search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libs: Import code from upstream openldap 2.5.13.
[wine.git] / libs / ldap / libldap / cyrus.c
blobd7111ace6f9299b73128b645b59a3759c5419373
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3 *
4 * Copyright 1998-2022 The OpenLDAP Foundation.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
9 * Public License.
10 *
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
14 */
15
16 #include "portable.h"
17
18 #include <ac/errno.h>
19 #include "ldap-int.h"
20
21 #ifdef HAVE_CYRUS_SASL
22
23 #include <stdio.h>
24
25 #include <ac/socket.h>
26 #include <ac/stdlib.h>
27 #include <ac/string.h>
28 #include <ac/time.h>
29 #include <ac/ctype.h>
30 #include <ac/unistd.h>
31
32 #ifdef HAVE_LIMITS_H
33 #include <limits.h>
34 #endif
35
36 #ifndef INT_MAX
37 #define INT_MAX 2147483647 /* 32 bit signed max */
38 #endif
39
40 #if !defined(HOST_NAME_MAX) && defined(_POSIX_HOST_NAME_MAX)
41 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
42 #endif
43
44 #ifdef HAVE_SASL_SASL_H
45 #include <sasl/sasl.h>
46 #else
47 #include <sasl.h>
48 #endif
49
50 #if SASL_VERSION_MAJOR >= 2
51 #define SASL_CONST const
52 #else
53 #define SASL_CONST
54 #endif
55
56 /*
57 * Various Cyrus SASL related stuff.
58 */
59
60 static const sasl_callback_t client_callbacks[] = {
61 #ifdef SASL_CB_GETREALM
62 { SASL_CB_GETREALM, NULL, NULL },
63 #endif
64 { SASL_CB_USER, NULL, NULL },
65 { SASL_CB_AUTHNAME, NULL, NULL },
66 { SASL_CB_PASS, NULL, NULL },
67 { SASL_CB_ECHOPROMPT, NULL, NULL },
68 { SASL_CB_NOECHOPROMPT, NULL, NULL },
69 { SASL_CB_LIST_END, NULL, NULL }
70 };
71
72 /*
73 * ldap_int_initialize is responsible for calling this only once.
74 */
75 int ldap_int_sasl_init( void )
76 {
77 #ifdef HAVE_SASL_VERSION
78 /* stringify the version number, sasl.h doesn't do it for us */
79 #define VSTR0(maj, min, pat) #maj "." #min "." #pat
80 #define VSTR(maj, min, pat) VSTR0(maj, min, pat)
81 #define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
82 SASL_VERSION_STEP)
83 { int rc;
84 sasl_version( NULL, &rc );
85 if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
86 (rc & 0xffff) < SASL_VERSION_STEP) {
87 char version[sizeof("xxx.xxx.xxxxx")];
88 sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
89 rc & 0xffff );
90
91 Debug1( LDAP_DEBUG_ANY,
92 "ldap_int_sasl_init: SASL library version mismatch:"
93 " expected " SASL_VERSION_STRING ","
94 " got %s\n", version );
95 return -1;
96 }
97 }
98 #endif
99
100 /* SASL 2 takes care of its own memory completely internally */
101 #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
102 sasl_set_alloc(
103 ber_memalloc,
104 ber_memcalloc,
105 ber_memrealloc,
106 ber_memfree );
107 #endif /* CSRIMALLOC */
108
109 #ifdef LDAP_R_COMPILE
110 sasl_set_mutex(
111 ldap_pvt_sasl_mutex_new,
112 ldap_pvt_sasl_mutex_lock,
113 ldap_pvt_sasl_mutex_unlock,
114 ldap_pvt_sasl_mutex_dispose );
115 #endif
116
117 if ( sasl_client_init( NULL ) == SASL_OK ) {
118 return 0;
119 }
120
121 #if SASL_VERSION_MAJOR < 2
122 /* A no-op to make sure we link with Cyrus 1.5 */
123 sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL );
124 #endif
125 return -1;
126 }
127
128 static void
129 sb_sasl_cyrus_init(
130 struct sb_sasl_generic_data *p,
131 ber_len_t *min_send,
132 ber_len_t *max_send,
133 ber_len_t *max_recv)
134 {
135 sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private;
136 ber_len_t maxbuf;
137
138 sasl_getprop( sasl_context, SASL_MAXOUTBUF,
139 (SASL_CONST void **)(char *) &maxbuf );
140
141 *min_send = SASL_MIN_BUFF_SIZE;
142 *max_send = maxbuf;
143 *max_recv = SASL_MAX_BUFF_SIZE;
144 }
145
146 static ber_int_t
147 sb_sasl_cyrus_encode(
148 struct sb_sasl_generic_data *p,
149 unsigned char *buf,
150 ber_len_t len,
151 Sockbuf_Buf *dst)
152 {
153 sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private;
154 ber_int_t ret;
155 unsigned tmpsize = dst->buf_size;
156
157 ret = sasl_encode( sasl_context, (char *)buf, len,
158 (SASL_CONST char **)&dst->buf_base,
159 &tmpsize );
160
161 dst->buf_size = tmpsize;
162 dst->buf_end = dst->buf_size;
163
164 if ( ret != SASL_OK ) {
165 ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug,
166 "sb_sasl_cyrus_encode: failed to encode packet: %s\n",
167 sasl_errstring( ret, NULL, NULL ) );
168 return -1;
169 }
170
171 return 0;
172 }
173
174 static ber_int_t
175 sb_sasl_cyrus_decode(
176 struct sb_sasl_generic_data *p,
177 const Sockbuf_Buf *src,
178 Sockbuf_Buf *dst)
179 {
180 sasl_conn_t *sasl_context = (sasl_conn_t *)p->ops_private;
181 ber_int_t ret;
182 unsigned tmpsize = dst->buf_size;
183
184 ret = sasl_decode( sasl_context,
185 src->buf_base, src->buf_end,
186 (SASL_CONST char **)&dst->buf_base,
187 (unsigned *)&tmpsize );
188
189
190 dst->buf_size = tmpsize;
191 dst->buf_end = dst->buf_size;
192
193 if ( ret != SASL_OK ) {
194 ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug,
195 "sb_sasl_cyrus_decode: failed to decode packet: %s\n",
196 sasl_errstring( ret, NULL, NULL ) );
197 return -1;
198 }
199
200 return 0;
201 }
202
203 static void
204 sb_sasl_cyrus_reset_buf(
205 struct sb_sasl_generic_data *p,
206 Sockbuf_Buf *buf)
207 {
208 #if SASL_VERSION_MAJOR >= 2
209 ber_pvt_sb_buf_init( buf );
210 #else
211 ber_pvt_sb_buf_destroy( buf );
212 #endif
213 }
214
215 static void
216 sb_sasl_cyrus_fini(
217 struct sb_sasl_generic_data *p)
218 {
219 #if SASL_VERSION_MAJOR >= 2
220 /*
221 * SASLv2 encode/decode buffers are managed by
222 * libsasl2. Ensure they are not freed by liblber.
223 */
224 p->buf_in.buf_base = NULL;
225 p->buf_out.buf_base = NULL;
226 #endif
227 }
228
229 static const struct sb_sasl_generic_ops sb_sasl_cyrus_ops = {
230 sb_sasl_cyrus_init,
231 sb_sasl_cyrus_encode,
232 sb_sasl_cyrus_decode,
233 sb_sasl_cyrus_reset_buf,
234 sb_sasl_cyrus_fini
235 };
236
237 int ldap_pvt_sasl_install( Sockbuf *sb, void *ctx_arg )
238 {
239 struct sb_sasl_generic_install install_arg;
240
241 install_arg.ops = &sb_sasl_cyrus_ops;
242 install_arg.ops_private = ctx_arg;
243
244 return ldap_pvt_sasl_generic_install( sb, &install_arg );
245 }
246
247 void ldap_pvt_sasl_remove( Sockbuf *sb )
248 {
249 ldap_pvt_sasl_generic_remove( sb );
250 }
251
252 static int
253 sasl_err2ldap( int saslerr )
254 {
255 int rc;
256
257 /* map SASL errors to LDAP API errors returned by:
258 * sasl_client_new()
259 * SASL_OK, SASL_NOMECH, SASL_NOMEM
260 * sasl_client_start()
261 * SASL_OK, SASL_NOMECH, SASL_NOMEM, SASL_INTERACT
262 * sasl_client_step()
263 * SASL_OK, SASL_INTERACT, SASL_BADPROT, SASL_BADSERV
264 */
265
266 switch (saslerr) {
267 case SASL_CONTINUE:
268 rc = LDAP_MORE_RESULTS_TO_RETURN;
269 break;
270 case SASL_INTERACT:
271 rc = LDAP_LOCAL_ERROR;
272 break;
273 case SASL_OK:
274 rc = LDAP_SUCCESS;
275 break;
276 case SASL_NOMEM:
277 rc = LDAP_NO_MEMORY;
278 break;
279 case SASL_NOMECH:
280 rc = LDAP_AUTH_UNKNOWN;
281 break;
282 case SASL_BADPROT:
283 rc = LDAP_DECODING_ERROR;
284 break;
285 case SASL_BADSERV:
286 rc = LDAP_AUTH_UNKNOWN;
287 break;
288
289 /* other codes */
290 case SASL_BADAUTH:
291 rc = LDAP_AUTH_UNKNOWN;
292 break;
293 case SASL_NOAUTHZ:
294 rc = LDAP_PARAM_ERROR;
295 break;
296 case SASL_FAIL:
297 rc = LDAP_LOCAL_ERROR;
298 break;
299 case SASL_TOOWEAK:
300 case SASL_ENCRYPT:
301 rc = LDAP_AUTH_UNKNOWN;
302 break;
303 default:
304 rc = LDAP_LOCAL_ERROR;
305 break;
306 }
307
308 assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
309 return rc;
310 }
311
312 int
313 ldap_int_sasl_open(
314 LDAP *ld,
315 LDAPConn *lc,
316 const char * host )
317 {
318 int rc;
319 sasl_conn_t *ctx;
320
321 assert( lc->lconn_sasl_authctx == NULL );
322
323 if ( host == NULL ) {
324 ld->ld_errno = LDAP_LOCAL_ERROR;
325 return ld->ld_errno;
326 }
327
328 #if SASL_VERSION_MAJOR >= 2
329 rc = sasl_client_new( "ldap", host, NULL, NULL,
330 client_callbacks, 0, &ctx );
331 #else
332 rc = sasl_client_new( "ldap", host, client_callbacks,
333 SASL_SECURITY_LAYER, &ctx );
334 #endif
335
336 if ( rc != SASL_OK ) {
337 ld->ld_errno = sasl_err2ldap( rc );
338 return ld->ld_errno;
339 }
340
341 Debug1( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: host=%s\n",
342 host );
343
344 lc->lconn_sasl_authctx = ctx;
345
346 return LDAP_SUCCESS;
347 }
348
349 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
350 {
351 sasl_conn_t *ctx = lc->lconn_sasl_authctx;
352
353 if( ctx != NULL ) {
354 sasl_dispose( &ctx );
355 if ( lc->lconn_sasl_sockctx &&
356 lc->lconn_sasl_authctx != lc->lconn_sasl_sockctx ) {
357 ctx = lc->lconn_sasl_sockctx;
358 sasl_dispose( &ctx );
359 }
360 lc->lconn_sasl_sockctx = NULL;
361 lc->lconn_sasl_authctx = NULL;
362 }
363 if( lc->lconn_sasl_cbind ) {
364 ldap_memfree( lc->lconn_sasl_cbind );
365 lc->lconn_sasl_cbind = NULL;
366 }
367
368 return LDAP_SUCCESS;
369 }
370
371 int ldap_pvt_sasl_cbinding_parse( const char *arg )
372 {
373 int i = -1;
374
375 if ( strcasecmp(arg, "none") == 0 )
376 i = LDAP_OPT_X_SASL_CBINDING_NONE;
377 else if ( strcasecmp(arg, "tls-unique") == 0 )
378 i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
379 else if ( strcasecmp(arg, "tls-endpoint") == 0 )
380 i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
381
382 return i;
383 }
384
385 void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
386 {
387 #if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
388 char unique_prefix[] = "tls-unique:";
389 char endpoint_prefix[] = "tls-server-end-point:";
390 char cbinding[ 64 ];
391 struct berval cbv = { 64, cbinding };
392 unsigned char *cb_data; /* used since cb->data is const* */
393 sasl_channel_binding_t *cb;
394 char *prefix;
395 int plen;
396
397 switch (type) {
398 case LDAP_OPT_X_SASL_CBINDING_NONE:
399 return NULL;
400 case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
401 if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
402 return NULL;
403 prefix = unique_prefix;
404 plen = sizeof(unique_prefix) -1;
405 break;
406 case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
407 if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
408 return NULL;
409 prefix = endpoint_prefix;
410 plen = sizeof(endpoint_prefix) -1;
411 break;
412 default:
413 return NULL;
414 }
415
416 cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
417 cb->len = plen + cbv.bv_len;
418 cb->data = cb_data = (unsigned char *)(cb+1);
419 memcpy( cb_data, prefix, plen );
420 memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
421 cb->name = "ldap";
422 cb->critical = 0;
423
424 return cb;
425 #else
426 return NULL;
427 #endif
428 }
429
430 int
431 ldap_int_sasl_bind(
432 LDAP *ld,
433 const char *dn,
434 const char *mechs,
435 LDAPControl **sctrls,
436 LDAPControl **cctrls,
437 unsigned flags,
438 LDAP_SASL_INTERACT_PROC *interact,
439 void *defaults,
440 LDAPMessage *result,
441 const char **rmech,
442 int *msgid )
443 {
444 const char *mech;
445 sasl_ssf_t *ssf;
446 sasl_conn_t *ctx;
447 sasl_interact_t *prompts = NULL;
448 struct berval ccred = BER_BVNULL;
449 int saslrc, rc;
450 unsigned credlen;
451 #if !defined(_WIN32)
452 char my_hostname[HOST_NAME_MAX + 1];
453 #endif
454 int free_saslhost = 0;
455
456 Debug1( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
457 mechs ? mechs : "<null>" );
458
459 /* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
460 if (ld->ld_version < LDAP_VERSION3) {
461 ld->ld_errno = LDAP_NOT_SUPPORTED;
462 return ld->ld_errno;
463 }
464
465 /* Starting a Bind */
466 if ( !result ) {
467 const char *pmech = NULL;
468 sasl_conn_t *oldctx;
469 ber_socket_t sd;
470 void *ssl;
471
472 rc = 0;
473 LDAP_MUTEX_LOCK( &ld->ld_conn_mutex );
474 ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
475
476 if ( sd == AC_SOCKET_INVALID || !ld->ld_defconn ) {
477 /* not connected yet */
478
479 rc = ldap_open_defconn( ld );
480
481 if ( rc == 0 ) {
482 ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb,
483 LBER_SB_OPT_GET_FD, &sd );
484
485 if( sd == AC_SOCKET_INVALID ) {
486 ld->ld_errno = LDAP_LOCAL_ERROR;
487 rc = ld->ld_errno;
488 }
489 }
490 }
491 if ( rc == 0 && ld->ld_defconn &&
492 ld->ld_defconn->lconn_status == LDAP_CONNST_CONNECTING ) {
493 rc = ldap_int_check_async_open( ld, sd );
494 }
495 LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
496 if( rc != 0 ) return ld->ld_errno;
497
498 oldctx = ld->ld_defconn->lconn_sasl_authctx;
499
500 /* If we already have an authentication context, clear it out */
501 if( oldctx ) {
502 if ( oldctx != ld->ld_defconn->lconn_sasl_sockctx ) {
503 sasl_dispose( &oldctx );
504 }
505 ld->ld_defconn->lconn_sasl_authctx = NULL;
506 }
507
508 {
509 char *saslhost;
510 int nocanon = (int)LDAP_BOOL_GET( &ld->ld_options,
511 LDAP_BOOL_SASL_NOCANON );
512
513 /* If we don't need to canonicalize just use the host
514 * from the LDAP URI.
515 * Always use the result of gethostname() for LDAPI.
516 * Skip for Windows which doesn't support LDAPI.
517 */
518 #if !defined(_WIN32)
519 if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
520 strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
521 rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
522 if (rc == 0) {
523 saslhost = my_hostname;
524 } else {
525 saslhost = "localhost";
526 }
527 } else
528 #endif
529 if ( nocanon )
530 saslhost = ld->ld_defconn->lconn_server->lud_host;
531 else {
532 saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
533 "localhost" );
534 free_saslhost = 1;
535 }
536 rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
537 if ( free_saslhost )
538 LDAP_FREE( saslhost );
539 }
540
541 if ( rc != LDAP_SUCCESS ) return rc;
542
543 ctx = ld->ld_defconn->lconn_sasl_authctx;
544
545 #ifdef HAVE_TLS
546 /* Check for TLS */
547 ssl = ldap_pvt_tls_sb_ctx( ld->ld_defconn->lconn_sb );
548 if ( ssl ) {
549 struct berval authid = BER_BVNULL;
550 ber_len_t fac;
551
552 fac = ldap_pvt_tls_get_strength( ssl );
553 /* failure is OK, we just can't use SASL EXTERNAL */
554 (void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
555
556 (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
557 LDAP_FREE( authid.bv_val );
558 #ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
559 if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
560 void *cb;
561 cb = ldap_pvt_sasl_cbinding( ssl,
562 ld->ld_options.ldo_sasl_cbinding,
563 0 );
564 if ( cb != NULL ) {
565 sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
566 SASL_CHANNEL_BINDING, cb );
567 ld->ld_defconn->lconn_sasl_cbind = cb;
568 }
569 }
570 #endif
571 }
572 #endif
573
574 #if !defined(_WIN32)
575 /* Check for local */
576 if ( ldap_pvt_url_scheme2proto(
577 ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC )
578 {
579 char authid[sizeof("gidNumber=4294967295+uidNumber=4294967295,"
580 "cn=peercred,cn=external,cn=auth")];
581 sprintf( authid, "gidNumber=%u+uidNumber=%u,"
582 "cn=peercred,cn=external,cn=auth",
583 getegid(), geteuid() );
584 (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid,
585 LDAP_PVT_SASL_LOCAL_SSF );
586 }
587 #endif
588
589 /* (re)set security properties */
590 sasl_setprop( ctx, SASL_SEC_PROPS,
591 &ld->ld_options.ldo_sasl_secprops );
592
593 mech = NULL;
594
595 do {
596 saslrc = sasl_client_start( ctx,
597 mechs,
598 #if SASL_VERSION_MAJOR < 2
599 NULL,
600 #endif
601 &prompts,
602 (SASL_CONST char **)&ccred.bv_val,
603 &credlen,
604 &mech );
605
606 if( pmech == NULL && mech != NULL ) {
607 pmech = mech;
608 *rmech = mech;
609
610 if( flags != LDAP_SASL_QUIET ) {
611 fprintf(stderr,
612 "SASL/%s authentication started\n",
613 pmech );
614 }
615 }
616
617 if( saslrc == SASL_INTERACT ) {
618 int res;
619 if( !interact ) break;
620 res = (interact)( ld, flags, defaults, prompts );
621
622 if( res != LDAP_SUCCESS ) break;
623 }
624 } while ( saslrc == SASL_INTERACT );
625 rc = LDAP_SASL_BIND_IN_PROGRESS;
626
627 } else {
628 /* continuing an in-progress Bind */
629 struct berval *scred = NULL;
630
631 ctx = ld->ld_defconn->lconn_sasl_authctx;
632
633 rc = ldap_parse_sasl_bind_result( ld, result, &scred, 0 );
634 if ( rc != LDAP_SUCCESS ) {
635 if ( scred )
636 ber_bvfree( scred );
637 goto done;
638 }
639
640 rc = ldap_result2error( ld, result, 0 );
641 if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
642 if( scred ) {
643 /* and server provided us with data? */
644 Debug2( LDAP_DEBUG_TRACE,
645 "ldap_int_sasl_bind: rc=%d len=%ld\n",
646 rc, scred ? (long) scred->bv_len : -1L );
647 ber_bvfree( scred );
648 scred = NULL;
649 }
650 goto done;
651 }
652
653 mech = *rmech;
654 if ( rc == LDAP_SUCCESS && mech == NULL ) {
655 if ( scred )
656 ber_bvfree( scred );
657 goto success;
658 }
659
660 do {
661 if( ! scred ) {
662 /* no data! */
663 Debug0( LDAP_DEBUG_TRACE,
664 "ldap_int_sasl_bind: no data in step!\n" );
665 }
666
667 saslrc = sasl_client_step( ctx,
668 (scred == NULL) ? NULL : scred->bv_val,
669 (scred == NULL) ? 0 : scred->bv_len,
670 &prompts,
671 (SASL_CONST char **)&ccred.bv_val,
672 &credlen );
673
674 Debug1( LDAP_DEBUG_TRACE, "sasl_client_step: %d\n",
675 saslrc );
676
677 if( saslrc == SASL_INTERACT ) {
678 int res;
679 if( !interact ) break;
680 res = (interact)( ld, flags, defaults, prompts );
681 if( res != LDAP_SUCCESS ) break;
682 }
683 } while ( saslrc == SASL_INTERACT );
684
685 ber_bvfree( scred );
686 }
687
688 if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
689 rc = ld->ld_errno = sasl_err2ldap( saslrc );
690 #if SASL_VERSION_MAJOR >= 2
691 if ( ld->ld_error ) {
692 LDAP_FREE( ld->ld_error );
693 }
694 ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
695 #endif
696 goto done;
697 }
698
699 if ( saslrc == SASL_OK )
700 *rmech = NULL;
701
702 ccred.bv_len = credlen;
703
704 if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
705 rc = ldap_sasl_bind( ld, dn, mech, &ccred, sctrls, cctrls, msgid );
706
707 if ( ccred.bv_val != NULL ) {
708 #if SASL_VERSION_MAJOR < 2
709 LDAP_FREE( ccred.bv_val );
710 #endif
711 ccred.bv_val = NULL;
712 }
713 if ( rc == LDAP_SUCCESS )
714 rc = LDAP_SASL_BIND_IN_PROGRESS;
715 goto done;
716 }
717
718 success:
719 /* Conversation was completed successfully by now */
720 if( flags != LDAP_SASL_QUIET ) {
721 char *data;
722 saslrc = sasl_getprop( ctx, SASL_USERNAME,
723 (SASL_CONST void **)(char *) &data );
724 if( saslrc == SASL_OK && data && *data ) {
725 fprintf( stderr, "SASL username: %s\n", data );
726 }
727
728 #if SASL_VERSION_MAJOR < 2
729 saslrc = sasl_getprop( ctx, SASL_REALM,
730 (SASL_CONST void **) &data );
731 if( saslrc == SASL_OK && data && *data ) {
732 fprintf( stderr, "SASL realm: %s\n", data );
733 }
734 #endif
735 }
736
737 ssf = NULL;
738 saslrc = sasl_getprop( ctx, SASL_SSF, (SASL_CONST void **)(char *) &ssf );
739 if( saslrc == SASL_OK ) {
740 if( flags != LDAP_SASL_QUIET ) {
741 fprintf( stderr, "SASL SSF: %lu\n",
742 (unsigned long) *ssf );
743 }
744
745 if( ssf && *ssf ) {
746 if ( ld->ld_defconn->lconn_sasl_sockctx ) {
747 sasl_conn_t *oldctx = ld->ld_defconn->lconn_sasl_sockctx;
748 sasl_dispose( &oldctx );
749 ldap_pvt_sasl_remove( ld->ld_defconn->lconn_sb );
750 }
751 ldap_pvt_sasl_install( ld->ld_defconn->lconn_sb, ctx );
752 ld->ld_defconn->lconn_sasl_sockctx = ctx;
753
754 if( flags != LDAP_SASL_QUIET ) {
755 fprintf( stderr, "SASL data security layer installed.\n" );
756 }
757 }
758 }
759 ld->ld_defconn->lconn_sasl_authctx = ctx;
760
761 done:
762 return rc;
763 }
764
765 int
766 ldap_int_sasl_external(
767 LDAP *ld,
768 LDAPConn *conn,
769 const char * authid,
770 ber_len_t ssf )
771 {
772 int sc;
773 sasl_conn_t *ctx;
774 #if SASL_VERSION_MAJOR < 2
775 sasl_external_properties_t extprops;
776 #else
777 sasl_ssf_t sasl_ssf = ssf;
778 #endif
779
780 ctx = conn->lconn_sasl_authctx;
781
782 if ( ctx == NULL ) {
783 return LDAP_LOCAL_ERROR;
784 }
785
786 #if SASL_VERSION_MAJOR >= 2
787 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &sasl_ssf );
788 if ( sc == SASL_OK )
789 sc = sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid );
790 #else
791 memset( &extprops, '\0', sizeof(extprops) );
792 extprops.ssf = ssf;
793 extprops.auth_id = (char *) authid;
794
795 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
796 (void *) &extprops );
797 #endif
798
799 if ( sc != SASL_OK ) {
800 return LDAP_LOCAL_ERROR;
801 }
802
803 return LDAP_SUCCESS;
804 }
805
806
807 #define GOT_MINSSF 1
808 #define GOT_MAXSSF 2
809 #define GOT_MAXBUF 4
810
811 static struct {
812 struct berval key;
813 int sflag;
814 int ival;
815 int idef;
816 } sprops[] = {
817 { BER_BVC("none"), 0, 0, 0 },
818 { BER_BVC("nodict"), SASL_SEC_NODICTIONARY, 0, 0 },
819 { BER_BVC("noplain"), SASL_SEC_NOPLAINTEXT, 0, 0 },
820 { BER_BVC("noactive"), SASL_SEC_NOACTIVE, 0, 0 },
821 { BER_BVC("passcred"), SASL_SEC_PASS_CREDENTIALS, 0, 0 },
822 { BER_BVC("forwardsec"), SASL_SEC_FORWARD_SECRECY, 0, 0 },
823 { BER_BVC("noanonymous"), SASL_SEC_NOANONYMOUS, 0, 0 },
824 { BER_BVC("minssf="), 0, GOT_MINSSF, 0 },
825 { BER_BVC("maxssf="), 0, GOT_MAXSSF, INT_MAX },
826 { BER_BVC("maxbufsize="), 0, GOT_MAXBUF, 65536 },
827 { BER_BVNULL, 0, 0, 0 }
828 };
829
830 void ldap_pvt_sasl_secprops_unparse(
831 sasl_security_properties_t *secprops,
832 struct berval *out )
833 {
834 int i, l = 0;
835 int comma;
836 char *ptr;
837
838 if ( secprops == NULL || out == NULL ) {
839 return;
840 }
841
842 comma = 0;
843 for ( i=0; !BER_BVISNULL( &sprops[i].key ); i++ ) {
844 if ( sprops[i].ival ) {
845 int v = 0;
846
847 switch( sprops[i].ival ) {
848 case GOT_MINSSF: v = secprops->min_ssf; break;
849 case GOT_MAXSSF: v = secprops->max_ssf; break;
850 case GOT_MAXBUF: v = secprops->maxbufsize; break;
851 }
852 /* It is the default, ignore it */
853 if ( v == sprops[i].idef ) continue;
854
855 l += sprops[i].key.bv_len + 24;
856 } else if ( sprops[i].sflag ) {
857 if ( sprops[i].sflag & secprops->security_flags ) {
858 l += sprops[i].key.bv_len;
859 }
860 } else if ( secprops->security_flags == 0 ) {
861 l += sprops[i].key.bv_len;
862 }
863 if ( comma ) l++;
864 comma = 1;
865 }
866 l++;
867
868 out->bv_val = LDAP_MALLOC( l );
869 if ( out->bv_val == NULL ) {
870 out->bv_len = 0;
871 return;
872 }
873
874 ptr = out->bv_val;
875 comma = 0;
876 for ( i=0; !BER_BVISNULL( &sprops[i].key ); i++ ) {
877 if ( sprops[i].ival ) {
878 int v = 0;
879
880 switch( sprops[i].ival ) {
881 case GOT_MINSSF: v = secprops->min_ssf; break;
882 case GOT_MAXSSF: v = secprops->max_ssf; break;
883 case GOT_MAXBUF: v = secprops->maxbufsize; break;
884 }
885 /* It is the default, ignore it */
886 if ( v == sprops[i].idef ) continue;
887
888 if ( comma ) *ptr++ = ',';
889 ptr += sprintf(ptr, "%s%d", sprops[i].key.bv_val, v );
890 comma = 1;
891 } else if ( sprops[i].sflag ) {
892 if ( sprops[i].sflag & secprops->security_flags ) {
893 if ( comma ) *ptr++ = ',';
894 ptr += sprintf(ptr, "%s", sprops[i].key.bv_val );
895 comma = 1;
896 }
897 } else if ( secprops->security_flags == 0 ) {
898 if ( comma ) *ptr++ = ',';
899 ptr += sprintf(ptr, "%s", sprops[i].key.bv_val );
900 comma = 1;
901 }
902 }
903 out->bv_len = ptr - out->bv_val;
904 }
905
906 int ldap_pvt_sasl_secprops(
907 const char *in,
908 sasl_security_properties_t *secprops )
909 {
910 unsigned i, j, l;
911 char **props;
912 unsigned sflags = 0;
913 int got_sflags = 0;
914 sasl_ssf_t max_ssf = 0;
915 int got_max_ssf = 0;
916 sasl_ssf_t min_ssf = 0;
917 int got_min_ssf = 0;
918 unsigned maxbufsize = 0;
919 int got_maxbufsize = 0;
920
921 if( secprops == NULL ) {
922 return LDAP_PARAM_ERROR;
923 }
924 props = ldap_str2charray( in, "," );
925 if( props == NULL ) {
926 return LDAP_PARAM_ERROR;
927 }
928
929 for( i=0; props[i]; i++ ) {
930 l = strlen( props[i] );
931 for ( j=0; !BER_BVISNULL( &sprops[j].key ); j++ ) {
932 if ( l < sprops[j].key.bv_len ) continue;
933 if ( strncasecmp( props[i], sprops[j].key.bv_val,
934 sprops[j].key.bv_len )) continue;
935 if ( sprops[j].ival ) {
936 unsigned v;
937 char *next = NULL;
938 if ( !isdigit( (unsigned char)props[i][sprops[j].key.bv_len] ))
939 continue;
940 v = strtoul( &props[i][sprops[j].key.bv_len], &next, 10 );
941 if ( next == &props[i][sprops[j].key.bv_len] || next[0] != '\0' ) continue;
942 switch( sprops[j].ival ) {
943 case GOT_MINSSF:
944 min_ssf = v; got_min_ssf++; break;
945 case GOT_MAXSSF:
946 max_ssf = v; got_max_ssf++; break;
947 case GOT_MAXBUF:
948 maxbufsize = v; got_maxbufsize++; break;
949 }
950 } else {
951 if ( props[i][sprops[j].key.bv_len] ) continue;
952 if ( sprops[j].sflag )
953 sflags |= sprops[j].sflag;
954 else
955 sflags = 0;
956 got_sflags++;
957 }
958 break;
959 }
960 if ( BER_BVISNULL( &sprops[j].key )) {
961 ldap_charray_free( props );
962 return LDAP_NOT_SUPPORTED;
963 }
964 }
965
966 if(got_sflags) {
967 secprops->security_flags = sflags;
968 }
969 if(got_min_ssf) {
970 secprops->min_ssf = min_ssf;
971 }
972 if(got_max_ssf) {
973 secprops->max_ssf = max_ssf;
974 }
975 if(got_maxbufsize) {
976 secprops->maxbufsize = maxbufsize;
977 }
978
979 ldap_charray_free( props );
980 return LDAP_SUCCESS;
981 }
982
983 int
984 ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
985 {
986 int rc, i;
987
988 switch( option ) {
989 case LDAP_OPT_X_SASL_SECPROPS:
990 rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
991 if( rc == LDAP_SUCCESS ) return 0;
992 break;
993 case LDAP_OPT_X_SASL_CBINDING:
994 i = ldap_pvt_sasl_cbinding_parse( arg );
995 if ( i >= 0 ) {
996 lo->ldo_sasl_cbinding = i;
997 return 0;
998 }
999 break;
1000 }
1001
1002 return -1;
1003 }
1004
1005 int
1006 ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
1007 {
1008 if ( option == LDAP_OPT_X_SASL_MECHLIST ) {
1009 *(char ***)arg = (char **)sasl_global_listmech();
1010 return 0;
1011 }
1012
1013 if ( ld == NULL )
1014 return -1;
1015
1016 switch ( option ) {
1017 case LDAP_OPT_X_SASL_MECH: {
1018 *(char **)arg = ld->ld_options.ldo_def_sasl_mech
1019 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
1020 } break;
1021 case LDAP_OPT_X_SASL_REALM: {
1022 *(char **)arg = ld->ld_options.ldo_def_sasl_realm
1023 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
1024 } break;
1025 case LDAP_OPT_X_SASL_AUTHCID: {
1026 *(char **)arg = ld->ld_options.ldo_def_sasl_authcid
1027 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
1028 } break;
1029 case LDAP_OPT_X_SASL_AUTHZID: {
1030 *(char **)arg = ld->ld_options.ldo_def_sasl_authzid
1031 ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
1032 } break;
1033
1034 case LDAP_OPT_X_SASL_SSF: {
1035 int sc;
1036 sasl_ssf_t *ssf;
1037 sasl_conn_t *ctx;
1038
1039 if( ld->ld_defconn == NULL ) {
1040 return -1;
1041 }
1042
1043 ctx = ld->ld_defconn->lconn_sasl_sockctx;
1044
1045 if ( ctx == NULL ) {
1046 return -1;
1047 }
1048
1049 sc = sasl_getprop( ctx, SASL_SSF,
1050 (SASL_CONST void **)(char *) &ssf );
1051
1052 if ( sc != SASL_OK ) {
1053 return -1;
1054 }
1055
1056 *(ber_len_t *)arg = *ssf;
1057 } break;
1058
1059 case LDAP_OPT_X_SASL_SSF_EXTERNAL:
1060 /* this option is write only */
1061 return -1;
1062
1063 case LDAP_OPT_X_SASL_SSF_MIN:
1064 *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.min_ssf;
1065 break;
1066 case LDAP_OPT_X_SASL_SSF_MAX:
1067 *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.max_ssf;
1068 break;
1069 case LDAP_OPT_X_SASL_MAXBUFSIZE:
1070 *(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize;
1071 break;
1072 case LDAP_OPT_X_SASL_NOCANON:
1073 *(int *)arg = (int) LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
1074 break;
1075
1076 case LDAP_OPT_X_SASL_USERNAME: {
1077 int sc;
1078 char *username;
1079 sasl_conn_t *ctx;
1080
1081 if( ld->ld_defconn == NULL ) {
1082 return -1;
1083 }
1084
1085 ctx = ld->ld_defconn->lconn_sasl_authctx;
1086
1087 if ( ctx == NULL ) {
1088 return -1;
1089 }
1090
1091 sc = sasl_getprop( ctx, SASL_USERNAME,
1092 (SASL_CONST void **)(char **) &username );
1093
1094 if ( sc != SASL_OK ) {
1095 return -1;
1096 }
1097
1098 *(char **)arg = username ? LDAP_STRDUP( username ) : NULL;
1099 } break;
1100
1101 case LDAP_OPT_X_SASL_SECPROPS:
1102 /* this option is write only */
1103 return -1;
1104
1105 case LDAP_OPT_X_SASL_CBINDING:
1106 *(int *)arg = ld->ld_options.ldo_sasl_cbinding;
1107 break;
1108
1109 #ifdef SASL_GSS_CREDS
1110 case LDAP_OPT_X_SASL_GSS_CREDS: {
1111 sasl_conn_t *ctx;
1112 int sc;
1113
1114 if ( ld->ld_defconn == NULL )
1115 return -1;
1116
1117 ctx = ld->ld_defconn->lconn_sasl_authctx;
1118 if ( ctx == NULL )
1119 return -1;
1120
1121 sc = sasl_getprop( ctx, SASL_GSS_CREDS, arg );
1122 if ( sc != SASL_OK )
1123 return -1;
1124 }
1125 break;
1126 #endif
1127
1128 default:
1129 return -1;
1130 }
1131 return 0;
1132 }
1133
1134 int
1135 ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
1136 {
1137 if ( ld == NULL )
1138 return -1;
1139
1140 if ( arg == NULL && option != LDAP_OPT_X_SASL_NOCANON )
1141 return -1;
1142
1143 switch ( option ) {
1144 case LDAP_OPT_X_SASL_SSF:
1145 case LDAP_OPT_X_SASL_USERNAME:
1146 /* This option is read-only */
1147 return -1;
1148
1149 case LDAP_OPT_X_SASL_SSF_EXTERNAL: {
1150 int sc;
1151 #if SASL_VERSION_MAJOR < 2
1152 sasl_external_properties_t extprops;
1153 #else
1154 sasl_ssf_t sasl_ssf;
1155 #endif
1156 sasl_conn_t *ctx;
1157
1158 if( ld->ld_defconn == NULL ) {
1159 return -1;
1160 }
1161
1162 ctx = ld->ld_defconn->lconn_sasl_authctx;
1163
1164 if ( ctx == NULL ) {
1165 return -1;
1166 }
1167
1168 #if SASL_VERSION_MAJOR >= 2
1169 sasl_ssf = * (ber_len_t *)arg;
1170 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &sasl_ssf);
1171 #else
1172 memset(&extprops, 0L, sizeof(extprops));
1173
1174 extprops.ssf = * (ber_len_t *) arg;
1175
1176 sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
1177 (void *) &extprops );
1178 #endif
1179
1180 if ( sc != SASL_OK ) {
1181 return -1;
1182 }
1183 } break;
1184
1185 case LDAP_OPT_X_SASL_SSF_MIN:
1186 ld->ld_options.ldo_sasl_secprops.min_ssf = *(ber_len_t *)arg;
1187 break;
1188 case LDAP_OPT_X_SASL_SSF_MAX:
1189 ld->ld_options.ldo_sasl_secprops.max_ssf = *(ber_len_t *)arg;
1190 break;
1191 case LDAP_OPT_X_SASL_MAXBUFSIZE:
1192 ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg;
1193 break;
1194 case LDAP_OPT_X_SASL_NOCANON:
1195 if ( arg == LDAP_OPT_OFF ) {
1196 LDAP_BOOL_CLR(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
1197 } else {
1198 LDAP_BOOL_SET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
1199 }
1200 break;
1201
1202 case LDAP_OPT_X_SASL_SECPROPS: {
1203 int sc;
1204 sc = ldap_pvt_sasl_secprops( (char *) arg,
1205 &ld->ld_options.ldo_sasl_secprops );
1206
1207 return sc == LDAP_SUCCESS ? 0 : -1;
1208 }
1209
1210 case LDAP_OPT_X_SASL_CBINDING:
1211 if ( !arg ) return -1;
1212 switch( *(int *) arg ) {
1213 case LDAP_OPT_X_SASL_CBINDING_NONE:
1214 case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
1215 case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
1216 ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
1217 return 0;
1218 }
1219 return -1;
1220
1221 #ifdef SASL_GSS_CREDS
1222 case LDAP_OPT_X_SASL_GSS_CREDS: {
1223 sasl_conn_t *ctx;
1224 int sc;
1225
1226 if ( ld->ld_defconn == NULL )
1227 return -1;
1228
1229 ctx = ld->ld_defconn->lconn_sasl_authctx;
1230 if ( ctx == NULL )
1231 return -1;
1232
1233 sc = sasl_setprop( ctx, SASL_GSS_CREDS, arg );
1234 if ( sc != SASL_OK )
1235 return -1;
1236 }
1237 break;
1238 #endif
1239
1240 default:
1241 return -1;
1242 }
1243 return 0;
1244 }
1245
1246 #ifdef LDAP_R_COMPILE
1247 #define LDAP_DEBUG_R_SASL
1248 void *ldap_pvt_sasl_mutex_new(void)
1249 {
1250 ldap_pvt_thread_mutex_t *mutex;
1251
1252 mutex = (ldap_pvt_thread_mutex_t *) LDAP_CALLOC( 1,
1253 sizeof(ldap_pvt_thread_mutex_t) );
1254
1255 if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
1256 return mutex;
1257 }
1258 LDAP_FREE( mutex );
1259 #ifndef LDAP_DEBUG_R_SASL
1260 assert( 0 );
1261 #endif /* !LDAP_DEBUG_R_SASL */
1262 return NULL;
1263 }
1264
1265 int ldap_pvt_sasl_mutex_lock(void *mutex)
1266 {
1267 #ifdef LDAP_DEBUG_R_SASL
1268 if ( mutex == NULL ) {
1269 return SASL_OK;
1270 }
1271 #else /* !LDAP_DEBUG_R_SASL */
1272 assert( mutex != NULL );
1273 #endif /* !LDAP_DEBUG_R_SASL */
1274 return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex )
1275 ? SASL_FAIL : SASL_OK;
1276 }
1277
1278 int ldap_pvt_sasl_mutex_unlock(void *mutex)
1279 {
1280 #ifdef LDAP_DEBUG_R_SASL
1281 if ( mutex == NULL ) {
1282 return SASL_OK;
1283 }
1284 #else /* !LDAP_DEBUG_R_SASL */
1285 assert( mutex != NULL );
1286 #endif /* !LDAP_DEBUG_R_SASL */
1287 return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex )
1288 ? SASL_FAIL : SASL_OK;
1289 }
1290
1291 void ldap_pvt_sasl_mutex_dispose(void *mutex)
1292 {
1293 #ifdef LDAP_DEBUG_R_SASL
1294 if ( mutex == NULL ) {
1295 return;
1296 }
1297 #else /* !LDAP_DEBUG_R_SASL */
1298 assert( mutex != NULL );
1299 #endif /* !LDAP_DEBUG_R_SASL */
1300 (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
1301 LDAP_FREE( mutex );
1302 }
1303 #endif
1304
1305 #else
1306 int ldap_int_sasl_init( void )
1307 { return LDAP_SUCCESS; }
1308
1309 int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
1310 { return LDAP_SUCCESS; }
1311
1312 int
1313 ldap_int_sasl_bind(
1314 LDAP *ld,
1315 const char *dn,
1316 const char *mechs,
1317 LDAPControl **sctrls,
1318 LDAPControl **cctrls,
1319 unsigned flags,
1320 LDAP_SASL_INTERACT_PROC *interact,
1321 void *defaults,
1322 LDAPMessage *result,
1323 const char **rmech,
1324 int *msgid )
1325 { return LDAP_NOT_SUPPORTED; }
1326
1327 int
1328 ldap_int_sasl_external(
1329 LDAP *ld,
1330 LDAPConn *conn,
1331 const char * authid,
1332 ber_len_t ssf )
1333 { return LDAP_SUCCESS; }
1334
1335 #endif /* HAVE_CYRUS_SASL */
Windows API implementation