--- libraries/libldap/sasl.c	1999/12/12 02:16:46	1.3
+++ libraries/libldap/sasl.c	2006/01/03 22:12:09	1.63
@@ -1,7 +1,19 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.2 1999/09/08 17:06:29 kdz Exp $ */
-/*
- * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.62 2005/12/13 19:11:26 ando Exp $ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2006 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* Portions Copyright (C) The Internet Society (1997)
+ * ASN.1 fragments are from RFC 2251; see RFC for full legal notices.
  */
 
 /*
@@ -10,7 +22,7 @@
  *		name		DistinguishedName,	 -- who
  *		authentication	CHOICE {
  *			simple		[0] OCTET STRING -- passwd
-#ifdef HAVE_KERBEROS
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  *			krbv42ldap	[1] OCTET STRING
  *			krbv42dsa	[2] OCTET STRING
 #endif
@@ -30,20 +42,22 @@
 #include <stdio.h>
 
 #include <ac/socket.h>
+#include <ac/stdlib.h>
 #include <ac/string.h>
 #include <ac/time.h>
+#include <ac/errno.h>
 
 #include "ldap-int.h"
 
-
 /*
- * ldap_sasl_bind - bind to the ldap server (and X.500).  The dn, mechanism, and
- * credentials of the entry to which to bind are supplied.  The message id
- * of the request initiated is provided upon successful (LDAP_SUCCESS) return.
+ * ldap_sasl_bind - bind to the ldap server (and X.500).
+ * The dn (usually NULL), mechanism, and credentials are provided.
+ * The message id of the request initiated is provided upon successful
+ * (LDAP_SUCCESS) return.
  *
  * Example:
- *	ldap_sasl_bind( ld, "cn=manager, o=university of michigan, c=us",
- *	    "mechanism", "secret", NULL, NULL, &msgid )
+ *	ldap_sasl_bind( ld, NULL, "mechanism",
+ *		cred, NULL, NULL, &msgid )
  */
 
 int
@@ -58,6 +72,7 @@ ldap_sasl_bind(
 {
 	BerElement	*ber;
 	int rc;
+	ber_int_t id;
 
 	Debug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 );
 
@@ -65,20 +80,24 @@ ldap_sasl_bind(
 	assert( LDAP_VALID( ld ) );
 	assert( msgidp != NULL );
 
-	if( msgidp == NULL ) {
-		ld->ld_errno = LDAP_PARAM_ERROR;
-		return ld->ld_errno;
-	}
+	/* check client controls */
+	rc = ldap_int_client_controls( ld, cctrls );
+	if( rc != LDAP_SUCCESS ) return rc;
+
+	if( mechanism == LDAP_SASL_SIMPLE ) {
+		if( dn == NULL && cred != NULL && cred->bv_len ) {
+			/* use default binddn */
+			dn = ld->ld_defbinddn;
+		}
 
-	if( mechanism != LDAP_SASL_SIMPLE
-		&& ld->ld_version < LDAP_VERSION3)
-	{
+	} else if( ld->ld_version < LDAP_VERSION3 ) {
 		ld->ld_errno = LDAP_NOT_SUPPORTED;
 		return ld->ld_errno;
 	}
 
-	if ( dn == NULL )
+	if ( dn == NULL ) {
 		dn = "";
+	}
 
 	/* create a message to send */
 	if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
@@ -86,26 +105,27 @@ ldap_sasl_bind(
 		return ld->ld_errno;
 	}
 
-	assert( BER_VALID( ber ) );
+	assert( LBER_VALID( ber ) );
 
+	LDAP_NEXT_MSGID( ld, id );
 	if( mechanism == LDAP_SASL_SIMPLE ) {
 		/* simple bind */
-		rc = ber_printf( ber, "{it{istO}" /*}*/,
-			++ld->ld_msgid, LDAP_REQ_BIND,
+		rc = ber_printf( ber, "{it{istON}" /*}*/,
+			id, LDAP_REQ_BIND,
 			ld->ld_version, dn, LDAP_AUTH_SIMPLE,
 			cred );
 		
-	} else if ( cred == NULL ) {
-		/* SASL bind w/o creditials */
-		rc = ber_printf( ber, "{it{ist{s}}" /*}*/,
-			++ld->ld_msgid, LDAP_REQ_BIND,
+	} else if ( cred == NULL || cred->bv_val == NULL ) {
+		/* SASL bind w/o credentials */
+		rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
+			id, LDAP_REQ_BIND,
 			ld->ld_version, dn, LDAP_AUTH_SASL,
 			mechanism );
 
 	} else {
-		/* SASL bind w/ creditials */
-		rc = ber_printf( ber, "{it{ist{sO}}" /*}*/,
-			++ld->ld_msgid, LDAP_REQ_BIND,
+		/* SASL bind w/ credentials */
+		rc = ber_printf( ber, "{it{ist{sON}N}" /*}*/,
+			id, LDAP_REQ_BIND,
 			ld->ld_version, dn, LDAP_AUTH_SASL,
 			mechanism, cred );
 	}
@@ -122,20 +142,15 @@ ldap_sasl_bind(
 		return ld->ld_errno;
 	}
 
-	if ( ber_printf( ber, /*{*/ "}" ) == -1 ) {
+	if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
 		ld->ld_errno = LDAP_ENCODING_ERROR;
 		ber_free( ber, 1 );
 		return ld->ld_errno;
 	}
 
-#ifndef LDAP_NOCACHE
-	if ( ld->ld_cache != NULL ) {
-		ldap_flush_cache( ld );
-	}
-#endif /* !LDAP_NOCACHE */
 
 	/* send the message */
-	*msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber );
+	*msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
 
 	if(*msgidp < 0)
 		return ld->ld_errno;
@@ -143,16 +158,6 @@ ldap_sasl_bind(
 	return LDAP_SUCCESS;
 }
 
-/*
- * ldap_sasl_bind_s - bind to the ldap server (and X.500) using simple
- * authentication.  The dn and password of the entry to which to bind are
- * supplied.  LDAP_SUCCESS is returned upon success, the ldap error code
- * otherwise.
- *
- * Example:
- *	ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us",
- *	    "mechanism", "secret", NULL, NULL, &servercred )
- */
 
 int
 ldap_sasl_bind_s(
@@ -185,7 +190,13 @@ ldap_sasl_bind_s(
 		return( rc );
 	}
 
-	if ( ldap_result( ld, msgid, 1, NULL, &result ) == -1 ) {
+#ifdef LDAP_CONNECTIONLESS
+	if (LDAP_IS_UDP(ld)) {
+		return( rc );
+	}
+#endif
+
+	if ( ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &result ) == -1 ) {
 		return( ld->ld_errno );	/* ldap_result sets ld_errno */
 	}
 
@@ -195,19 +206,21 @@ ldap_sasl_bind_s(
 		rc = ldap_parse_sasl_bind_result( ld, result, &scredp, 0 );
 	}
 
-	if( rc != LDAP_SUCCESS ) {
+	if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
 		ldap_msgfree( result );
 		return( rc );
 	}
 
 	rc = ldap_result2error( ld, result, 1 );
 
-	if( rc == LDAP_SUCCESS ) {
+	if ( rc == LDAP_SUCCESS || rc == LDAP_SASL_BIND_IN_PROGRESS ) {
 		if( servercredp != NULL ) {
 			*servercredp = scredp;
+			scredp = NULL;
 		}
+	}
 
-	} else if (scredp != NULL ) {
+	if ( scredp != NULL ) {
 		ber_bvfree(scredp);
 	}
 
@@ -216,18 +229,18 @@ ldap_sasl_bind_s(
 
 
 /*
- * Parse BindResponse:
- *
- *   BindResponse ::= [APPLICATION 1] SEQUENCE {
- *     COMPONENTS OF LDAPResult,
- *     serverSaslCreds  [7] OCTET STRING OPTIONAL }
- *
- *   LDAPResult ::= SEQUENCE {
- *     resultCode      ENUMERATED,
- *     matchedDN       LDAPDN,
- *     errorMessage    LDAPString,
- *     referral        [3] Referral OPTIONAL }
- */
+* Parse BindResponse:
+*
+*   BindResponse ::= [APPLICATION 1] SEQUENCE {
+*     COMPONENTS OF LDAPResult,
+*     serverSaslCreds  [7] OCTET STRING OPTIONAL }
+*
+*   LDAPResult ::= SEQUENCE {
+*     resultCode      ENUMERATED,
+*     matchedDN       LDAPDN,
+*     errorMessage    LDAPString,
+*     referral        [3] Referral OPTIONAL }
+*/
 
 int
 ldap_parse_sasl_bind_result(
@@ -248,18 +261,14 @@ ldap_parse_sasl_bind_result(
 	assert( LDAP_VALID( ld ) );
 	assert( res != NULL );
 
-	if ( ld == NULL || res == NULL ) {
-		return LDAP_PARAM_ERROR;
-	}
-
-	if(servercredp != NULL) {
+	if( servercredp != NULL ) {
 		if( ld->ld_version < LDAP_VERSION2 ) {
 			return LDAP_NOT_SUPPORTED;
 		}
 		*servercredp = NULL;
 	}
 
-	if( res->lm_msgtype == LDAP_RES_BIND ) {
+	if( res->lm_msgtype != LDAP_RES_BIND ) {
 		ld->ld_errno = LDAP_PARAM_ERROR;
 		return ld->ld_errno;
 	}
@@ -285,8 +294,13 @@ ldap_parse_sasl_bind_result(
 	}
 
 	if ( ld->ld_version < LDAP_VERSION2 ) {
+#ifdef LDAP_NULL_IS_NULL
+		tag = ber_scanf( ber, "{iA}",
+			&errcode, &ld->ld_error );
+#else /* ! LDAP_NULL_IS_NULL */
 		tag = ber_scanf( ber, "{ia}",
 			&errcode, &ld->ld_error );
+#endif /* ! LDAP_NULL_IS_NULL */
 
 		if( tag == LBER_ERROR ) {
 			ber_free( ber, 0 );
@@ -297,8 +311,13 @@ ldap_parse_sasl_bind_result(
 	} else {
 		ber_len_t len;
 
-		tag = ber_scanf( ber, "{iaa" /*}*/,
+#ifdef LDAP_NULL_IS_NULL
+		tag = ber_scanf( ber, "{eAA" /*}*/,
 			&errcode, &ld->ld_matched, &ld->ld_error );
+#else /* ! LDAP_NULL_IS_NULL */
+		tag = ber_scanf( ber, "{eaa" /*}*/,
+			&errcode, &ld->ld_matched, &ld->ld_error );
+#endif /* ! LDAP_NULL_IS_NULL */
 
 		if( tag == LBER_ERROR ) {
 			ber_free( ber, 0 );
@@ -345,3 +364,127 @@ ldap_parse_sasl_bind_result(
 
 	return( ld->ld_errno );
 }
+
+int
+ldap_pvt_sasl_getmechs ( LDAP *ld, char **pmechlist )
+{
+	/* we need to query the server for supported mechs anyway */
+	LDAPMessage *res, *e;
+	char *attrs[] = { "supportedSASLMechanisms", NULL };
+	char **values, *mechlist;
+	int rc;
+
+	Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_getmech\n", 0, 0, 0 );
+
+	rc = ldap_search_s( ld, "", LDAP_SCOPE_BASE,
+		NULL, attrs, 0, &res );
+
+	if ( rc != LDAP_SUCCESS ) {
+		return ld->ld_errno;
+	}
+		
+	e = ldap_first_entry( ld, res );
+	if ( e == NULL ) {
+		ldap_msgfree( res );
+		if ( ld->ld_errno == LDAP_SUCCESS ) {
+			ld->ld_errno = LDAP_NO_SUCH_OBJECT;
+		}
+		return ld->ld_errno;
+	}
+
+	values = ldap_get_values( ld, e, "supportedSASLMechanisms" );
+	if ( values == NULL ) {
+		ldap_msgfree( res );
+		ld->ld_errno = LDAP_NO_SUCH_ATTRIBUTE;
+		return ld->ld_errno;
+	}
+
+	mechlist = ldap_charray2str( values, " " );
+	if ( mechlist == NULL ) {
+		LDAP_VFREE( values );
+		ldap_msgfree( res );
+		ld->ld_errno = LDAP_NO_MEMORY;
+		return ld->ld_errno;
+	} 
+
+	LDAP_VFREE( values );
+	ldap_msgfree( res );
+
+	*pmechlist = mechlist;
+
+	return LDAP_SUCCESS;
+}
+
+/*
+ * ldap_sasl_interactive_bind_s - interactive SASL authentication
+ *
+ * This routine uses interactive callbacks.
+ *
+ * LDAP_SUCCESS is returned upon success, the ldap error code
+ * otherwise.
+ */
+int
+ldap_sasl_interactive_bind_s(
+	LDAP *ld,
+	LDAP_CONST char *dn, /* usually NULL */
+	LDAP_CONST char *mechs,
+	LDAPControl **serverControls,
+	LDAPControl **clientControls,
+	unsigned flags,
+	LDAP_SASL_INTERACT_PROC *interact,
+	void *defaults )
+{
+	int rc;
+	char *smechs = NULL;
+
+#if defined( LDAP_R_COMPILE ) && defined( HAVE_CYRUS_SASL )
+	ldap_pvt_thread_mutex_lock( &ldap_int_sasl_mutex );
+#endif
+#ifdef LDAP_CONNECTIONLESS
+	if( LDAP_IS_UDP(ld) ) {
+		/* Just force it to simple bind, silly to make the user
+		 * ask all the time. No, we don't ever actually bind, but I'll
+		 * let the final bind handler take care of saving the cdn.
+		 */
+		rc = ldap_simple_bind( ld, dn, NULL );
+		rc = rc < 0 ? rc : 0;
+		goto done;
+	} else
+#endif
+
+#ifdef HAVE_CYRUS_SASL
+	if( mechs == NULL || *mechs == '\0' ) {
+		mechs = ld->ld_options.ldo_def_sasl_mech;
+	}
+#endif
+		
+	if( mechs == NULL || *mechs == '\0' ) {
+		rc = ldap_pvt_sasl_getmechs( ld, &smechs );
+		if( rc != LDAP_SUCCESS ) {
+			goto done;
+		}
+
+		Debug( LDAP_DEBUG_TRACE,
+			"ldap_sasl_interactive_bind_s: server supports: %s\n",
+			smechs, 0, 0 );
+
+		mechs = smechs;
+
+	} else {
+		Debug( LDAP_DEBUG_TRACE,
+			"ldap_sasl_interactive_bind_s: user selected: %s\n",
+			mechs, 0, 0 );
+	}
+
+	rc = ldap_int_sasl_bind( ld, dn, mechs,
+		serverControls, clientControls,
+		flags, interact, defaults );
+
+done:
+#if defined( LDAP_R_COMPILE ) && defined( HAVE_CYRUS_SASL )
+	ldap_pvt_thread_mutex_unlock( &ldap_int_sasl_mutex );
+#endif
+	if ( smechs ) LDAP_FREE( smechs );
+
+	return rc;
+}