xref: /illumos-gate/usr/src/lib/libldap5/sources/ldap/common/saslbind.c (revision 1da57d551424de5a9d469760be7c4b4d4f10a755)
1 /*
2  * Copyright 2002-2003 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
7  *
8  * The contents of this file are subject to the Netscape Public License
9  * Version 1.0 (the "NPL"); you may not use this file except in
10  * compliance with the NPL.  You may obtain a copy of the NPL at
11  * http://www.mozilla.org/NPL/
12  *
13  * Software distributed under the NPL is distributed on an "AS IS" basis,
14  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
15  * for the specific language governing rights and limitations under the
16  * NPL.
17  *
18  * The Initial Developer of the Original Code is Netscape
19  * Communications Corporation. Portions created by Netscape are
20  * Copyright (C) 1998-1999 Netscape Communications Corporation. All
21  * Rights Reserved.
22  *
23  * Contributor(s):
24  */
25 #include "ldap-int.h"
26 
27 /*
28  * ldap_sasl_bind - authenticate to the ldap server.  The dn, mechanism,
29  * and credentials of the entry to which to bind are supplied. An LDAP
30  * error code is returned and if LDAP_SUCCESS is returned *msgidp is set
31  * to the id of the request initiated.
32  *
33  * Example:
34  *	struct berval	creds;
35  *	LDAPControl	**ctrls;
36  *	int		err, msgid;
37  *	... fill in creds with credentials ...
38  *	... fill in ctrls with server controls ...
39  *	err = ldap_sasl_bind( ld, "cn=manager, o=university of michigan, c=us",
40  *	    "mechanismname", &creds, ctrls, NULL, &msgid );
41  */
42 int
43 LDAP_CALL
ldap_sasl_bind(LDAP * ld,const char * dn,const char * mechanism,const struct berval * cred,LDAPControl ** serverctrls,LDAPControl ** clientctrls,int * msgidp)44 ldap_sasl_bind(
45     LDAP		*ld,
46     const char		*dn,
47     const char		*mechanism,
48     const struct berval	*cred,
49     LDAPControl		**serverctrls,
50     LDAPControl		**clientctrls,
51     int			*msgidp
52 )
53 {
54 	BerElement	*ber;
55 	int		rc, simple, msgid, ldapversion;
56 
57 	/*
58 	 * The ldapv3 bind request looks like this:
59 	 *	BindRequest ::= SEQUENCE {
60 	 *		version		INTEGER,
61 	 *		name		DistinguishedName,	 -- who
62 	 *		authentication	CHOICE {
63 	 *			simple		[0] OCTET STRING, -- passwd
64 	 *			sasl		[3] SaslCredentials -- v3 only
65 	 *		}
66 	 *	}
67 	 *	SaslCredentials ::= SEQUENCE {
68 	 *		mechanism	LDAPString,
69 	 * 		credentials	OCTET STRING
70 	 *	}
71 	 * all wrapped up in an LDAPMessage sequence.
72 	 */
73 
74 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 );
75 
76 	if ( msgidp == NULL ) {
77 		LDAP_SET_LDERRNO( ld, LDAP_PARAM_ERROR, NULL, NULL );
78                 return( LDAP_PARAM_ERROR );
79 	}
80 
81 	simple = ( mechanism == LDAP_SASL_SIMPLE );
82 	ldapversion = NSLDAPI_LDAP_VERSION( ld );
83 
84 	/* only ldapv3 or higher can do sasl binds */
85 	if ( !simple && ldapversion < LDAP_VERSION3 ) {
86 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
87 		return( LDAP_NOT_SUPPORTED );
88 	}
89 
90 	LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK );
91 	msgid = ++ld->ld_msgid;
92 	LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK );
93 
94 	if ( dn == NULL )
95 		dn = "";
96 
97 	if ( ld->ld_cache_on && ld->ld_cache_bind != NULL ) {
98 		LDAP_MUTEX_LOCK( ld, LDAP_CACHE_LOCK );
99 		if ( (rc = (ld->ld_cache_bind)( ld, msgid, LDAP_REQ_BIND, dn,
100 		    cred, LDAP_AUTH_SASL )) != 0 ) {
101 			*msgidp = rc;
102 			LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK );
103 			return( LDAP_SUCCESS );
104 		}
105 		LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK );
106 	}
107 
108 	/* create a message to send */
109 	if (( rc = nsldapi_alloc_ber_with_options( ld, &ber ))
110 	    != LDAP_SUCCESS ) {
111 		return( rc );
112 	}
113 
114 	/* fill it in */
115 	if ( simple ) {		/* simple bind; works in LDAPv2 or v3 */
116 		struct berval	tmpcred;
117 
118 		if ( cred == NULL ) {
119 			tmpcred.bv_val = "";
120 			tmpcred.bv_len = 0;
121 			cred = &tmpcred;
122 		}
123 		rc = ber_printf( ber, "{it{isto}", msgid, LDAP_REQ_BIND,
124 		    ldapversion, dn, LDAP_AUTH_SIMPLE, cred->bv_val,
125 		    (int)cred->bv_len /* XXX lossy cast */ );
126 
127 	} else {		/* SASL bind; requires LDAPv3 or better */
128 		if ( cred == NULL ) {
129 			rc = ber_printf( ber, "{it{ist{s}}", msgid,
130 			    LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL,
131 			    mechanism );
132 		} else {
133 			rc = ber_printf( ber, "{it{ist{so}}", msgid,
134 			    LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL,
135 			    mechanism, cred->bv_val,
136 			    (int)cred->bv_len /* XXX lossy cast */ );
137 		}
138 	}
139 
140 	if ( rc == -1 ) {
141 		LDAP_SET_LDERRNO( ld, LDAP_ENCODING_ERROR, NULL, NULL );
142 		ber_free( ber, 1 );
143 		return( LDAP_ENCODING_ERROR );
144 	}
145 
146 	if ( (rc = nsldapi_put_controls( ld, serverctrls, 1, ber ))
147 	    != LDAP_SUCCESS ) {
148 		ber_free( ber, 1 );
149 		return( rc );
150 	}
151 
152 	/* send the message */
153 	rc = nsldapi_send_initial_request( ld, msgid, LDAP_REQ_BIND,
154 		(char *)dn, ber );
155 	*msgidp = rc;
156 	return( rc < 0 ? LDAP_GET_LDERRNO( ld, NULL, NULL ) : LDAP_SUCCESS );
157 }
158 
159 /*
160  * ldap_sasl_bind_s - bind to the ldap server using sasl authentication
161  * The dn, mechanism, and credentials of the entry to which to bind are
162  * supplied.  LDAP_SUCCESS is returned upon success, the ldap error code
163  * otherwise.
164  *
165  * Example:
166  *	struct berval	creds;
167  *	... fill in creds with credentials ...
168  *	ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us",
169  *	    "mechanismname", &creds )
170  */
171 int
172 LDAP_CALL
ldap_sasl_bind_s(LDAP * ld,const char * dn,const char * mechanism,const struct berval * cred,LDAPControl ** serverctrls,LDAPControl ** clientctrls,struct berval ** servercredp)173 ldap_sasl_bind_s(
174     LDAP		*ld,
175     const char		*dn,
176     const char		*mechanism,
177     const struct berval	*cred,
178     LDAPControl		**serverctrls,
179     LDAPControl		**clientctrls,
180     struct berval	**servercredp
181 )
182 {
183 	int		err, msgid;
184 	LDAPMessage	*result;
185 
186 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 );
187 
188 	if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) {
189 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
190 		return( LDAP_NOT_SUPPORTED );
191 	}
192 
193 	if ( ( err = ldap_sasl_bind( ld, dn, mechanism, cred, serverctrls,
194 	    clientctrls, &msgid )) != LDAP_SUCCESS )
195 		return( err );
196 
197 	if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &result ) == -1 )
198 		return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
199 
200 	err = ldap_parse_sasl_bind_result( ld, result, servercredp, 0 );
201 	if (err != LDAP_SUCCESS  && err != LDAP_SASL_BIND_IN_PROGRESS) {
202 		ldap_msgfree( result );
203 		return( err );
204 	}
205 
206 	return( ldap_result2error( ld, result, 1 ) );
207 }
208 
209 
210 /* returns an LDAP error code that indicates if parse succeeded or not */
211 int
212 LDAP_CALL
ldap_parse_sasl_bind_result(LDAP * ld,LDAPMessage * res,struct berval ** servercredp,int freeit)213 ldap_parse_sasl_bind_result(
214     LDAP		*ld,
215     LDAPMessage		*res,
216     struct berval	**servercredp,
217     int			freeit
218 )
219 {
220 	BerElement	ber;
221 	int		rc, err;
222 	ber_int_t	along;
223 	ber_len_t	len;
224 	char		*m, *e;
225 
226 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_parse_sasl_bind_result\n", 0, 0, 0 );
227 
228 	/*
229 	 * the ldapv3 SASL bind response looks like this:
230 	 *
231 	 *	BindResponse ::= [APPLICATION 1] SEQUENCE {
232 	 *		COMPONENTS OF LDAPResult,
233 	 *		serverSaslCreds [7] OCTET STRING OPTIONAL
234 	 *	}
235 	 *
236 	 * all wrapped up in an LDAPMessage sequence.
237 	 */
238 
239 	if ( !NSLDAPI_VALID_LDAP_POINTER( ld ) ||
240 	    !NSLDAPI_VALID_LDAPMESSAGE_BINDRESULT_POINTER( res )) {
241 		return( LDAP_PARAM_ERROR );
242 	}
243 
244 	/* only ldapv3 or higher can do sasl binds */
245 	if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) {
246 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
247 		return( LDAP_NOT_SUPPORTED );
248 	}
249 
250 	if ( servercredp != NULL ) {
251 		*servercredp = NULL;
252 	}
253 
254 	ber = *(res->lm_ber);	/* struct copy */
255 
256 	/* skip past message id, matched dn, error message ... */
257 	rc = ber_scanf( &ber, "{iaa}", &along, &m, &e );
258 
259 	if ( rc != LBER_ERROR &&
260 	    ber_peek_tag( &ber, &len ) == LDAP_TAG_SASL_RES_CREDS ) {
261 		rc = ber_get_stringal( &ber, servercredp );
262 	}
263 
264 	if ( freeit ) {
265 		ldap_msgfree( res );
266 	}
267 
268 	if ( rc == LBER_ERROR ) {
269 		err = LDAP_DECODING_ERROR;
270 	} else {
271 		err = (int) along;
272 	}
273 
274 	LDAP_SET_LDERRNO( ld, err, m, e );
275 	/* this is a little kludge for the 3.0 Barracuda/hammerhead relese */
276 	/* the docs state that the return is either LDAP_DECODING_ERROR */
277 	/* or LDAP_SUCCESS.  Here we match the docs...  it's cleaner in 3.1 */
278 
279 	if ( LDAP_DECODING_ERROR == err ) {
280 		return (LDAP_DECODING_ERROR);
281 	} else {
282 		return( LDAP_SUCCESS );
283 	}
284 }
285