xref: /illumos-gate/usr/src/lib/libldap5/sources/ldap/common/digest_md5.c (revision 1da57d55)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Copyright (c) 1998-1999 Innosoft International, Inc.  All Rights Reserved.
 *
 * Copyright (c) 1996-1997 Critical Angle Inc. All Rights Reserved.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>
#include <md5.h>
#include <sys/time.h>

#include "lber.h"
#include "ldap.h"
#include "ldap-int.h"

/*
 * DIGEST-MD5 SASL Mechanism
 */

/* use this instead of "const unsigned char" to eliminate compiler warnings */
typedef /* const */ unsigned char CONST_UCHAR;

/* size of a digest result */
#define	DIGEST_SIZE	 16

/* size of a digest hex string */
#define	DIGEST_HEX_SIZE (DIGEST_SIZE * 2 + 1)

/*
 * extra bytes which a client response needs in addition to size of
 * server challenge */
#define	DIGEST_CLIENT_EXTRA (DIGEST_HEX_SIZE + 128)

/* erase a digest_attrs_t structure */
#define	digest_clear(attrs) memset((attrs), 0, sizeof (digest_attrs_t))

/*
 * broken-out digest attributes (with quotes removed)
 *  probably not NUL terminated.
 */
typedef struct {
	const char *realm, *nonce, *cnonce, *qop, *user, *resp, *dom;
	const char *max, *stale, *ncount, *uri, *charset;
	int rlen, nlen, clen, qlen, ulen, resplen, dlen;
	int mlen, slen, nclen, urilen, charsetlen;
	char ncbuf[9];
} digest_attrs_t;

static const char hextab[] = "0123456789abcdef";
static CONST_UCHAR colon[] = ":";

/*
 * Make a nonce (NUL terminated)
 *  buf	-- buffer for result
 *  maxlen -- max length of result
 * returns final length or -1 on error
 */
static int
digest_nonce(char *buf, int maxlen)
{
	/*
	 * it shouldn't matter too much if two threads step on this counter
	 * at the same time, but mutexing it wouldn't hurt
	 */
	static int counter;
	char *dst;
	int len;
	struct chal_info {
		time_t mytime;
		unsigned char digest[16];
	} cinfo;
	MD5_CTX ctx;
	long r;
	static int set_rand = 0;
	unsigned char *p;
	int j;
	int fd;
	int got_random;

	/* initialize challenge */
	if (maxlen < 2 * sizeof (cinfo))
		return (-1);
	dst = buf;

	/* get a timestamp */
	time(&cinfo.mytime);

	/* get some randomness */

	got_random = 0;
	fd = open("/dev/urandom", O_RDONLY);
	if (fd != -1) {
	    got_random =
		(read(fd, &r, sizeof (r)) == sizeof (r));
	    close(fd);
	}

	if (!got_random) {
	    if (set_rand == 0) {
		struct timeval tv;

		r = cinfo.mytime - (getpid() *65536) + (random() & 0xffff);

		gettimeofday(&tv, NULL);
		r ^= tv.tv_usec;
		r ^= gethostid();

		srandom(r);
		set_rand = 1;
	    }

	    r = random();
	}

	MD5Init(&ctx);
	MD5Update(&ctx, (unsigned char *) &r, sizeof (r));
	MD5Update(&ctx, (unsigned char *) &counter, sizeof (counter));
	++counter;
	MD5Final(cinfo.digest, &ctx);

	/* compute hex for result */
	for (j = 0, p = (unsigned char *)&cinfo; j < sizeof (cinfo); ++j) {
		dst[j * 2]	= hextab[p[j] >> 4];
		dst[j * 2 + 1]	= hextab[p[j] & 0xf];
	}

	/* take the entire time_t, plus at least 6 bytes of MD5 output */
	len = ((sizeof (time_t) + 6) * 2);
	dst += len;
	maxlen -= len;

	*dst = '\0';

	return (dst - buf);
}

/*
 * if the string is entirely in the 8859-1 subset of UTF-8, then translate
 * to 8859-1 prior to MD5
 */
static void
MD5_UTF8_8859_1(MD5_CTX *ctx, CONST_UCHAR *base, int len)
{
	CONST_UCHAR *scan, *end;
	unsigned char cbuf;

	end = base + len;
	for (scan = base; scan < end; ++scan) {
		if (*scan > 0xC3) break; /* abort if outside 8859-1 */
		if (*scan >= 0xC0 && *scan <= 0xC3) {
		    if (++scan == end || *scan < 0x80 || *scan > 0xBF) break;
		}
	}
	/* if we found a character outside 8859-1, don't alter string */
	if (scan < end) {
		MD5Update(ctx, base, len);
		return;
	}

	/* convert to 8859-1 prior to applying hash */
	do {
		for (scan = base; scan < end && *scan < 0xC0; ++scan)
			;
		if (scan != base) MD5Update(ctx, base, scan - base);
		if (scan + 1 >= end) break;
		cbuf = ((scan[0] & 0x3) << 6) | (scan[1] & 0x3f);
		MD5Update(ctx, &cbuf, 1);
		base = scan + 2;
	} while (base < end);
}

/*
 * Compute MD5( "<user>:<realm>:<pass>" )
 *  if use8859_1 is non-zero, then user/realm is 8859-1 charset
 *  if supplied lengths are 0, strlen() is used
 *  places result in hash_pass (of size DIGEST_SIZE) and returns it.
 */
static unsigned char *
digest_hash_pass(const char *user, int ulen, const char *realm, int rlen,
		const char *pass, int passlen, int use8859_1,
		unsigned char *hash_pass)
{
	MD5_CTX ctx;

	MD5Init(&ctx);
	if (ulen == 0) ulen = strlen(user);
	if (use8859_1) {
		MD5Update(&ctx, (CONST_UCHAR *) user, ulen);
	} else {
		MD5_UTF8_8859_1(&ctx, (CONST_UCHAR *) user, ulen);
	}
	MD5Update(&ctx, colon, 1);
	if (rlen == 0) rlen = strlen(realm);
	if (use8859_1) {
		MD5Update(&ctx, (CONST_UCHAR *) realm, rlen);
	} else {
		MD5_UTF8_8859_1(&ctx, (CONST_UCHAR *) realm, rlen);
	}
	MD5Update(&ctx, colon, 1);
	if (passlen == 0) passlen = strlen(pass);
	MD5Update(&ctx, (CONST_UCHAR *) pass, passlen);
	MD5Final(hash_pass, &ctx);

	return (hash_pass);
}

/*
 * Compute MD5("<hash_pass>:<nonce>:<cnonce>")
 * places result in hash_a1 and returns hash_a1
 * note that hash_pass and hash_a1 may be the same
 */
static unsigned char *
digest_hash_a1(const digest_attrs_t *attr, CONST_UCHAR *hash_pass,
		unsigned char *hash_a1)
{
	MD5_CTX ctx;

	MD5Init(&ctx);
	MD5Update(&ctx, hash_pass, DIGEST_SIZE);
	MD5Update(&ctx, colon, 1);
	MD5Update(&ctx, (CONST_UCHAR *) attr->nonce, attr->nlen);
	MD5Update(&ctx, colon, 1);
	MD5Update(&ctx, (CONST_UCHAR *) attr->cnonce, attr->clen);
	MD5Final(hash_a1, &ctx);

	return (hash_a1);
}

/*
 * calculate hash response for digest auth.
 *  outresp must be buffer of at least DIGEST_HEX_SIZE
 *  outresp and hex_int may be the same
 *  method may be NULL if mlen is 0
 */
static void
digest_calc_resp(const digest_attrs_t *attr,
		CONST_UCHAR *hash_a1, const char *method, int mlen,
		CONST_UCHAR *hex_int, char *outresp)
{
	static CONST_UCHAR defncount[] = ":00000001:";
	static CONST_UCHAR empty_hex_int[] =
			"00000000000000000000000000000000";
	MD5_CTX ctx;
	unsigned char resp[DIGEST_SIZE];
	unsigned char *hex_a1 = (unsigned char *) outresp;
	unsigned char *hex_a2 = (unsigned char *) outresp;
	unsigned j;

	/* compute hash of A2 and put in resp */
	MD5Init(&ctx);
	if (mlen == 0 && method != NULL) mlen = strlen(method);
	if (mlen) MD5Update(&ctx, (CONST_UCHAR *) method, mlen);
	MD5Update(&ctx, colon, 1);
	if (attr->urilen != 0) {
		MD5Update(&ctx, (CONST_UCHAR *) attr->uri, attr->urilen);
	}
	if (attr->qlen != 4 || strncasecmp(attr->qop, "auth", 4) != 0) {
		MD5Update(&ctx, colon, 1);
	if (hex_int == NULL) hex_int = empty_hex_int;
		MD5Update(&ctx, hex_int, DIGEST_SIZE * 2);
	}
	MD5Final(resp, &ctx);

	/* compute hex_a1 from hash_a1 */
	for (j = 0; j < DIGEST_SIZE; ++j) {
		hex_a1[j * 2]	 = hextab[hash_a1[j] >> 4];
		hex_a1[j * 2 + 1] = hextab[hash_a1[j] & 0xf];
	}

	/* compute response */
	MD5Init(&ctx);
	MD5Update(&ctx, hex_a1, DIGEST_SIZE * 2);
	MD5Update(&ctx, colon, 1);
	MD5Update(&ctx, (CONST_UCHAR *) attr->nonce, attr->nlen);
	if (attr->ncount != NULL) {
		MD5Update(&ctx, colon, 1);
		MD5Update(&ctx, (CONST_UCHAR *) attr->ncount, attr->nclen);
		MD5Update(&ctx, colon, 1);
	} else {
		MD5Update(&ctx, defncount, sizeof (defncount) - 1);
	}
	MD5Update(&ctx, (CONST_UCHAR *) attr->cnonce, attr->clen);
	MD5Update(&ctx, colon, 1);
	MD5Update(&ctx, (CONST_UCHAR *) attr->qop, attr->qlen);
	MD5Update(&ctx, colon, 1);

	/* compute hex_a2 from hash_a2 */
	for (j = 0; j < DIGEST_SIZE; ++j) {
		hex_a2[j * 2]	 = hextab[resp[j] >> 4];
		hex_a2[j * 2 + 1] = hextab[resp[j] & 0xf];
	}
	MD5Update(&ctx, hex_a2, DIGEST_SIZE * 2);
	MD5Final(resp, &ctx);

	/* generate hex output */
	for (j = 0; j < DIGEST_SIZE; ++j) {
		outresp[j * 2]	 = hextab[resp[j] >> 4];
		outresp[j * 2 + 1] = hextab[resp[j] & 0xf];
	}
	outresp[DIGEST_SIZE * 2] = '\0';
	memset(resp, 0, sizeof (resp));
}

/*
 * generate the client response from attributes
 *  either one of hash_pass and hash_a1 may be NULL
 *  hash_a1 is used on re-authentication and takes precedence over hash_pass
 */
static int
digest_client_resp(const char *method, int mlen,
		CONST_UCHAR *hash_pass, CONST_UCHAR *hash_a1,
		digest_attrs_t *attr, /* in/out attributes */
		char *outbuf, int maxout, int *plen)
{
#define	prefixsize (sizeof (prefix) - 4 * 4 - 1)
#define	suffixsize (sizeof (rstr) + sizeof (qstr) - 1 + DIGEST_SIZE * 2)
	static const char prefix[] =
	"username=\"%.*s\",realm=\"%.*s\",nonce=\"%.*s\",nc=%.*s,cnonce=\"";
	static const char rstr[] = "\",response=";
	static const char qstr[] = ",qop=auth";
	static const char chstr[] = "charset=";
	char *scan;
	int len;
	char hexbuf[DIGEST_HEX_SIZE];
	unsigned char hashbuf[DIGEST_SIZE];

	/* make sure we have mandatory attributes */
	if (attr->nonce == NULL || attr->nlen == 0 ||
	    attr->realm == NULL || attr->rlen == 0 ||
	    attr->qop == NULL || attr->qlen == 0 ||
	    (attr->nclen != 0 && attr->nclen != 8)) {
		return (-5);
	}
	if (mlen != 0 && method == NULL)
		return (-7);

	/* initialize ncount */
	if (attr->ncount == NULL) {
		strcpy(attr->ncbuf, "00000001");
		attr->ncount = attr->ncbuf;
		attr->nclen = 8;
	} else if (attr->ncount == attr->ncbuf) {
		/* increment ncount */
		scan = attr->ncbuf + 7;
		while (scan >= attr->ncbuf) {
			if (*scan == '9') {
				*scan = 'a';
				break;
			} else if (*scan != 'f') {
				++*scan;
				break;
			}
			*scan = '0';
			--scan;
		}
	}

	/* sanity check length */
	len = prefixsize + attr->ulen + attr->rlen + attr->nlen + attr->nclen;
	if (attr->charsetlen > 0) {
		/* includes 1 for a comma */
		len += sizeof (chstr) + attr->charsetlen;
	}
	if (len + suffixsize >= maxout)
		return (-3);

	scan = outbuf;

	/* charset */
	if (attr->charsetlen > 0 && attr->charset != NULL) {
		memcpy(scan, chstr, sizeof (chstr) - 1);
		scan += sizeof (chstr) - 1;
		memcpy(scan, attr->charset, attr->charsetlen);
		scan += attr->charsetlen;
		*scan++ = ',';
	}

	/* generate string up to the client nonce */
	sprintf(scan, prefix, attr->ulen, attr->user,
		attr->rlen, attr->realm, attr->nlen, attr->nonce,
		attr->nclen, attr->ncount);
	scan = outbuf + len;

	/* generate client nonce */
	len = digest_nonce(scan, maxout - (scan - outbuf));
	if (len < 0)
		return (len);
	attr->cnonce = scan;
	attr->clen = len;
	scan += len;
	if (scan - outbuf + suffixsize > maxout)
		return (-3);

	/* compute response */
	if (hash_a1 == NULL) {
		if (hash_pass == NULL)
			return (-7);
		hash_a1 = digest_hash_a1(attr, hash_pass, hashbuf);
	}
	digest_calc_resp(attr, hash_a1, method, mlen, NULL, hexbuf);

	/* finish it */
	memcpy(scan, rstr, sizeof (rstr) - 1);
	scan += sizeof (rstr) - 1;
	memcpy(scan, hexbuf, DIGEST_SIZE * 2);
	attr->resp = scan;
	attr->resplen = DIGEST_SIZE * 2;
	scan += DIGEST_SIZE * 2;
	memcpy(scan, qstr, sizeof (qstr));

	/* set final length */
	if (plen != NULL) *plen = scan - outbuf + sizeof (qstr) - 1;

	return (0);
}

#define	lstreqcase(conststr, val, len) ((len) == sizeof (conststr) - 1 && \
		strncasecmp((conststr), (val), sizeof (conststr) - 1) == 0)

/* parse a digest auth string */
static int
digest_parse(const char *str, int len, digest_attrs_t *attr_out)
{
	static const char rstr[] = "realm";
	static const char nstr[] = "nonce";
	static const char cstr[] = "cnonce";
	static const char qstr[] = "qop";
	static const char ustr[] = "username";
	static const char respstr[] = "response";
	static const char dstr[] = "domain";
	static const char mstr[] = "maxbuf";
	static const char sstr[] = "stale";
	static const char ncstr[] = "nc";
	static const char uristr[] = "digest-uri";
	static const char charsetstr[] = "charset";
	const char *scan, *attr, *val, *end;
	int alen, vlen;

	if (len == 0) len = strlen(str);
	scan = str;
	end = str + len;
	for (;;) {
		/* skip over commas */
		while (scan < end && (*scan == ',' || isspace(*scan))) ++scan;
		/* parse attribute */
		attr = scan;
		while (scan < end && *scan != '=') ++scan;
		alen = scan - attr;
		if (!alen || scan == end || scan + 1 == end) {
			return (-5);
		}

		/* parse value */
		if (scan[1] == '"') {
			scan += 2;
			val = scan;
			while (scan < end && *scan != '"') {
				/* skip over "\" quoting, but don't remove it */
				if (*scan == '\\') {
					if (scan + 1 == end)
						return (-5);
					scan += 2;
				} else {
					++scan;
				}
			}
			vlen = scan - val;
			if (*scan != '"')
				return (-5);
			++scan;
		} else {
			++scan;
			val = scan;
			while (scan < end && *scan != ',') ++scan;
			vlen = scan - val;
		}
		if (!vlen)
			return (-5);

		/* lookup the attribute */
		switch (*attr) {
		    case 'c':
		    case 'C':
			if (lstreqcase(cstr, attr, alen)) {
				attr_out->cnonce = val;
				attr_out->clen = vlen;
			}
			if (lstreqcase(charsetstr, attr, alen)) {
				attr_out->charset = val;
				attr_out->charsetlen = vlen;
			}
			break;
		    case 'd':
		    case 'D':
			if (lstreqcase(dstr, attr, alen)) {
				attr_out->dom = val;
				attr_out->dlen = vlen;
			}
			if (lstreqcase(uristr, attr, alen)) {
				attr_out->uri = val;
				attr_out->urilen = vlen;
			}
			break;
		    case 'm':
		    case 'M':
			if (lstreqcase(mstr, attr, alen)) {
				attr_out->max = val;
				attr_out->mlen = vlen;
			}
			break;
		    case 'n':
		    case 'N':
			if (lstreqcase(nstr, attr, alen)) {
				attr_out->nonce = val;
				attr_out->nlen = vlen;
			}
			if (lstreqcase(ncstr, attr, alen)) {
				attr_out->ncount = val;
				attr_out->nclen = vlen;
			}
			break;
		    case 'q':
		    case 'Q':
			if (lstreqcase(qstr, attr, alen)) {
				attr_out->qop = val;
				attr_out->qlen = vlen;
			}
			break;
		    case 'r':
		    case 'R':
			if (lstreqcase(rstr, attr, alen)) {
				attr_out->realm = val;
				attr_out->rlen = vlen;
			}
			if (lstreqcase(respstr, attr, alen)) {
				attr_out->resp = val;
				attr_out->resplen = vlen;
			}
			break;
		    case 's':
		    case 'S':
			if (lstreqcase(sstr, attr, alen)) {
				attr_out->stale = val;
				attr_out->slen = vlen;
			}
			break;
		    case 'u':
		    case 'U':
			if (lstreqcase(ustr, attr, alen)) {
				attr_out->user = val;
				attr_out->ulen = vlen;
			}
			break;
		}

		/* we should be at the end of the string or a comma */
		if (scan == end) break;
		if (*scan != ',')
			return (-5);
	}

	return (0);
}

static int ldap_digest_md5_encode(
	const char *challenge,
	const char *username,
	const char *passwd,
	char **digest
)
{
	unsigned char hash_pass[DIGEST_SIZE];
	digest_attrs_t attrs;
	char *outbuf;
	int outlen;
	int ret;

	/* validate args */
	if (challenge == NULL || username == NULL || passwd == NULL) {
		return (LDAP_PARAM_ERROR);
	}

	/* parse the challenge */
	digest_clear(&attrs);
	ret = digest_parse(challenge, 0, &attrs);
	if (ret != 0)
		return (LDAP_DECODING_ERROR);

	/* server MUST specify support for charset=utf-8 */
	if (attrs.charsetlen != 5 ||
	    strncasecmp(attrs.charset, "utf-8", 5) != 0) {
		LDAPDebug(LDAP_DEBUG_TRACE,
			"server did not specify charset=utf-8\n",
			0, 0, 0);
		return (LDAP_NOT_SUPPORTED);
	}

	/* set up digest attributes */
	attrs.user = username;
	attrs.ulen = strlen(attrs.user);

	/* allocate the output buffer */
	outlen = strlen(challenge) + DIGEST_CLIENT_EXTRA + 1;
	outbuf = (char *)malloc(outlen);
	if (outbuf == NULL)
		return (LDAP_NO_MEMORY);

	/* hash the password */
	digest_hash_pass(username, 0, attrs.realm, attrs.rlen,
				passwd, 0, 0, hash_pass),

	/* create the response */
	ret = digest_client_resp("AUTHENTICATE", 12, hash_pass, NULL,
			&attrs, outbuf, outlen, &outlen);
	memset(hash_pass, 0, DIGEST_SIZE);
	if (ret != 0) {
		free(outbuf);
		return (LDAP_DECODING_ERROR);
	}

	/* null terminate the response */
	*(outbuf+outlen) = '\0';

	*digest = outbuf;
	return (LDAP_SUCCESS);
}

int ldap_x_sasl_digest_md5_bind_s(
	LDAP *ld,
	char *user_name,
	struct berval *cred,
	LDAPControl **serverctrls,
	LDAPControl **clientctrls)
{
	struct berval	*challenge = NULL;
	int		errnum;
	char		*digest = NULL;
	struct berval	resp;

	LDAPDebug(LDAP_DEBUG_TRACE, "ldap_x_sasl_digest_md5_bind_s\n", 0, 0, 0);

	/* Add debug */
	if (ld == NULL || user_name == NULL || cred == NULL ||
	    cred->bv_val == NULL)
		return (LDAP_PARAM_ERROR);

	if (ld->ld_version < LDAP_VERSION3)
		return (LDAP_PARAM_ERROR);

	errnum = ldap_sasl_bind_s(ld, NULL, LDAP_SASL_DIGEST_MD5,
		NULL, serverctrls, clientctrls, &challenge);

	if (errnum == LDAP_SASL_BIND_IN_PROGRESS) {
		if (challenge != NULL) {
			LDAPDebug(LDAP_DEBUG_TRACE,
				"SASL challenge: %s\n",
				challenge->bv_val, 0, 0);
			errnum = ldap_digest_md5_encode(challenge->bv_val,
				user_name, cred->bv_val, &digest);
			ber_bvfree(challenge);
			challenge = NULL;
			if (errnum == LDAP_SUCCESS) {
				resp.bv_val = digest;
				resp.bv_len = strlen(digest);
				LDAPDebug(LDAP_DEBUG_TRACE,
					"SASL reply: %s\n",
					digest, 0, 0);
				errnum = ldap_sasl_bind_s(ld, NULL,
					LDAP_SASL_DIGEST_MD5, &resp,
					serverctrls, clientctrls, &challenge);
				free(digest);
			}
			if (challenge != NULL)
				ber_bvfree(challenge);
		} else {
			errnum = LDAP_NO_MEMORY; /* TO DO: What val? */
		}
	}

	LDAP_MUTEX_LOCK(ld, LDAP_ERR_LOCK);
	ld->ld_errno = errnum;
	LDAP_MUTEX_UNLOCK(ld, LDAP_ERR_LOCK);
	return (errnum);
}

static int
sasl_digest_md5_bind_1(
	LDAP *ld,
	char *user_name,
	LDAPControl **serverctrls,
	LDAPControl **clientctrls,
	int *msgidp)
{
	if (ld == NULL || user_name == NULL || msgidp == NULL)
		return (LDAP_PARAM_ERROR);

	if (ld->ld_version < LDAP_VERSION3)
		return (LDAP_PARAM_ERROR);

	return (ldap_sasl_bind(ld, NULL, LDAP_SASL_DIGEST_MD5,
		NULL, serverctrls, clientctrls, msgidp));
}

static int
sasl_digest_md5_bind_2(
	LDAP *ld,
	char *user_name,
	struct berval *cred,
	LDAPControl **serverctrls,
	LDAPControl **clientctrls,
	LDAPMessage *result,
	int *msgidp)
{
	struct berval	*challenge = NULL;
	struct berval	resp;
	int		errnum;
	char		*digest = NULL;
	int		err;

	if (ld == NULL || user_name == NULL || cred == NULL ||
	    cred->bv_val == NULL || result == NULL || msgidp == NULL)
		return (LDAP_PARAM_ERROR);

	if (ld->ld_version < LDAP_VERSION3)
		return (LDAP_PARAM_ERROR);

	err = ldap_result2error(ld, result, 0);
	if (err != LDAP_SASL_BIND_IN_PROGRESS)
		return (err);

	if ((err = ldap_parse_sasl_bind_result(ld, result, &challenge, 0))
			!= LDAP_SUCCESS)
		return (err);
	if (challenge == NULL)
		return (LDAP_NO_MEMORY);

	err = ldap_digest_md5_encode(challenge->bv_val,
			user_name, cred->bv_val, &digest);
	ber_bvfree(challenge);

	if (err == LDAP_SUCCESS) {
		resp.bv_val = digest;
		resp.bv_len = strlen(digest);
		LDAPDebug(LDAP_DEBUG_TRACE, "SASL reply: %s\n",
			digest, 0, 0);
		err = ldap_sasl_bind(ld, NULL, LDAP_SASL_DIGEST_MD5,
			&resp, serverctrls, clientctrls, msgidp);
		free(digest);
	}
	return (err);
}

int ldap_x_sasl_digest_md5_bind(
	LDAP *ld,
	char *user_name,
	struct berval *cred,
	LDAPControl **serverctrls,
	LDAPControl **clientctrls,
	struct timeval *timeout,
	LDAPMessage **result)
{
	LDAPMessage	*res = NULL;
	int		msgid;
	int		rc;

	if (ld == NULL || user_name == NULL || cred == NULL ||
		result == NULL)
		return (LDAP_PARAM_ERROR);

	if (ld->ld_version < LDAP_VERSION3)
		return (LDAP_PARAM_ERROR);

	*result = NULL;

	rc = sasl_digest_md5_bind_1(ld, user_name,
		serverctrls, clientctrls, &msgid);
	if (rc != LDAP_SUCCESS)
		return (rc);

	rc = ldap_result(ld, msgid, 1, timeout, &res);
	if (rc == -1) {
		if (res != NULL)
			ldap_msgfree(res);
		return (ldap_get_lderrno(ld, NULL, NULL));
	}
	rc = ldap_result2error(ld, res, 0);
	if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
		*result = res;
		return (rc);
	}

	rc = sasl_digest_md5_bind_2(ld, user_name, cred,
		serverctrls, clientctrls, res, &msgid);
	ldap_msgfree(res);
	res = NULL;

	if (rc != LDAP_SUCCESS)
		return (rc);

	rc = ldap_result(ld, msgid, 1, timeout, &res);
	if (rc == -1) {
		if (res != NULL)
			ldap_msgfree(res);
		return (ldap_get_lderrno(ld, NULL, NULL));
	}
	*result = res;
	rc = ldap_result2error(ld, res, 0);
	return (rc);
}