X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=9e99441bfdc5ddd1c3d65563ea36ce28bae7933d;hb=f89308915aabff352eb390a1e58a71127b7ebd26;hp=29a83f5adab5134da34332cf57fc6e306f1be80a;hpb=fac77083cc65666eda3b3e92af175c4b4569e6e6;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 29a83f5ada..9e99441bfd 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -1,20 +1,20 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ #include "portable.h" -#include #include - -#include "slap.h" -#include "proto-slap.h" +#include +#include #include #include +#include "slap.h" + #ifdef HAVE_CYRUS_SASL #include #include @@ -25,6 +25,7 @@ #include #endif + static sasl_security_properties_t sasl_secprops; static int @@ -60,11 +61,11 @@ slap_sasl_log( #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "SASL [conn=%d] %s: %s\n", + "SASL [conn=%ld] %s: %s\n", conn ? conn->c_connid : -1, label, message )); #else - Debug( level, "SASL [conn=%d] %s: %s\n", + Debug( level, "SASL [conn=%ld] %s: %s\n", conn ? conn->c_connid: -1, label, message ); #endif @@ -99,9 +100,10 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) /* Blatantly anonymous ID */ - len = strlen( "anonymous" ); - if( id && !strncasecmp( id, "anonymous", len) && - ( id[len] == '\0' || id[len] == '@' ) ) { + if( id && + ( id[sizeof( "anonymous" )-1] == '\0' + || id[sizeof( "anonymous" )-1] == '@' ) && + !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) { *dnptr = NULL; return( LDAP_SUCCESS ); } @@ -112,7 +114,7 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) if( flags & FLAG_GETDN_AUTHCID ) { if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech && ( strcasecmp( "EXTERNAL", conn->c_sasl_bind_mech ) == 0 ) - && len && dn[0] == '/' && dn[len-1]== '/' ) + && len && id[0] == '/' /* && id[len-1]== '/' */) { /* check SASL external for X.509 style DN and */ /* convert to dn: form */ @@ -123,7 +125,7 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) dn[0] = 'd'; dn[1] = 'n'; dn[2] = ':'; - memmove( &dn[3], tmpdn, len+1 ); + AC_MEMCPY( &dn[3], tmpdn, len+1 ); len += 3; } else { @@ -131,7 +133,7 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) dn = ch_malloc( len+3 ); dn[0] = 'u'; dn[1] = ':'; - memmove( &dn[2], id, len+1 ); + AC_MEMCPY( &dn[2], id, len+1 ); len += 2; } } else { @@ -140,8 +142,8 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) /* An authzID must be properly prefixed */ if( flags & FLAG_GETDN_AUTHZID - && strncasecmp( dn, "u:", 2 ) - && strncasecmp( dn, "dn:", 3 ) ) + && strncasecmp( dn, "u:", sizeof("u:")-1 ) + && strncasecmp( dn, "dn:", sizeof("dn:")-1 ) ) { ch_free( dn ); *dnptr = NULL; @@ -149,9 +151,8 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) } /* Username strings */ - if( !strncasecmp( dn, "u:", 2 ) ) { - int len1 = strlen( ",cn=auth" ); - len += strlen( "dn:uid=" ) + len1; + if( !strncasecmp( dn, "u:", sizeof("u:")-1 ) ) { + len += (sizeof("dn:uid=")-1) + (sizeof(",cn=auth")-1); /* Figure out how much data we have for the dn */ rc = sasl_getprop( ctx, SASL_REALM, (void **)&c ); @@ -170,11 +171,11 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) } if( c && *c ) { - len += strlen( c ) + strlen(",cn=" ); + len += strlen( c ) + (sizeof(",cn=")-1); } if( conn->c_sasl_bind_mech ) { - len += strlen( conn->c_sasl_bind_mech ) + strlen( ",cn=" ); + len += strlen( conn->c_sasl_bind_mech ) + (sizeof(",cn=")-1); } /* Build the new dn */ @@ -190,7 +191,7 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) len += sprintf( dn+len, ",cn=%s", conn->c_sasl_bind_mech ); } strcpy( dn+len, ",cn=auth" ); - len += len1; + len += (sizeof(",cn=auth")-1); #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, @@ -201,30 +202,33 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) } /* DN strings that are a cn=auth identity to run through regexp */ - if( !strncasecmp( dn, "dn:", 3) && ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) { - c1 = slap_sasl2dn( dn + 3 ); + if( !strncasecmp( dn, "dn:", sizeof("dn:")-1) && + ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) + { + c1 = slap_sasl2dn( dn + (sizeof("dn:")-1) ); if( c1 ) { ch_free( dn ); dn = c1; /* Reaffix the dn: prefix if it was removed */ - if( strncasecmp( dn, "dn:", 3) ) { + if( strncasecmp( dn, "dn:", sizeof("dn:")-1) ) { c1 = dn; - dn = ch_malloc( strlen( c1 ) + 4 ); + dn = ch_malloc( strlen( c1 ) + sizeof("dn:") ); sprintf( dn, "dn:%s", c1 ); ch_free( c1 ); } #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: dn:id converted to %s.\n", dn )); + "slap_sasl_getdn: dn:id converted to %s.\n", dn )); #else - Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", dn,0,0 ); + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn, 0, 0 ); #endif } } if( ( flags & FLAG_GETDN_FINAL ) == 0 ) { - dn_normalize( dn+3 ); + dn_normalize( dn+(sizeof("dn:")-1) ); } *dnptr = dn; @@ -425,6 +429,9 @@ int slap_sasl_destroy( void ) #ifdef HAVE_CYRUS_SASL sasl_done(); #endif + free( global_host ); + global_host = NULL; + return 0; } @@ -561,7 +568,7 @@ char ** slap_sasl_mechs( Connection *conn ) if( sc != SASL_OK ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_mechs: sasl_listmech failed: %d\n", sc )); + "slap_sasl_mechs: sasl_listmech failed: %d\n", sc )); #else Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n", sc, 0, 0 ); @@ -600,32 +607,34 @@ int slap_sasl_close( Connection *conn ) int slap_sasl_bind( Connection *conn, Operation *op, - const char *dn, - const char *ndn, + struct berval *dn, + struct berval *ndn, struct berval *cred, - char **edn, - slap_ssf_t *ssfp ) + char **edn, + slap_ssf_t *ssfp ) { int rc = 1; #ifdef HAVE_CYRUS_SASL sasl_conn_t *ctx = conn->c_sasl_context; struct berval response; - unsigned reslen; + unsigned reslen = 0; const char *errstr; int sc; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%d\n", - conn->c_connid, dn, - conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech, - cred ? cred->bv_len : 0 )); + "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%ld\n", + conn->c_connid, + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 )); #else Debug(LDAP_DEBUG_ARGS, - "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n", dn, - conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, - cred ? cred->bv_len : 0 ); + "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 ); #endif @@ -638,7 +647,8 @@ int slap_sasl_bind( if ( !conn->c_sasl_bind_in_progress ) { sc = sasl_server_start( ctx, conn->c_sasl_bind_mech, - cred->bv_val, cred->bv_len, + cred->bv_len ? cred->bv_val : "", + cred->bv_len, (char **)&response.bv_val, &reslen, &errstr ); } else { @@ -658,7 +668,7 @@ int slap_sasl_bind( if ( sc != SASL_OK ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); + "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); #else Debug(LDAP_DEBUG_TRACE, "slap_sasl_bind: getprop(USERNAME) failed!\n", @@ -712,9 +722,13 @@ int slap_sasl_bind( NULL, errstr, NULL, NULL ); } + if( response.bv_len ) { + ch_free( response.bv_val ); + } + #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_bind: rc=%d\n", rc )); + "slap_sasl_bind: rc=%d\n", rc )); #else Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); #endif