X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Fcyrus.c;h=57d0304313c6da5b1f41ba10a476713e628e7108;hb=e22dc83ac096d1239a6903199f5dc3231b0f444b;hp=d67d007823ae268a6243cffdd79ef2214dcd577e;hpb=acbb5cf689a4336af05c9f259d909d8141055bac;p=openldap diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c index d67d007823..57d0304313 100644 --- a/libraries/libldap/cyrus.c +++ b/libraries/libldap/cyrus.c @@ -1,7 +1,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2006 The OpenLDAP Foundation. + * Copyright 1998-2009 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -133,321 +133,128 @@ int ldap_int_sasl_init( void ) return -1; } -/* - * SASL encryption support for LBER Sockbufs - */ - -struct sb_sasl_data { - sasl_conn_t *sasl_context; - unsigned *sasl_maxbuf; - Sockbuf_Buf sec_buf_in; - Sockbuf_Buf buf_in; - Sockbuf_Buf buf_out; -}; - -static int -sb_sasl_setup( Sockbuf_IO_Desc *sbiod, void *arg ) +static void +sb_sasl_cyrus_init( + struct sb_sasl_generic_data *p, + ber_len_t *min_send, + ber_len_t *max_send, + ber_len_t *max_recv) { - struct sb_sasl_data *p; + sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private; + ber_len_t maxbuf; - assert( sbiod != NULL ); + sasl_getprop( sasl_context, SASL_MAXOUTBUF, + (SASL_CONST void **)(char *) &maxbuf ); - p = LBER_MALLOC( sizeof( *p ) ); - if ( p == NULL ) - return -1; - p->sasl_context = (sasl_conn_t *)arg; - ber_pvt_sb_buf_init( &p->sec_buf_in ); - ber_pvt_sb_buf_init( &p->buf_in ); - ber_pvt_sb_buf_init( &p->buf_out ); - if ( ber_pvt_sb_grow_buffer( &p->sec_buf_in, SASL_MIN_BUFF_SIZE ) < 0 ) { - LBER_FREE( p ); - errno = ENOMEM; - return -1; - } - sasl_getprop( p->sasl_context, SASL_MAXOUTBUF, - (SASL_CONST void **) &p->sasl_maxbuf ); - - sbiod->sbiod_pvt = p; - - return 0; + *min_send = SASL_MIN_BUFF_SIZE; + *max_send = maxbuf; + *max_recv = SASL_MAX_BUFF_SIZE; } -static int -sb_sasl_remove( Sockbuf_IO_Desc *sbiod ) +static ber_int_t +sb_sasl_cyrus_encode( + struct sb_sasl_generic_data *p, + unsigned char *buf, + ber_len_t len, + Sockbuf_Buf *dst) { - struct sb_sasl_data *p; + sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private; + ber_int_t ret; + unsigned tmpsize = dst->buf_size; - assert( sbiod != NULL ); - - p = (struct sb_sasl_data *)sbiod->sbiod_pvt; -#if SASL_VERSION_MAJOR >= 2 - /* - * SASLv2 encode/decode buffers are managed by - * libsasl2. Ensure they are not freed by liblber. - */ - p->buf_in.buf_base = NULL; - p->buf_out.buf_base = NULL; -#endif - ber_pvt_sb_buf_destroy( &p->sec_buf_in ); - ber_pvt_sb_buf_destroy( &p->buf_in ); - ber_pvt_sb_buf_destroy( &p->buf_out ); - LBER_FREE( p ); - sbiod->sbiod_pvt = NULL; - return 0; -} - -static ber_len_t -sb_sasl_pkt_length( const unsigned char *buf, int debuglevel ) -{ - ber_len_t size; + ret = sasl_encode( sasl_context, (char *)buf, len, + (SASL_CONST char **)&dst->buf_base, + &tmpsize ); - assert( buf != NULL ); + dst->buf_size = tmpsize; + dst->buf_end = dst->buf_size; - size = buf[0] << 24 - | buf[1] << 16 - | buf[2] << 8 - | buf[3]; - - if ( size > SASL_MAX_BUFF_SIZE ) { - /* somebody is trying to mess me up. */ - ber_log_printf( LDAP_DEBUG_ANY, debuglevel, - "sb_sasl_pkt_length: received illegal packet length " - "of %lu bytes\n", (unsigned long)size ); - size = 16; /* this should lead to an error. */ + if ( ret != SASL_OK ) { + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_cyrus_encode: failed to encode packet: %s\n", + sasl_errstring( ret, NULL, NULL ) ); + return -1; } - return size + 4; /* include the size !!! */ -} - -/* Drop a processed packet from the input buffer */ -static void -sb_sasl_drop_packet ( Sockbuf_Buf *sec_buf_in, int debuglevel ) -{ - ber_slen_t len; - - len = sec_buf_in->buf_ptr - sec_buf_in->buf_end; - if ( len > 0 ) - AC_MEMCPY( sec_buf_in->buf_base, sec_buf_in->buf_base + - sec_buf_in->buf_end, len ); - - if ( len >= 4 ) { - sec_buf_in->buf_end = sb_sasl_pkt_length( - (unsigned char *) sec_buf_in->buf_base, debuglevel); - } - else { - sec_buf_in->buf_end = 0; - } - sec_buf_in->buf_ptr = len; + return 0; } -static ber_slen_t -sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +static ber_int_t +sb_sasl_cyrus_decode( + struct sb_sasl_generic_data *p, + const Sockbuf_Buf *src, + Sockbuf_Buf *dst) { - struct sb_sasl_data *p; - ber_slen_t ret, bufptr; - - assert( sbiod != NULL ); - assert( SOCKBUF_VALID( sbiod->sbiod_sb ) ); - - p = (struct sb_sasl_data *)sbiod->sbiod_pvt; - - /* Are there anything left in the buffer? */ - ret = ber_pvt_sb_copy_out( &p->buf_in, buf, len ); - bufptr = ret; - len -= ret; - - if ( len == 0 ) - return bufptr; - -#if SASL_VERSION_MAJOR >= 2 - ber_pvt_sb_buf_init( &p->buf_in ); -#else - ber_pvt_sb_buf_destroy( &p->buf_in ); -#endif - - /* Read the length of the packet */ - while ( p->sec_buf_in.buf_ptr < 4 ) { - ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base + - p->sec_buf_in.buf_ptr, - 4 - p->sec_buf_in.buf_ptr ); -#ifdef EINTR - if ( ( ret < 0 ) && ( errno == EINTR ) ) - continue; -#endif - if ( ret <= 0 ) - return bufptr ? bufptr : ret; - - p->sec_buf_in.buf_ptr += ret; - } + sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private; + ber_int_t ret; + unsigned tmpsize = dst->buf_size; - /* The new packet always starts at p->sec_buf_in.buf_base */ - ret = sb_sasl_pkt_length( (unsigned char *) p->sec_buf_in.buf_base, - sbiod->sbiod_sb->sb_debug ); + ret = sasl_decode( sasl_context, + src->buf_base, src->buf_end, + (SASL_CONST char **)&dst->buf_base, + (unsigned *)&tmpsize ); - /* Grow the packet buffer if neccessary */ - if ( ( p->sec_buf_in.buf_size < (ber_len_t) ret ) && - ber_pvt_sb_grow_buffer( &p->sec_buf_in, ret ) < 0 ) - { - errno = ENOMEM; - return -1; - } - p->sec_buf_in.buf_end = ret; - - /* Did we read the whole encrypted packet? */ - while ( p->sec_buf_in.buf_ptr < p->sec_buf_in.buf_end ) { - /* No, we have got only a part of it */ - ret = p->sec_buf_in.buf_end - p->sec_buf_in.buf_ptr; - - ret = LBER_SBIOD_READ_NEXT( sbiod, p->sec_buf_in.buf_base + - p->sec_buf_in.buf_ptr, ret ); -#ifdef EINTR - if ( ( ret < 0 ) && ( errno == EINTR ) ) - continue; -#endif - if ( ret <= 0 ) - return bufptr ? bufptr : ret; - - p->sec_buf_in.buf_ptr += ret; - } - - /* Decode the packet */ - { - unsigned tmpsize = p->buf_in.buf_end; - ret = sasl_decode( p->sasl_context, p->sec_buf_in.buf_base, - p->sec_buf_in.buf_end, - (SASL_CONST char **)&p->buf_in.buf_base, - (unsigned *)&tmpsize ); - p->buf_in.buf_end = tmpsize; - } - /* Drop the packet from the input buffer */ - sb_sasl_drop_packet( &p->sec_buf_in, sbiod->sbiod_sb->sb_debug ); + dst->buf_size = tmpsize; + dst->buf_end = dst->buf_size; if ( ret != SASL_OK ) { - ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug, - "sb_sasl_read: failed to decode packet: %s\n", - sasl_errstring( ret, NULL, NULL ) ); - errno = EIO; + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_cyrus_decode: failed to decode packet: %s\n", + sasl_errstring( ret, NULL, NULL ) ); return -1; } - - p->buf_in.buf_size = p->buf_in.buf_end; - bufptr += ber_pvt_sb_copy_out( &p->buf_in, (char*) buf + bufptr, len ); - - return bufptr; + return 0; } -static ber_slen_t -sb_sasl_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) +static void +sb_sasl_cyrus_reset_buf( + struct sb_sasl_generic_data *p, + Sockbuf_Buf *buf) { - struct sb_sasl_data *p; - int ret; - - assert( sbiod != NULL ); - assert( SOCKBUF_VALID( sbiod->sbiod_sb ) ); - - p = (struct sb_sasl_data *)sbiod->sbiod_pvt; - - /* Are there anything left in the buffer? */ - if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) { - ret = ber_pvt_sb_do_write( sbiod, &p->buf_out ); - if ( ret < 0 ) return ret; - - /* Still have something left?? */ - if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) { - errno = EAGAIN; - return -1; - } - } - - /* now encode the next packet. */ #if SASL_VERSION_MAJOR >= 2 - ber_pvt_sb_buf_init( &p->buf_out ); + ber_pvt_sb_buf_init( buf ); #else - ber_pvt_sb_buf_destroy( &p->buf_out ); + ber_pvt_sb_buf_destroy( buf ); #endif - if ( len > *p->sasl_maxbuf - 100 ) { - len = *p->sasl_maxbuf - 100; /* For safety margin */ - } - - { - unsigned tmpsize = p->buf_out.buf_size; - ret = sasl_encode( p->sasl_context, buf, len, - (SASL_CONST char **)&p->buf_out.buf_base, - &tmpsize ); - p->buf_out.buf_size = tmpsize; - } - - if ( ret != SASL_OK ) { - ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug, - "sb_sasl_write: failed to encode packet: %s\n", - sasl_errstring( ret, NULL, NULL ) ); - errno = EIO; - return -1; - } - p->buf_out.buf_end = p->buf_out.buf_size; - - ret = ber_pvt_sb_do_write( sbiod, &p->buf_out ); - - /* return number of bytes encoded, not written, to ensure - * no byte is encoded twice (even if only sent once). - */ - return len; } -static int -sb_sasl_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg ) +static void +sb_sasl_cyrus_fini( + struct sb_sasl_generic_data *p) { - struct sb_sasl_data *p; - - p = (struct sb_sasl_data *)sbiod->sbiod_pvt; - - if ( opt == LBER_SB_OPT_DATA_READY ) { - if ( p->buf_in.buf_ptr != p->buf_in.buf_end ) return 1; - } - - return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg ); +#if SASL_VERSION_MAJOR >= 2 + /* + * SASLv2 encode/decode buffers are managed by + * libsasl2. Ensure they are not freed by liblber. + */ + p->buf_in.buf_base = NULL; + p->buf_out.buf_base = NULL; +#endif } -Sockbuf_IO ldap_pvt_sockbuf_io_sasl = { - sb_sasl_setup, /* sbi_setup */ - sb_sasl_remove, /* sbi_remove */ - sb_sasl_ctrl, /* sbi_ctrl */ - sb_sasl_read, /* sbi_read */ - sb_sasl_write, /* sbi_write */ - NULL /* sbi_close */ -}; +static const struct sb_sasl_generic_ops sb_sasl_cyrus_ops = { + sb_sasl_cyrus_init, + sb_sasl_cyrus_encode, + sb_sasl_cyrus_decode, + sb_sasl_cyrus_reset_buf, + sb_sasl_cyrus_fini + }; int ldap_pvt_sasl_install( Sockbuf *sb, void *ctx_arg ) { - Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_install\n", - 0, 0, 0 ); - - /* don't install the stuff unless security has been negotiated */ + struct sb_sasl_generic_install install_arg; - if ( !ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, - &ldap_pvt_sockbuf_io_sasl ) ) - { -#ifdef LDAP_DEBUG - ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, - LBER_SBIOD_LEVEL_APPLICATION, (void *)"sasl_" ); -#endif - ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_sasl, - LBER_SBIOD_LEVEL_APPLICATION, ctx_arg ); - } + install_arg.ops = &sb_sasl_cyrus_ops; + install_arg.ops_private = ctx_arg; - return LDAP_SUCCESS; + return ldap_pvt_sasl_generic_install( sb, &install_arg ); } void ldap_pvt_sasl_remove( Sockbuf *sb ) { - ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_sasl, - LBER_SBIOD_LEVEL_APPLICATION ); -#ifdef LDAP_DEBUG - ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, - LBER_SBIOD_LEVEL_APPLICATION ); -#endif + ldap_pvt_sasl_generic_remove( sb ); } static int @@ -602,23 +409,31 @@ ldap_int_sasl_bind( return ld->ld_errno; } + rc = 0; +#ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex ); +#endif ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd ); if ( sd == AC_SOCKET_INVALID ) { /* not connected yet */ - int rc; rc = ldap_open_defconn( ld ); - if( rc < 0 ) return ld->ld_errno; - ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb, - LBER_SB_OPT_GET_FD, &sd ); + if ( rc == 0 ) { + ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb, + LBER_SB_OPT_GET_FD, &sd ); - if( sd == AC_SOCKET_INVALID ) { - ld->ld_errno = LDAP_LOCAL_ERROR; - return ld->ld_errno; + if( sd == AC_SOCKET_INVALID ) { + ld->ld_errno = LDAP_LOCAL_ERROR; + rc = ld->ld_errno; + } } } +#ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex ); +#endif + if( rc != 0 ) return ld->ld_errno; oldctx = ld->ld_defconn->lconn_sasl_authctx; @@ -631,16 +446,28 @@ ldap_int_sasl_bind( } { - char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, + char *saslhost; + int nocanon = (int)LDAP_BOOL_GET( &ld->ld_options, + LDAP_BOOL_SASL_NOCANON ); + + /* If we don't need to canonicalize just use the host + * from the LDAP URI. + */ + if ( nocanon ) + saslhost = ld->ld_defconn->lconn_server->lud_host; + else + saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, "localhost" ); rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); - LDAP_FREE( saslhost ); + if ( !nocanon ) + LDAP_FREE( saslhost ); } if ( rc != LDAP_SUCCESS ) return rc; ctx = ld->ld_defconn->lconn_sasl_authctx; +#ifdef HAVE_TLS /* Check for TLS */ ssl = ldap_pvt_tls_sb_ctx( ld->ld_defconn->lconn_sb ); if ( ssl ) { @@ -654,6 +481,7 @@ ldap_int_sasl_bind( (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); LDAP_FREE( authid.bv_val ); } +#endif #if !defined(_WIN32) /* Check for local */ @@ -662,9 +490,9 @@ ldap_int_sasl_bind( { char authid[sizeof("gidNumber=4294967295+uidNumber=4294967295," "cn=peercred,cn=external,cn=auth")]; - sprintf( authid, "gidNumber=%d+uidNumber=%d," + sprintf( authid, "gidNumber=%u+uidNumber=%u," "cn=peercred,cn=external,cn=auth", - (int) getegid(), (int) geteuid() ); + getegid(), geteuid() ); (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid, LDAP_PVT_SASL_LOCAL_SSF ); } @@ -741,7 +569,7 @@ ldap_int_sasl_bind( /* and server provided us with data? */ Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n", - rc, saslrc, scred ? scred->bv_len : -1 ); + rc, saslrc, scred ? (long) scred->bv_len : -1L ); ber_bvfree( scred ); scred = NULL; } @@ -753,13 +581,31 @@ ldap_int_sasl_bind( /* we're done, no need to step */ if( scred ) { /* but we got additional data? */ - Debug( LDAP_DEBUG_TRACE, - "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n", - rc, saslrc, scred ? scred->bv_len : -1 ); - - ber_bvfree( scred ); - rc = ld->ld_errno = LDAP_LOCAL_ERROR; - goto done; +#define KLUDGE_FOR_MSAD +#ifdef KLUDGE_FOR_MSAD + /* + * MSAD provides empty additional data in violation of LDAP + * technical specifications. As no existing SASL mechanism + * allows empty data with an outcome message, just ignore it + * for now. Hopefully MS will fix their bug before someone + * defines a mechanism with possibly empty additional data. + */ + if( scred->bv_len == 0 ) { + Debug( LDAP_DEBUG_ANY, + "ldap_int_sasl_bind: ignoring " + " bogus empty data provided with SASL outcome message.\n", + rc, saslrc, scred->bv_len ); + ber_bvfree( scred ); + } else +#endif + { + Debug( LDAP_DEBUG_TRACE, + "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n", + rc, saslrc, scred->bv_len ); + rc = ld->ld_errno = LDAP_LOCAL_ERROR; + ber_bvfree( scred ); + goto done; + } } break; } @@ -821,7 +667,7 @@ ldap_int_sasl_bind( if( flags != LDAP_SASL_QUIET ) { saslrc = sasl_getprop( ctx, SASL_USERNAME, - (SASL_CONST void **) &data ); + (SASL_CONST void **)(char *) &data ); if( saslrc == SASL_OK && data && *data ) { fprintf( stderr, "SASL username: %s\n", data ); } @@ -835,7 +681,7 @@ ldap_int_sasl_bind( #endif } - saslrc = sasl_getprop( ctx, SASL_SSF, (SASL_CONST void **) &ssf ); + saslrc = sasl_getprop( ctx, SASL_SSF, (SASL_CONST void **)(char *) &ssf ); if( saslrc == SASL_OK ) { if( flags != LDAP_SASL_QUIET ) { fprintf( stderr, "SASL SSF: %lu\n", @@ -843,9 +689,6 @@ ldap_int_sasl_bind( } if( ssf && *ssf ) { - if( flags != LDAP_SASL_QUIET ) { - fprintf( stderr, "SASL installing layers\n" ); - } if ( ld->ld_defconn->lconn_sasl_sockctx ) { oldctx = ld->ld_defconn->lconn_sasl_sockctx; sasl_dispose( &oldctx ); @@ -853,6 +696,10 @@ ldap_int_sasl_bind( } ldap_pvt_sasl_install( ld->ld_defconn->lconn_sb, ctx ); ld->ld_defconn->lconn_sasl_sockctx = ctx; + + if( flags != LDAP_SASL_QUIET ) { + fprintf( stderr, "SASL data security layer installed.\n" ); + } } } ld->ld_defconn->lconn_sasl_authctx = ctx; @@ -872,6 +719,8 @@ ldap_int_sasl_external( sasl_conn_t *ctx; #if SASL_VERSION_MAJOR < 2 sasl_external_properties_t extprops; +#else + sasl_ssf_t sasl_ssf = ssf; #endif ctx = conn->lconn_sasl_authctx; @@ -881,7 +730,7 @@ ldap_int_sasl_external( } #if SASL_VERSION_MAJOR >= 2 - sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf ); + sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &sasl_ssf ); if ( sc == SASL_OK ) sc = sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid ); #else @@ -1004,8 +853,8 @@ int ldap_pvt_sasl_secprops( const char *in, sasl_security_properties_t *secprops ) { - int i, j, l; - char **props = ldap_str2charray( in, "," ); + unsigned i, j, l; + char **props; unsigned sflags = 0; int got_sflags = 0; sasl_ssf_t max_ssf = 0; @@ -1015,7 +864,11 @@ int ldap_pvt_sasl_secprops( unsigned maxbufsize = 0; int got_maxbufsize = 0; - if( props == NULL || secprops == NULL ) { + if( secprops == NULL ) { + return LDAP_PARAM_ERROR; + } + props = ldap_str2charray( in, "," ); + if( props == NULL ) { return LDAP_PARAM_ERROR; } @@ -1028,7 +881,8 @@ int ldap_pvt_sasl_secprops( if ( sprops[j].ival ) { unsigned v; char *next = NULL; - if ( !isdigit( props[i][sprops[j].key.bv_len] )) continue; + if ( !isdigit( (unsigned char)props[i][sprops[j].key.bv_len] )) + continue; v = strtoul( &props[i][sprops[j].key.bv_len], &next, 10 ); if ( next == &props[i][sprops[j].key.bv_len] || next[0] != '\0' ) continue; switch( sprops[j].ival ) { @@ -1050,6 +904,7 @@ int ldap_pvt_sasl_secprops( break; } if ( BER_BVISNULL( &sprops[j].key )) { + ldap_charray_free( props ); return LDAP_NOT_SUPPORTED; } } @@ -1088,6 +943,13 @@ ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg ) int ldap_int_sasl_get_option( LDAP *ld, int option, void *arg ) { + if ( option == LDAP_OPT_X_SASL_MECHLIST ) { + if ( ldap_int_sasl_init() ) + return -1; + *(char ***)arg = (char **)sasl_global_listmech(); + return 0; + } + if ( ld == NULL ) return -1; @@ -1125,7 +987,7 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg ) } sc = sasl_getprop( ctx, SASL_SSF, - (SASL_CONST void **) &ssf ); + (SASL_CONST void **)(char *) &ssf ); if ( sc != SASL_OK ) { return -1; @@ -1147,6 +1009,9 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg ) case LDAP_OPT_X_SASL_MAXBUFSIZE: *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize; break; + case LDAP_OPT_X_SASL_NOCANON: + *(int *)arg = (int) LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON ); + break; case LDAP_OPT_X_SASL_SECPROPS: /* this option is write only */ @@ -1164,6 +1029,9 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) if ( ld == NULL ) return -1; + if ( arg == NULL && option != LDAP_OPT_X_SASL_NOCANON ) + return -1; + switch ( option ) { case LDAP_OPT_X_SASL_SSF: /* This option is read-only */ @@ -1173,6 +1041,8 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) int sc; #if SASL_VERSION_MAJOR < 2 sasl_external_properties_t extprops; +#else + sasl_ssf_t sasl_ssf; #endif sasl_conn_t *ctx; @@ -1187,7 +1057,8 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) } #if SASL_VERSION_MAJOR >= 2 - sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, arg); + sasl_ssf = * (ber_len_t *)arg; + sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &sasl_ssf); #else memset(&extprops, 0L, sizeof(extprops)); @@ -1211,6 +1082,13 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) case LDAP_OPT_X_SASL_MAXBUFSIZE: ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg; break; + case LDAP_OPT_X_SASL_NOCANON: + if ( arg == LDAP_OPT_OFF ) { + LDAP_BOOL_CLR(&ld->ld_options, LDAP_BOOL_SASL_NOCANON ); + } else { + LDAP_BOOL_SET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON ); + } + break; case LDAP_OPT_X_SASL_SECPROPS: { int sc; @@ -1232,7 +1110,7 @@ void *ldap_pvt_sasl_mutex_new(void) { ldap_pvt_thread_mutex_t *mutex; - mutex = (ldap_pvt_thread_mutex_t *) LDAP_MALLOC( + mutex = (ldap_pvt_thread_mutex_t *) LDAP_CALLOC( 1, sizeof(ldap_pvt_thread_mutex_t) ); if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {