From a50f391bb37b059733404b7ec380a883162b23fb Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Fri, 28 Jul 2000 00:04:07 +0000
Subject: [PATCH] Working SASL security layers!

---
 libraries/liblber/sockbuf.c | 2 ++
 libraries/libldap/cyrus.c | 12 ++----------
 servers/slapd/bind.c | 5 ++++-
 servers/slapd/connection.c | 27 +++++++++++++++++++++++++--
 servers/slapd/proto-slap.h | 2 +-
 servers/slapd/sasl.c | 18 +++++++-----------
 servers/slapd/slap.h | 1 +
 7 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/libraries/liblber/sockbuf.c b/libraries/liblber/sockbuf.c
index 5c133e6540..3899206fc5 100644
--- a/libraries/liblber/sockbuf.c
+++ b/libraries/liblber/sockbuf.c
@@ -232,7 +232,9 @@ ber_pvt_sb_copy_out( Sockbuf_Buf *sbb, char *buf, ber_len_t len )
 assert( buf != NULL );
 assert( sbb != NULL );
+#if 0
 assert( sbb->buf_size > 0 );
+#endif
 max = sbb->buf_end - sbb->buf_ptr;
 max = ( max < len) ? max : len;
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 0569099937..0320f7bbc8 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -404,14 +404,8 @@ ldap_int_sasl_open(
 return ld->ld_errno;
 }
- rc = sasl_client_new( "ldap", host,
- session_callbacks,
-#ifdef LDAP_SASL_SECURITY_LAYER
- SASL_SECURITY_LAYER,
-#else
- 0,
-#endif
- &ctx );
+ rc = sasl_client_new( "ldap", host, session_callbacks,
+ SASL_SECURITY_LAYER, &ctx );
 if ( rc != SASL_OK ) {
 ld->ld_errno = sasl_err2ldap( rc );
@@ -636,14 +630,12 @@ ldap_int_sasl_bind(
 (unsigned long) *ssf );
 }
-#ifdef LDAP_SASL_SECURITY_LAYER
 if( ssf && *ssf ) {
 if( flags != LDAP_SASL_QUIET ) {
 fprintf( stderr, "SASL installing layers\n" );
 }
 ldap_pvt_sasl_install( ld->ld_sb, ctx );
 }
-#endif
 }
 return rc;
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index cc53421bcb..b78d96504d 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
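Review bot: The `#if 0` around `assert( sbb->buf_size > 0 )` switches the check off without recording why a zero-sized buffer is now acceptable, and `#if 0` reads as scaffolding left behind rather than a decision. If a caller on the new security-layer path legitimately passes a Sockbuf_Buf with `buf_size == 0` (inferred from the patch title; the hunk itself gives no reason), say so where the assert was, e.g. `/* buf_size may be 0 here: <state the caller that relies on it> */`, or delete the dead line. Note that `max = sbb->buf_end - sbb->buf_ptr` two lines down still relies on `buf_end` and `buf_ptr` being consistent for such a buffer, and that invariant is no longer asserted anywhere in the hunk.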
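Review bot: In the second cyrus.c hunk `ldap_pvt_sasl_install( ld->ld_sb, ctx );` discards its result, while the same function is treated as fallible in connection.c, where a return other than `LDAP_SUCCESS` closes the connection. On the client a failed install after a negotiation with a non-zero `*ssf` leaves the session running without the layer that was negotiated, and the caller still receives the successful bind `rc`. Capture and surface the result, e.g. `rc = ldap_pvt_sasl_install( ld->ld_sb, ctx ); if( rc != LDAP_SUCCESS ) { ld->ld_errno = rc; }`, assuming the function returns an LDAP result code as the connection.c comparison suggests but this hunk does not show. ldap_int_sasl_bind begins and ends outside the hunk, so which exit path should carry the failure is not visible here.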
@@ -186,6 +186,7 @@ do_bind(
 if ( method == LDAP_AUTH_SASL ) {
 char *edn;
+ unsigned long ssf = 0;
 if ( version < LDAP_VERSION3 ) {
 Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
@@ -230,12 +231,14 @@ do_bind(
 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 edn = NULL;
- rc = slap_sasl_bind( conn, op, dn, ndn, saslmech, &cred, &edn );
+ rc = slap_sasl_bind( conn, op, dn, ndn, saslmech, &cred,
+ &edn, &ssf );
 if( rc == LDAP_SUCCESS ) {
 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 conn->c_dn = edn;
 conn->c_authmech = mech;
+ if( ssf ) conn->c_sasl_layers++;
 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 } else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 9dc6eadea8..a966c0f174 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -895,8 +895,9 @@ int connection_read(ber_socket_t s)
 fd_set rfd;
 Debug( LDAP_DEBUG_TRACE,
- "connection_read(%d): TLS accept error error=%d id=%ld, closing\n",
- s, rc, c->c_connid );
+ "connection_read(%d): TLS accept error "
+ "error=%d id=%ld, closing\n",
+ s, rc, c->c_connid );
 c->c_needs_tls_accept = 0;
 /* connections_mutex and c_mutex are locked */
@@ -931,6 +932,28 @@ int connection_read(ber_socket_t s)
 }
 #endif
+#ifdef HAVE_CYRUS_SASL
+ if ( c->c_sasl_layers ) {
+ c->c_sasl_layers = 0;
+
+ rc = ldap_pvt_sasl_install( c->c_sb, c->c_sasl_context );
+
+ if( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "connection_read(%d): SASL install error "
+ "error=%d id=%ld, closing\n",
+ s, rc, c->c_connid );
+
+ /* connections_mutex and c_mutex are locked */
+ connection_closing( c );
+ connection_close( c );
+ connection_return( c );
+ ldap_pvt_thread_mutex_unlock( &connections_mutex );
+ return 0;
+ }
+ }
+#endif
 #define CONNECTION_INPUT_LOOP 1
 #ifdef DATA_READY_LOOP
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 6fd484ee27..2c69c2a27e 100644
--- a/servers/slapd/proto-slap.h
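Review bot: `if( ssf ) conn->c_sasl_layers++;` in the second bind.c hunk increments a field that the slap.h hunk documents as `/* true if we need to install SASL i/o handlers */` and that connection.c resets with `c->c_sasl_layers = 0;`; a counter here implies several pending installs can accumulate, which a reader of connection.c cannot rule out. Write `if( ssf ) conn->c_sasl_layers = 1;` so the field is the flag its comment promises, or change the slap.h comment to describe a count. The negotiated `ssf` value itself is not retained on the connection by this hunk, so any later check that wants the negotiated strength (if one exists) would have to re-query the SASL context; a comment on `unsigned long ssf = 0;` in the first hunk saying it is only used to decide whether layers are pending would make that explicit. do_bind begins and ends outside both hunks.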
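Review bot: The failure branch in the second connection.c hunk logs at `LDAP_DEBUG_TRACE`, a level usually off in production, so a security-layer install that fails on an already-authenticated connection leaves no entry in normal logs even though the connection is closed; slap_sasl_open in the same series logs its `sasl_server_new` failure at `LDAP_DEBUG_ANY`. Use `Debug( LDAP_DEBUG_ANY,` for this message. The `connection_closing`/`connection_close`/`connection_return`/unlock/`return 0` sequence appears to mirror the TLS-accept error path above (whose body is cut off in the first hunk); if so, a small static helper would keep the two paths from drifting. Clearing `c->c_sasl_layers = 0;` before the install means a failed install is never retried, which is consistent with closing the connection, and a one-line comment such as `/* cleared up front: a failed install closes the connection rather than retrying */` would mark that as deliberate. connection_read continues outside the hunk.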
+++ b/servers/slapd/proto-slap.h
@@ -547,7 +547,7 @@ LDAP_SLAPD_F (int) slap_sasl_bind LDAP_P((
 Connection *conn, Operation *op,
 const char *dn, const char *ndn, const char *mech,
 struct berval *cred,
- char **edn ));
+ char **edn, unsigned long *ssf ));
 /* oc.c */
 LDAP_SLAPD_F (int) oc_schema_info( Entry *e );
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index a13426dda5..6e46d65fe3 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -246,6 +246,8 @@ int slap_sasl_open( Connection *conn )
 assert( conn->c_sasl_context == NULL );
 assert( conn->c_sasl_extra == NULL );
+ conn->c_sasl_layers = 0;
+
 session_callbacks = ch_calloc( 3, sizeof(sasl_callback_t));
 conn->c_sasl_extra = session_callbacks;
@@ -264,14 +266,7 @@ int slap_sasl_open( Connection *conn )
 /* create new SASL context */
 sc = sasl_server_new( "ldap", sasl_host, global_realm,
- session_callbacks,
-#ifdef LDAP_SASL_SECURITY_LAYER
- SASL_SECURITY_LAYER,
-#else
- 0,
-#endif
- &ctx );
-
+ session_callbacks, SASL_SECURITY_LAYER, &ctx );
 if( sc != SASL_OK ) {
 Debug( LDAP_DEBUG_ANY,
 "sasl_server_new failed: %d\n",
@@ -394,7 +389,8 @@ int slap_sasl_bind(
 const char *ndn,
 const char *mech,
 struct berval *cred,
- char **edn )
+ char **edn,
+ unsigned long *ssfp )
 {
 int rc = 1;
@@ -406,7 +402,7 @@ int slap_sasl_bind(
 int sc;
 Debug(LDAP_DEBUG_ARGS,
- "==> sasl_bind: dn=\"%s\" mech=%s cred->bv_len=%d\n",
+ "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n",
 dn, mech ? mech : "", cred ? cred->bv_len : 0 );
 if( ctx == NULL ) {
@@ -467,6 +463,7 @@ int slap_sasl_bind(
 realm ? realm : "",
 (unsigned long) ( ssf ? *ssf : 0 ) );
+ *ssfp = ssf ? *ssf : 0;
 rc = LDAP_SUCCESS;
@@ -544,4 +541,3 @@ char* slap_sasl_secprops( const char *in )
 return "SASL not supported";
 #endif
 }
-
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index cf29f3610e..d85493a321 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
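Review bot: `*ssfp = ssf ? *ssf : 0;` in the sasl.c hunk at -467 is the only write to the new output parameter visible in this file's hunks, and it sits immediately before `rc = LDAP_SUCCESS;`, so on the error returns of slap_sasl_bind (and in a build without Cyrus SASL, if the function has an `#else` branch like slap_sasl_secprops does) `*ssfp` is left untouched and the contract silently depends on the caller's `unsigned long ssf = 0;` initialisation. Set `*ssfp = 0;` right after `int rc = 1;` in the hunk at -394 so the function owns its output on every path, and document the parameter on the declaration with `/* ssfp: receives the negotiated security strength factor; 0 when no layer was negotiated or the bind did not succeed */`. The prototype in proto-slap.h names the parameter `ssf` while the definition uses `ssfp`; aligning the names avoids a misleading header. slap_sasl_bind starts before and ends after these hunks.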
@@ -1074,6 +1074,7 @@ typedef struct slap_conn {
 int c_is_tls; /* true if this LDAP over raw TLS */
 int c_needs_tls_accept; /* true if SSL_accept should be called */
 #endif
+ int c_sasl_layers; /* true if we need to install SASL i/o handlers */
 void *c_sasl_context; /* SASL session context */
 void *c_sasl_extra; /* SASL session extra stuff */
-- 
2.39.5