 908
 909                 ctx = ld->ld_defconn->lconn_sasl_ctx;
 910
 911                 if ( ctx == NULL ) {
 912                         return -1;
 913                 }
 914
 915                 memset(&extprops, 0L, sizeof(extprops));
 916
 917                 extprops.ssf = * (ber_len_t *) arg;
 918
 919                 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 920                         (void *) &extprops );
 921
 922                 if ( sc != SASL_OK ) {
 923                         return -1;
 924                 }
 925                 } break;
 926
 927         case LDAP_OPT_X_SASL_SSF_MIN:
 928                 ld->ld_options.ldo_sasl_secprops.min_ssf = *(ber_len_t *)arg;
 929                 break;
 930         case LDAP_OPT_X_SASL_SSF_MAX:
 931                 ld->ld_options.ldo_sasl_secprops.max_ssf = *(ber_len_t *)arg;
 932                 break;
 933         case LDAP_OPT_X_SASL_MAXBUFSIZE:
 934                 ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg;
 935                 break;
 936
 937         case LDAP_OPT_X_SASL_SECPROPS: {
 938                 int sc;
 939                 sc = ldap_pvt_sasl_secprops( (char *) arg,
 940                         &ld->ld_options.ldo_sasl_secprops );
 941
 942                 return sc == LDAP_SUCCESS ? 0 : -1;
 943                 }
 944
 945         default:
 946                 return -1;
 947         }
 948         return 0;
 949 }
 950
 951 #ifdef LDAP_R_COMPILE
 952 void *ldap_pvt_sasl_mutex_new(void)
 953 {
 954         ldap_pvt_thread_mutex_t *mutex;
 955
 956         mutex = (ldap_pvt_thread_mutex_t *) LDAP_MALLOC(
 957                 sizeof(ldap_pvt_thread_mutex_t) );
 958
 959         if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
 960                 return mutex;
 961         }
 962         return NULL;
 963 }
 964
 965 int ldap_pvt_sasl_mutex_lock(void *mutex)
 966 {
 967         return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex )
 968                 ? SASL_FAIL : SASL_OK;
 969 }
 970
 971 int ldap_pvt_sasl_mutex_unlock(void *mutex)
 972 {
 973         return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex )
 974                 ? SASL_FAIL : SASL_OK;
 975 }
 976
 977 void ldap_pvt_sasl_mutex_dispose(void *mutex)
 978 {
 979         (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
 980         LDAP_FREE( mutex );
 981 }
 982 #endif
 983
 984 #else
 985 int ldap_int_sasl_init( void )
 986 { return LDAP_SUCCESS; }
 987
 988 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 989 { return LDAP_SUCCESS; }
 990
 991 int
 992 ldap_int_sasl_bind(
 993         LDAP                    *ld,
 994         const char              *dn,
 995         const char              *mechs,
 996         LDAPControl             **sctrls,
 997         LDAPControl             **cctrls,
 998         unsigned                flags,
 999         LDAP_SASL_INTERACT_PROC *interact,
1000         void * defaults )
1001 { return LDAP_NOT_SUPPORTED; }
1002
1003 int
1004 ldap_int_sasl_external(
1005         LDAP *ld,
1006         LDAPConn *conn,
1007         const char * authid,
1008         ber_len_t ssf )
1009 { return LDAP_SUCCESS; }
1010
1011 #endif /* HAVE_CYRUS_SASL */