Working SASL security layers!

libraries/liblber/sockbuf.c

@@ -232,7 +232,9 @@ ber_pvt_sb_copy_out( Sockbuf_Buf *sbb, char *buf, ber_len_t len )
 
 	assert( buf != NULL );
 	assert( sbb != NULL );
+#if 0
 	assert( sbb->buf_size > 0 );
+#endif
 
 	max = sbb->buf_end - sbb->buf_ptr;
 	max = ( max < len) ? max : len;

libraries/libldap/cyrus.c

@@ -404,14 +404,8 @@ ldap_int_sasl_open(
 		return ld->ld_errno;
 	}
 
-	rc = sasl_client_new( "ldap", host,
-		session_callbacks,
-#ifdef LDAP_SASL_SECURITY_LAYER
-		SASL_SECURITY_LAYER,
-#else
-		0,
-#endif
-		&ctx );
+	rc = sasl_client_new( "ldap", host, session_callbacks,
+		SASL_SECURITY_LAYER, &ctx );
 
 	if ( rc != SASL_OK ) {
 		ld->ld_errno = sasl_err2ldap( rc );
@@ -636,14 +630,12 @@ ldap_int_sasl_bind(
 				(unsigned long) *ssf );
 		}
 
-#ifdef LDAP_SASL_SECURITY_LAYER
 		if( ssf && *ssf ) {
 			if( flags != LDAP_SASL_QUIET ) {
 				fprintf( stderr, "SASL installing layers\n" );
 			}
 			ldap_pvt_sasl_install( ld->ld_sb, ctx );
 		}
-#endif
 	}
 
 	return rc;

servers/slapd/bind.c

@@ -186,6 +186,7 @@ do_bind(
 
 	if ( method == LDAP_AUTH_SASL ) {
 		char *edn;
+		unsigned long ssf = 0;
 
 		if ( version < LDAP_VERSION3 ) {
 			Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
@@ -230,12 +231,14 @@ do_bind(
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 		edn = NULL;
-		rc = slap_sasl_bind( conn, op, dn, ndn, saslmech, &cred, &edn );
+		rc = slap_sasl_bind( conn, op, dn, ndn, saslmech, &cred,
+			&edn, &ssf );
 
 		if( rc == LDAP_SUCCESS ) {
 			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 			conn->c_dn = edn;
 			conn->c_authmech = mech;
+			if( ssf ) conn->c_sasl_layers++;
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 		} else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {

servers/slapd/connection.c

@@ -895,8 +895,9 @@ int connection_read(ber_socket_t s)
 			fd_set rfd;
 
 			Debug( LDAP_DEBUG_TRACE,
-			       "connection_read(%d): TLS accept error error=%d id=%ld, closing\n",
-			       s, rc, c->c_connid );
+				"connection_read(%d): TLS accept error "
+				"error=%d id=%ld, closing\n",
+				s, rc, c->c_connid );
 
 			c->c_needs_tls_accept = 0;
 			/* connections_mutex and c_mutex are locked */
@@ -931,6 +932,28 @@ int connection_read(ber_socket_t s)
 	}
 #endif
 
+#ifdef HAVE_CYRUS_SASL
+	if ( c->c_sasl_layers ) {
+		c->c_sasl_layers = 0;
+
+		rc = ldap_pvt_sasl_install( c->c_sb,  c->c_sasl_context );
+
+		if( rc != LDAP_SUCCESS ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"connection_read(%d): SASL install error "
+				"error=%d id=%ld, closing\n",
+				s, rc, c->c_connid );
+
+			/* connections_mutex and c_mutex are locked */
+			connection_closing( c );
+			connection_close( c );
+			connection_return( c );
+			ldap_pvt_thread_mutex_unlock( &connections_mutex );
+			return 0;
+		}
+	}
+#endif
+
 #define CONNECTION_INPUT_LOOP 1
 
 #ifdef DATA_READY_LOOP

servers/slapd/proto-slap.h

@@ -547,7 +547,7 @@ LDAP_SLAPD_F (int) slap_sasl_bind LDAP_P((
 	Connection *conn, Operation *op, 
 	const char *dn, const char *ndn,
 	const char *mech, struct berval *cred,
-	char **edn ));
+	char **edn, unsigned long *ssf ));
 
 /* oc.c */
 LDAP_SLAPD_F (int) oc_schema_info( Entry *e );

servers/slapd/sasl.c

@@ -246,6 +246,8 @@ int slap_sasl_open( Connection *conn )
 	assert( conn->c_sasl_context == NULL );
 	assert( conn->c_sasl_extra == NULL );
 
+	conn->c_sasl_layers = 0;
+
 	session_callbacks =
 		ch_calloc( 3, sizeof(sasl_callback_t));
 	conn->c_sasl_extra = session_callbacks;
@@ -264,14 +266,7 @@ int slap_sasl_open( Connection *conn )
 
 	/* create new SASL context */
 	sc = sasl_server_new( "ldap", sasl_host, global_realm,
-		session_callbacks,
-#ifdef LDAP_SASL_SECURITY_LAYER
-		SASL_SECURITY_LAYER,
-#else
-		0,
-#endif
-		&ctx );
-
+		session_callbacks, SASL_SECURITY_LAYER, &ctx );
 
 	if( sc != SASL_OK ) {
 		Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
@@ -394,7 +389,8 @@ int slap_sasl_bind(
     const char          *ndn,
     const char          *mech,
     struct berval       *cred,
-	char				**edn )
+	char				**edn,
+	unsigned long		*ssfp )
 {
 	int rc = 1;
 
@@ -406,7 +402,7 @@ int slap_sasl_bind(
 	int sc;
 
 	Debug(LDAP_DEBUG_ARGS,
-		"==> sasl_bind: dn=\"%s\" mech=%s cred->bv_len=%d\n",
+		"==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n",
 		dn, mech ? mech : "<continuing>", cred ? cred->bv_len : 0 );
 
 	if( ctx == NULL ) {
@@ -467,6 +463,7 @@ int slap_sasl_bind(
 				realm ? realm : "",
 				(unsigned long) ( ssf ? *ssf : 0 ) );
 
+			*ssfp = ssf ? *ssf : 0;
 
 			rc = LDAP_SUCCESS;
 
@@ -544,4 +541,3 @@ char* slap_sasl_secprops( const char *in )
 	return "SASL not supported";
 #endif
 }
-

servers/slapd/slap.h

@@ -1074,6 +1074,7 @@ typedef struct slap_conn {
 	int	c_is_tls;		/* true if this LDAP over raw TLS */
 	int	c_needs_tls_accept;	/* true if SSL_accept should be called */
 #endif
+	int		c_sasl_layers;	 /* true if we need to install SASL i/o handlers */
 	void	*c_sasl_context;	/* SASL session context */
 	void	*c_sasl_extra;		/* SASL session extra stuff */