1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
3*0Sstevel@tonic-gate  * Use is subject to license terms.
4*0Sstevel@tonic-gate  */
5*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
6*0Sstevel@tonic-gate 
7*0Sstevel@tonic-gate /* Plain SASL plugin
8*0Sstevel@tonic-gate  * Rob Siemborski
9*0Sstevel@tonic-gate  * Tim Martin
10*0Sstevel@tonic-gate  * $Id: plain.c,v 1.61 2003/03/26 17:18:04 rjs3 Exp $
11*0Sstevel@tonic-gate  */
12*0Sstevel@tonic-gate 
13*0Sstevel@tonic-gate /*
14*0Sstevel@tonic-gate  * Copyright (c) 1998-2003 Carnegie Mellon University.  All rights reserved.
15*0Sstevel@tonic-gate  *
16*0Sstevel@tonic-gate  * Redistribution and use in source and binary forms, with or without
17*0Sstevel@tonic-gate  * modification, are permitted provided that the following conditions
18*0Sstevel@tonic-gate  * are met:
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * 1. Redistributions of source code must retain the above copyright
21*0Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer.
22*0Sstevel@tonic-gate  *
23*0Sstevel@tonic-gate  * 2. Redistributions in binary form must reproduce the above copyright
24*0Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer in
25*0Sstevel@tonic-gate  *    the documentation and/or other materials provided with the
26*0Sstevel@tonic-gate  *    distribution.
27*0Sstevel@tonic-gate  *
28*0Sstevel@tonic-gate  * 3. The name "Carnegie Mellon University" must not be used to
29*0Sstevel@tonic-gate  *    endorse or promote products derived from this software without
30*0Sstevel@tonic-gate  *    prior written permission. For permission or any other legal
31*0Sstevel@tonic-gate  *    details, please contact
32*0Sstevel@tonic-gate  *      Office of Technology Transfer
33*0Sstevel@tonic-gate  *      Carnegie Mellon University
34*0Sstevel@tonic-gate  *      5000 Forbes Avenue
35*0Sstevel@tonic-gate  *      Pittsburgh, PA  15213-3890
36*0Sstevel@tonic-gate  *      (412) 268-4387, fax: (412) 268-7395
37*0Sstevel@tonic-gate  *      tech-transfer@andrew.cmu.edu
38*0Sstevel@tonic-gate  *
39*0Sstevel@tonic-gate  * 4. Redistributions of any form whatsoever must retain the following
40*0Sstevel@tonic-gate  *    acknowledgment:
41*0Sstevel@tonic-gate  *    "This product includes software developed by Computing Services
42*0Sstevel@tonic-gate  *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
43*0Sstevel@tonic-gate  *
44*0Sstevel@tonic-gate  * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
45*0Sstevel@tonic-gate  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
46*0Sstevel@tonic-gate  * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
47*0Sstevel@tonic-gate  * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
48*0Sstevel@tonic-gate  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
49*0Sstevel@tonic-gate  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
50*0Sstevel@tonic-gate  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
51*0Sstevel@tonic-gate  */
52*0Sstevel@tonic-gate 
53*0Sstevel@tonic-gate #include <config.h>
54*0Sstevel@tonic-gate #include <stdio.h>
55*0Sstevel@tonic-gate #include <string.h>
56*0Sstevel@tonic-gate #include <sasl.h>
57*0Sstevel@tonic-gate #include <saslplug.h>
58*0Sstevel@tonic-gate 
59*0Sstevel@tonic-gate #include "plugin_common.h"
60*0Sstevel@tonic-gate 
61*0Sstevel@tonic-gate #ifndef _SUN_SDK_
62*0Sstevel@tonic-gate #ifdef WIN32
63*0Sstevel@tonic-gate /* This must be after sasl.h */
64*0Sstevel@tonic-gate # include "saslPLAIN.h"
65*0Sstevel@tonic-gate #endif /* WIN32 */
66*0Sstevel@tonic-gate #endif /* !_SUN_SDK_ */
67*0Sstevel@tonic-gate 
68*0Sstevel@tonic-gate #ifdef macintosh
69*0Sstevel@tonic-gate #include <sasl_plain_plugin_decl.h>
70*0Sstevel@tonic-gate #endif
71*0Sstevel@tonic-gate 
72*0Sstevel@tonic-gate /*****************************  Common Section  *****************************/
73*0Sstevel@tonic-gate 
#ifndef _SUN_SDK_
/* Embedded RCS version marker; compiled out when _SUN_SDK_ is defined. */
static const char plugin_id[] = "$Id: plain.c,v 1.61 2003/03/26 17:18:04 rjs3 Exp $";
#endif /* !_SUN_SDK_ */
77*0Sstevel@tonic-gate 
78*0Sstevel@tonic-gate /*****************************  Server Section  *****************************/
79*0Sstevel@tonic-gate 
/*
 * Create the server-side context for a PLAIN exchange.
 *
 * PLAIN keeps no per-connection state on the server, so the only work is
 * to validate conn_context and hand back NULL.  The challenge arguments
 * are unused because PLAIN is a client-first mechanism.
 *
 * Returns SASL_BADPARAM (after reporting it through sparams->utils) when
 * conn_context is NULL, SASL_OK otherwise.
 */
static int plain_server_mech_new(void *glob_context __attribute__((unused)),
				 sasl_server_params_t *sparams,
				 const char *challenge __attribute__((unused)),
				 unsigned challen __attribute__((unused)),
				 void **conn_context)
{
    int rc = SASL_BADPARAM;

    if (conn_context != NULL) {
	/* nothing to allocate: the context slot is simply cleared */
	*conn_context = NULL;
	rc = SASL_OK;
    } else {
	PARAMERROR( sparams->utils );
    }

    return rc;
}
96*0Sstevel@tonic-gate 
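/*
 * Server side of the PLAIN exchange (the single client-first message).
 *
 * clientin must hold exactly
 *     authzid NUL authcid NUL password
 * where authzid may be empty, meaning "same as authcid".  A message with
 * fewer than two NULs, or with data after the password (a third NUL), is
 * rejected with SASL_BADPROT before any credential is touched.
 *
 * On success the authentication id is canonicalized into oparams, the
 * password is verified through utils->checkpass, the authorization id is
 * canonicalized, and oparams is set up for a connection with no security
 * layer.  Nothing is ever sent back to the client.
 *
 * Returns SASL_OK, SASL_BADPROT, SASL_NOMEM, or the error returned by
 * canon_user / checkpass.
 */
static int plain_server_mech_step(void *conn_context __attribute__((unused)),
				  sasl_server_params_t *params,
				  const char *clientin,
				  unsigned clientinlen,
				  const char **serverout,
				  unsigned *serveroutlen,
				  sasl_out_params_t *oparams)
{
    const char *author;
    const char *authen;
    const char *password;
    size_t password_len;
    unsigned lup = 0;
    int result;
    char *passcopy;

    /* PLAIN has no server response */
    *serverout = NULL;
    *serveroutlen = 0;

    /* should have received author-id NUL authen-id NUL password */

    /* get author: scan to the first NUL, never past clientinlen */
    author = clientin;
    while ((lup < clientinlen) && (clientin[lup] != 0)) ++lup;

    if (lup >= clientinlen) {
#ifdef _SUN_SDK_
	params->utils->log(params->utils->conn, SASL_LOG_ERR,
		"Can only find author (no password)");
#else
	SETERROR(params->utils, "Can only find author (no password)");
#endif /* _SUN_SDK_ */
	return SASL_BADPROT;
    }

    /* get authen: skip the NUL and scan to the next one */
    ++lup;
    authen = clientin + lup;
    while ((lup < clientinlen) && (clientin[lup] != 0)) ++lup;

    if (lup >= clientinlen) {
#ifdef _SUN_SDK_
	params->utils->log(params->utils->conn, SASL_LOG_ERR,
			"Can only find author/en (no password)");
#else
	params->utils->seterror(params->utils->conn, 0,
				"Can only find author/en (no password)");
#endif /* _SUN_SDK_ */
	return SASL_BADPROT;
    }

    /* get password: everything up to the next NUL or the end of the buffer */
    lup++;
    password = clientin + lup;
    while ((lup < clientinlen) && (clientin[lup] != 0)) ++lup;

    password_len = clientin + lup - password;

    /* stopping short of clientinlen means a NUL inside the password field,
     * i.e. extra trailing data the protocol does not allow */
    if (lup != clientinlen) {
#ifdef _SUN_SDK_
	params->utils->log(params->utils->conn, SASL_LOG_ERR,
		"Got more data than we were expecting in the PLAIN plugin");
#else
	SETERROR(params->utils,
		 "Got more data than we were expecting in the PLAIN plugin\n");
#endif /* _SUN_SDK_ */
	return SASL_BADPROT;
    }

    /* The password is not NUL terminated inside clientin and we may not
       read or write past clientinlen, so make a terminated private copy
       for checkpass. */
    passcopy = params->utils->malloc(password_len + 1);
    if (passcopy == NULL) {
	MEMERROR(params->utils);
	return SASL_NOMEM;
    }

    /* The scan above guarantees no NUL within password_len bytes, so a
       plain memcpy is exact; strncpy would only add a needless NUL search
       and zero-fill semantics. */
    memcpy(passcopy, password, password_len);
    passcopy[password_len] = '\0';

    /* An empty authorization id means "act as the authenticated user".
     * Canonicalize the authentication id first, so that password
     * verification is only ever done against the canonical id. */
    if (!author || !*author)
	author = authen;

    result = params->canon_user(params->utils->conn,
				authen, 0, SASL_CU_AUTHID, oparams);
    if (result != SASL_OK) {
	/* NOTE(review): relies on _plug_free_string to scrub passcopy
	 * before freeing it -- confirm in plugin_common.c */
	_plug_free_string(params->utils, &passcopy);
	return result;
    }

    /* verify password - return sasl_ok on success*/
    result = params->utils->checkpass(params->utils->conn,
				      oparams->authid, oparams->alen,
				      passcopy, password_len);

    /* the copy is only needed for checkpass; release it on every path */
    _plug_free_string(params->utils, &passcopy);

    if (result != SASL_OK) {
#ifdef _INTEGRATED_SOLARIS_
	params->utils->seterror(params->utils->conn, 0,
				gettext("Password verification failed"));
#else
	params->utils->seterror(params->utils->conn, 0,
				"Password verification failed");
#endif /* _INTEGRATED_SOLARIS_ */
	return result;
    }

    /* Canonicalize and store the authorization ID */
    /* We need to do this after calling verify_user just in case verify_user
     * needed to get auxprops itself */
    result = params->canon_user(params->utils->conn,
				author, 0, SASL_CU_AUTHZID, oparams);
    if (result != SASL_OK) return result;

    /* Transition? Hand the verified plaintext to the library's optional
     * secret-transition hook (password is the unterminated view into
     * clientin; its length is passed explicitly). */
    if (params->transition) {
	params->transition(params->utils->conn, password, password_len);
    }

    /* set oparams: exchange complete, no security layer, no codec */
    oparams->doneflag = 1;
    oparams->mech_ssf = 0;
    oparams->maxoutbuf = 0;
    oparams->encode_context = NULL;
    oparams->encode = NULL;
    oparams->decode_context = NULL;
    oparams->decode = NULL;
    oparams->param_version = 0;

    return SASL_OK;
}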
232*0Sstevel@tonic-gate 
/*
 * Server plugin table: one entry for PLAIN.  max_ssf is 0 because the
 * mechanism offers no security layer; SASL_SEC_NOANONYMOUS advertises that
 * it always authenticates a named user; SASL_FEAT_WANT_CLIENT_FIRST makes
 * the library expect the initial message from the client;
 * SASL_FEAT_ALLOWS_PROXY permits an authzid different from the authcid.
 * The remaining callbacks are not needed by PLAIN and stay NULL.
 */
static sasl_server_plug_t plain_server_plugins[] =
{
    {
	"PLAIN",			/* mech_name */
	0,				/* max_ssf */
	SASL_SEC_NOANONYMOUS,		/* security_flags */
	SASL_FEAT_WANT_CLIENT_FIRST
	| SASL_FEAT_ALLOWS_PROXY,	/* features */
	NULL,				/* glob_context */
	&plain_server_mech_new,		/* mech_new */
	&plain_server_mech_step,	/* mech_step */
	NULL,				/* mech_dispose */
	NULL,				/* mech_free */
	NULL,				/* setpass */
	NULL,				/* user_query */
	NULL,				/* idle */
	NULL,				/* mech_avail */
	NULL				/* spare */
    }
};
253*0Sstevel@tonic-gate 
/*
 * Entry point the SASL library calls to load the PLAIN server mechanism.
 *
 * Refuses with SASL_BADVERS when the library offers a plugin ABI older
 * than SASL_SERVER_PLUG_VERSION; otherwise reports our version through
 * out_version and exposes the single-entry plain_server_plugins table.
 */
int plain_server_plug_init(const sasl_utils_t *utils,
			   int maxversion,
			   int *out_version,
			   sasl_server_plug_t **pluglist,
			   int *plugcount)
{
    int rc = SASL_BADVERS;

    if (maxversion >= SASL_SERVER_PLUG_VERSION) {
	*out_version = SASL_SERVER_PLUG_VERSION;
	*pluglist = plain_server_plugins;
	*plugcount = 1;
	rc = SASL_OK;
    } else {
	SETERROR(utils, "PLAIN version mismatch");
    }

    return rc;
}
271*0Sstevel@tonic-gate 
272*0Sstevel@tonic-gate /*****************************  Client Section  *****************************/
273*0Sstevel@tonic-gate 
/*
 * Per-connection client state.  out_buf holds the outgoing
 * authzid NUL authid NUL password message (including the password in
 * clear) and is released in plain_client_mech_dispose.
 */
typedef struct client_context {
    char *out_buf;		/* message buffer handed back via *clientout */
    unsigned out_buf_len;	/* length tracked by _plug_buf_alloc for out_buf */
#ifdef _INTEGRATED_SOLARIS_
    void *h;			/* opaque handle threaded through convert_prompt() */
#endif /* _INTEGRATED_SOLARIS_ */
} client_context_t;
281*0Sstevel@tonic-gate 
/*
 * Allocate the client-side context for a PLAIN exchange.
 *
 * The context starts zeroed: no output buffer yet (and, on
 * _INTEGRATED_SOLARIS_, no prompt-conversion handle).  Returns SASL_NOMEM
 * if the allocator fails, SASL_OK otherwise.
 */
static int plain_client_mech_new(void *glob_context __attribute__((unused)),
				 sasl_client_params_t *params,
				 void **conn_context)
{
    client_context_t *ctx = params->utils->malloc(sizeof *ctx);

    if (ctx == NULL) {
	MEMERROR( params->utils );
	return SASL_NOMEM;
    }

    memset(ctx, 0, sizeof *ctx);
    *conn_context = ctx;

    return SASL_OK;
}
301*0Sstevel@tonic-gate 
/*
 * Client side of the PLAIN exchange.
 *
 * Collects the authentication id, optional authorization id and password
 * (asking the application through prompt_need for whatever is missing),
 * then emits the single client-first message
 *     authzid NUL authid NUL password
 * in text->out_buf and marks the exchange complete.  An empty or missing
 * authorization id makes the authentication id serve as both.
 *
 * Returns SASL_INTERACT while prompts are outstanding, SASL_TOOWEAK if the
 * caller requires more security than the external layer already supplies
 * (PLAIN itself provides none), SASL_BADPARAM if no password could be
 * obtained, or a canon_user / buffer-allocation error.  serverin is
 * ignored.
 */
static int plain_client_mech_step(void *conn_context,
				  sasl_client_params_t *params,
				  const char *serverin __attribute__((unused)),
				  unsigned serverinlen __attribute__((unused)),
				  sasl_interact_t **prompt_need,
				  const char **clientout,
				  unsigned *clientoutlen,
				  sasl_out_params_t *oparams)
{
    client_context_t *text = (client_context_t *) conn_context;
    const char *user = NULL, *authid = NULL;
    sasl_secret_t *password = NULL;
    unsigned int free_password = 0; /* set if we need to free password */
    int user_result = SASL_OK;
    int auth_result = SASL_OK;
    int pass_result = SASL_OK;
    int result;

    *clientout = NULL;
    *clientoutlen = 0;

    /* doesn't really matter how the server responds */

    /* check if sec layer strong enough: PLAIN adds no protection of its
     * own, so only the externally provided SSF can satisfy min_ssf */
    if (params->props.min_ssf > params->external_ssf) {
#ifdef _INTEGRATED_SOLARIS_
	SETERROR( params->utils, gettext("SSF requested of PLAIN plugin"));
#else
	SETERROR( params->utils, "SSF requested of PLAIN plugin");
#endif /* _INTEGRATED_SOLARIS_ */
	return SASL_TOOWEAK;
    }

    /* try to get the authid (skipped if the library already set it) */
    if (oparams->authid == NULL) {
	auth_result = _plug_get_authid(params->utils, &authid, prompt_need);

	if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT))
	    return auth_result;
    }

    /* try to get the userid (authorization id; may legitimately be empty) */
    if (oparams->user == NULL) {
	user_result = _plug_get_userid(params->utils, &user, prompt_need);

	if ((user_result != SASL_OK) && (user_result != SASL_INTERACT))
	    return user_result;
    }

    /* try to get the password; free_password records whether the secret
     * was allocated for us and must be scrubbed at cleanup */
    if (password == NULL) {
	pass_result = _plug_get_password(params->utils, &password,
					 &free_password, prompt_need);

	if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT))
	    return pass_result;
    }

    /* free prompts we got */
    if (prompt_need && *prompt_need) {
	params->utils->free(*prompt_need);
	*prompt_need = NULL;
    }

    /* if there are prompts not filled in: build a fresh prompt list for
     * only the missing items and return SASL_INTERACT so the caller can
     * fill them in and re-enter this step */
    if ((user_result == SASL_INTERACT) || (auth_result == SASL_INTERACT) ||
	(pass_result == SASL_INTERACT)) {
	/* make the prompt list */
	result =
#ifdef _INTEGRATED_SOLARIS_
	    _plug_make_prompts(params->utils, &text->h, prompt_need,
			       user_result == SASL_INTERACT ?
			       convert_prompt(params->utils, &text->h,
				gettext("Please enter your authorization name"))
					: NULL,
			       NULL,
			       auth_result == SASL_INTERACT ?
			       convert_prompt(params->utils, &text->h,
			gettext("Please enter your authentication name"))
					: NULL,
			       NULL,
			       pass_result == SASL_INTERACT ?
			       convert_prompt(params->utils, &text->h,
				gettext("Please enter your password")) : NULL,
				NULL,
			       NULL, NULL, NULL,
			       NULL, NULL, NULL);
#else
	    _plug_make_prompts(params->utils, prompt_need,
			       user_result == SASL_INTERACT ?
			       "Please enter your authorization name" : NULL,
			       NULL,
			       auth_result == SASL_INTERACT ?
			       "Please enter your authentication name" : NULL,
			       NULL,
			       pass_result == SASL_INTERACT ?
			       "Please enter your password" : NULL, NULL,
			       NULL, NULL, NULL,
			       NULL, NULL, NULL);
#endif /* _INTEGRATED_SOLARIS_ */
	if (result != SASL_OK) goto cleanup;

	return SASL_INTERACT;
    }

    /* a password is mandatory for PLAIN */
    if (!password) {
	PARAMERROR(params->utils);
	return SASL_BADPARAM;
    }

    /* no (or empty) authorization id: the authid is canonicalized as both
     * authcid and authzid in one call; otherwise canonicalize each
     * separately */
    if (!user || !*user) {
	result = params->canon_user(params->utils->conn, authid, 0,
				    SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
    }
    else {
	result = params->canon_user(params->utils->conn, user, 0,
				    SASL_CU_AUTHZID, oparams);
	if (result != SASL_OK) goto cleanup;

	result = params->canon_user(params->utils->conn, authid, 0,
				    SASL_CU_AUTHID, oparams);
    }
    if (result != SASL_OK) goto cleanup;

    /* send authorized id NUL authentication id NUL password */
    *clientoutlen = (oparams->ulen + 1
		     + oparams->alen + 1
		     + password->len);

    /* remember the extra NUL on the end for stupid clients */
    result = _plug_buf_alloc(params->utils, &(text->out_buf),
			     &(text->out_buf_len), *clientoutlen + 1);
    if (result != SASL_OK) goto cleanup;

    /* zero-filling first supplies both separator NULs and the trailing one */
    memset(text->out_buf, 0, *clientoutlen + 1);
    memcpy(text->out_buf, oparams->user, oparams->ulen);
    memcpy(text->out_buf + oparams->ulen + 1, oparams->authid, oparams->alen);
    memcpy(text->out_buf + oparams->ulen + oparams->alen + 2,
	   password->data, password->len);

    /* out_buf (and thus the cleartext password) stays owned by the context
     * until plain_client_mech_dispose */
    *clientout = text->out_buf;

    /* set oparams: exchange complete, no security layer, no codec */
    oparams->doneflag = 1;
    oparams->mech_ssf = 0;
    oparams->maxoutbuf = 0;
    oparams->encode_context = NULL;
    oparams->encode = NULL;
    oparams->decode_context = NULL;
    oparams->decode = NULL;
    oparams->param_version = 0;

    result = SASL_OK;

  cleanup:
    /* free sensitive info */
    if (free_password) _plug_free_secret(params->utils, &password);

    return result;
}
462*0Sstevel@tonic-gate 
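/*
 * Release the client context created by plain_client_mech_new.
 *
 * out_buf carried the authzid NUL authid NUL password message, so it is
 * scrubbed with utils->erasebuffer before being returned to the allocator
 * rather than leaving the cleartext password behind in freed heap memory.
 * A NULL conn_context is a no-op.
 */
static void plain_client_mech_dispose(void *conn_context,
				      const sasl_utils_t *utils)
{
    client_context_t *text = (client_context_t *) conn_context;

    if (!text) return;

    if (text->out_buf) {
	/* erase the whole tracked length, not just the last message */
	utils->erasebuffer(text->out_buf, text->out_buf_len);
	utils->free(text->out_buf);
    }
#ifdef _INTEGRATED_SOLARIS_
    /* a NULL prompt releases the conversion handle */
    convert_prompt(utils, &text->h, NULL);
#endif /* _INTEGRATED_SOLARIS_ */

    utils->free(text);
}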
477*0Sstevel@tonic-gate 
/*
 * Client plugin table: one entry for PLAIN.  Flags mirror the server
 * table: no security layer (max_ssf 0), never anonymous, client sends
 * first, and proxy authorization (authzid != authcid) is allowed.
 * required_prompts is NULL because plain_client_mech_step builds its own
 * prompt list for whatever is missing.
 */
static sasl_client_plug_t plain_client_plugins[] =
{
    {
	"PLAIN",			/* mech_name */
	0,				/* max_ssf */
	SASL_SEC_NOANONYMOUS,		/* security_flags */
	SASL_FEAT_WANT_CLIENT_FIRST
	| SASL_FEAT_ALLOWS_PROXY,	/* features */
	NULL,				/* required_prompts */
	NULL,				/* glob_context */
	&plain_client_mech_new,		/* mech_new */
	&plain_client_mech_step,	/* mech_step */
	&plain_client_mech_dispose,	/* mech_dispose */
	NULL,				/* mech_free */
	NULL,				/* idle */
	NULL,				/* spare */
	NULL				/* spare */
    }
};
497*0Sstevel@tonic-gate 
/*
 * Entry point the SASL library calls to load the PLAIN client mechanism.
 *
 * Refuses with SASL_BADVERS when the library offers a plugin ABI older
 * than SASL_CLIENT_PLUG_VERSION; otherwise reports our version through
 * out_version and exposes the single-entry plain_client_plugins table.
 */
int plain_client_plug_init(sasl_utils_t *utils,
			   int maxversion,
			   int *out_version,
			   sasl_client_plug_t **pluglist,
			   int *plugcount)
{
    int rc = SASL_BADVERS;

    if (maxversion >= SASL_CLIENT_PLUG_VERSION) {
	*out_version = SASL_CLIENT_PLUG_VERSION;
	*pluglist = plain_client_plugins;
	*plugcount = 1;
	rc = SASL_OK;
    } else {
	SETERROR(utils, "PLAIN version mismatch");
    }

    return rc;
}