#include <ac/string.h>
#include <ac/time.h>
#include <ac/errno.h>
+#include <ac/ctype.h>
#include "ldap-int.h"
#ifdef LDAP_R_COMPILE
/* Grow the packet buffer if neccessary */
if ( ( p->sec_buf_in.buf_size < ret ) &&
- ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 ) {
+ ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 )
+ {
errno = ENOMEM;
return -1;
}
if ( !ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO,
&ldap_pvt_sockbuf_io_sasl ) )
+ {
+#ifdef LDAP_DEBUG
+ ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
+ LBER_SBIOD_LEVEL_APPLICATION, (void *)"sasl_" );
+#endif
ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_sasl,
LBER_SBIOD_LEVEL_APPLICATION, ctx_arg );
+ }
return LDAP_SUCCESS;
}
case SASL_CONTINUE:
rc = LDAP_MORE_RESULTS_TO_RETURN;
break;
+ case SASL_INTERACT:
+ rc = LDAP_LOCAL_ERROR;
+ break;
case SASL_OK:
rc = LDAP_SUCCESS;
break;
assert( lc->lconn_sasl_ctx == NULL );
if ( host == NULL ) {
- ld->ld_errno = LDAP_UNAVAILABLE;
+ ld->ld_errno = LDAP_LOCAL_ERROR;
return ld->ld_errno;
}
- rc = sasl_client_new( "ldap", host,
- session_callbacks,
-#ifdef LDAP_SASL_SECURITY_LAYER
- SASL_SECURITY_LAYER,
-#else
- 0,
-#endif
- &ctx );
+ rc = sasl_client_new( "ldap", host, session_callbacks,
+ SASL_SECURITY_LAYER, &ctx );
if ( rc != SASL_OK ) {
ld->ld_errno = sasl_err2ldap( rc );
int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
{
sasl_conn_t *ctx = lc->lconn_sasl_ctx;
- assert( ctx != NULL );
- if( ctx ) {
+ if( ctx != NULL ) {
sasl_dispose( &ctx );
lc->lconn_sasl_ctx = NULL;
}
sasl_conn_t *ctx;
sasl_interact_t *prompts = NULL;
unsigned credlen;
- struct berval ccred, *scred;
+ struct berval ccred;
ber_socket_t sd;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
if ( sd == AC_SOCKET_INVALID ) {
/* not connected yet */
- int rc = ldap_open_defconn( ld );
-
+ int rc;
+
+ rc = ldap_open_defconn( ld );
if( rc < 0 ) return ld->ld_errno;
+
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
if( sd == AC_SOCKET_INVALID ) {
- ld->ld_errno = LDAP_UNAVAILABLE;
+ ld->ld_errno = LDAP_LOCAL_ERROR;
return ld->ld_errno;
}
}
ctx = ld->ld_defconn->lconn_sasl_ctx;
if( ctx == NULL ) {
- ld->ld_errno = LDAP_UNAVAILABLE;
+ ld->ld_errno = LDAP_LOCAL_ERROR;
return ld->ld_errno;
}
}
if( saslrc == SASL_INTERACT ) {
+ int res;
if( !interact ) break;
- rc = (interact)( ld, flags, defaults, prompts );
- if( rc != LDAP_SUCCESS ) {
+ res = (interact)( ld, flags, defaults, prompts );
+ if( res != LDAP_SUCCESS ) {
break;
}
}
return ld->ld_errno;
}
- scred = NULL;
-
do {
+ struct berval *scred;
unsigned credlen;
+ scred = NULL;
+
rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
- if ( rc == LDAP_SUCCESS ) {
- break;
- } else if ( rc != LDAP_SASL_BIND_IN_PROGRESS ) {
- if ( ccred.bv_val != NULL ) {
- LDAP_FREE( ccred.bv_val );
+ if ( ccred.bv_val != NULL ) {
+ LDAP_FREE( ccred.bv_val );
+ ccred.bv_val = NULL;
+ }
+
+ if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
+ if( scred ) {
+ /* and server provided us with data? */
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
+ rc, saslrc, scred->bv_len );
+ ber_bvfree( scred );
}
return ld->ld_errno;
}
- if ( ccred.bv_val != NULL ) {
- LDAP_FREE( ccred.bv_val );
- ccred.bv_val = NULL;
+ if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
+ /* we're done, no need to step */
+ if( scred ) {
+ /* but server provided us with data! */
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
+ rc, saslrc, scred->bv_len );
+ ber_bvfree( scred );
+ return ld->ld_errno = LDAP_LOCAL_ERROR;
+ }
+ break;
}
do {
if( saslrc == SASL_INTERACT ) {
int res;
if( !interact ) break;
- rc = (interact)( ld, flags, defaults, prompts );
+ res = (interact)( ld, flags, defaults, prompts );
if( res != LDAP_SUCCESS ) {
break;
}
}
} while ( rc == LDAP_SASL_BIND_IN_PROGRESS );
- assert ( rc == LDAP_SUCCESS );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
- /* likely should add a quiet option */
+ if ( saslrc != SASL_OK ) {
+ return ld->ld_errno = sasl_err2ldap( saslrc );
+ }
if( flags != LDAP_SASL_QUIET ) {
saslrc = sasl_getprop( ctx, SASL_USERNAME, (void **) &data );
(unsigned long) *ssf );
}
-#ifdef LDAP_SASL_SECURITY_LAYER
if( ssf && *ssf ) {
if( flags != LDAP_SASL_QUIET ) {
fprintf( stderr, "SASL installing layers\n" );
}
ldap_pvt_sasl_install( ld->ld_sb, ctx );
}
-#endif
}
return rc;
}
+int
+ldap_int_sasl_external(
+ LDAP *ld,
+ const char * authid,
+ ber_len_t ssf )
+{
+ int sc;
+ sasl_conn_t *ctx;
+ sasl_external_properties_t extprops;
+
+ if( ld->ld_defconn == NULL ) {
+ return LDAP_LOCAL_ERROR;
+ }
+
+ ctx = ld->ld_defconn->lconn_sasl_ctx;
+
+ if ( ctx == NULL ) {
+ return LDAP_LOCAL_ERROR;
+ }
+
+ memset( &extprops, '\0', sizeof(extprops) );
+ extprops.ssf = ssf;
+ extprops.auth_id = (char *) authid;
+
+ sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
+ (void *) &extprops );
+
+ if ( sc != SASL_OK ) {
+ return LDAP_LOCAL_ERROR;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+
int ldap_pvt_sasl_secprops(
const char *in,
sasl_security_properties_t *secprops )
char **props = ldap_str2charray( in, "," );
unsigned sflags = 0;
int got_sflags = 0;
- sasl_ssf_t max_ssf;
+ sasl_ssf_t max_ssf = 0;
int got_max_ssf = 0;
- sasl_ssf_t min_ssf;
+ sasl_ssf_t min_ssf = 0;
int got_min_ssf = 0;
- unsigned maxbufsize;
+ unsigned maxbufsize = 0;
int got_maxbufsize = 0;
if( props == NULL || secprops == NULL ) {
"minssf=", sizeof("minssf")) )
{
if( isdigit( props[i][sizeof("minssf")] ) ) {
- got_max_ssf++;
+ got_min_ssf++;
min_ssf = atoi( &props[i][sizeof("minssf")] );
} else {
return LDAP_NOT_SUPPORTED;
const char *dn,
const char *mechs,
LDAPControl **sctrls,
- LDAPControl **cctrls )
+ LDAPControl **cctrls,
+ unsigned flags,
+ LDAP_SASL_INTERACT_PROC *interact,
+ void * defaults )
{ return LDAP_NOT_SUPPORTED; }
+
+int
+ldap_int_sasl_external(
+ LDAP *ld,
+ const char * authid,
+ ber_len_t ssf )
+{ return LDAP_SUCCESS; }
+
#endif /* HAVE_CYRUS_SASL */
projects / openldap / blobdiff