From 6119ad729476ac1f4943f7848c0c88f367aff83a Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Wed, 15 Dec 2010 00:59:42 +0000
Subject: [PATCH] Misc vc updates
---
 include/ldap.h | 5 ++++-
 libraries/libldap/vc.c | 42 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/include/ldap.h b/include/ldap.h
index 8e7f796eb8..bdf4cd90e3 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -388,7 +388,9 @@ typedef struct ldapcontrol {
 #define LDAP_EXOP_VERIFY_CREDENTIALS "1.3.6.1.4.1.4203.666.6.5"
 #define LDAP_EXOP_X_VERIFY_CREDENTIALS LDAP_EXOP_VERIFY_CREDENTIALS
-#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ((ber_tag_t) 0x80U)
+#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS ((ber_tag_t) 0x81U)
+#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID ((ber_tag_t) 0x82U)
 #define LDAP_EXOP_WHO_AM_I "1.3.6.1.4.1.4203.1.11.3" /* RFC 4532 */
 #define LDAP_EXOP_X_WHO_AM_I LDAP_EXOP_WHO_AM_I
@@ -2244,6 +2246,7 @@ ldap_verify_credentials_s LDAP_P((
 struct berval *cred,
 LDAPControl **serverctrls,
 LDAPControl **clientctrls,
+ struct berval **scookie,
 struct berval **servercredp,
 struct berval **authzid ));
diff --git a/libraries/libldap/vc.c b/libraries/libldap/vc.c
index 9e51c60e81..ee369a1761 100644
--- a/libraries/libldap/vc.c
+++ b/libraries/libldap/vc.c
@@ -45,6 +45,7 @@
 * VCRequest ::= SEQUENCE {
 * Cookie [0] OCTET STRING OPTIONAL,
 * serverSaslCreds [1] OCTET STRING OPTIONAL
+ * authzid [2] OCTET STRING OPTIONAL
 * }
 *
 */
@@ -52,12 +53,13 @@
 int ldap_parse_verify_credentials(
 LDAP *ld,
 LDAPMessage *res,
- struct berval **servercred,
+ struct berval **cookie,
+ struct berval **screds,
 struct berval **authzid)
 {
 int rc;
 char *retoid = NULL;
- struct berval *reqdata = NULL;
+ struct berval *retdata = NULL;
 assert(ld != NULL);
 assert(LDAP_VALID(ld));
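Review bot: In the `ldap_verify_credentials_s` prototype in include/ldap.h, the new `scookie` argument joins two other `struct berval **` out-parameters with nothing saying who owns what comes back. The parser in vc.c fills them through the ber_scanf `O` format, which allocates a `struct berval`, so callers need to be told to release each non-NULL result. I would add above the declaration: `/* *scookie, *servercredp and *authzid are allocated by the library; free each non-NULL value with ber_bvfree() */`. The prototype starts before this hunk.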
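Review bot: In the ASN.1 comment in libraries/libldap/vc.c, the `serverSaslCreds [1] OCTET STRING OPTIONAL` line now needs a trailing comma, because `authzid [2]` follows it in the same SEQUENCE. The sequence is also headed `VCRequest`, while these three fields are what `ldap_parse_verify_credentials` reads out of the extended result; if the comment is meant to describe the response, the heading should say so. The comment block starts above the hunk, so the heading may be explained there.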
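Review bot: `ldap_parse_verify_credentials` now takes five arguments in vc.c, but the two ldap.h hunks in this patch only touch `ldap_verify_credentials_s`, and the diffstat shows no other header change. If ldap.h also declares the parse function, that declaration keeps the old four-argument form and needs the same `struct berval **cookie,` line ahead of the server-credentials argument; that part of the header is not visible here. The function body continues past this hunk.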
@@ -66,13 +68,44 @@ int ldap_parse_verify_credentials(
 *authzid = NULL;
- rc = ldap_parse_extended_result(ld, res, &retoid, &reqdata, 0);
+ rc = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
 if( rc != LDAP_SUCCESS ) {
 ldap_perror(ld, "ldap_parse_whoami");
 return rc;
 }
+ if (retdata) {
+ ber_tag_t tag;
+ ber_len_t len;
+ BerElement * ber = ber_init(retdata);
+ if (!ber) {
+ rc = ld->ld_errno = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ ber_scanf(ber, "{" /*"}"*/);
+
+ tag = ber_peek_tag(ber, &len);
+ if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE) {
+ ber_scanf(ber, "O", cookie);
+ tag = ber_peek_tag(ber, &len);
+ }
+
+ if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS) {
+ ber_scanf(ber, "O", screds);
+ tag = ber_peek_tag(ber, &len);
+ }
+
+ if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID) {
+ ber_scanf(ber, "O", authzid);
+ }
+
+ ber_free(ber, 1);
+ }
+
+done:
+ ber_bvfree(retdata);
 ber_memfree(retoid);
 return rc;
 }
@@ -145,6 +178,7 @@ ldap_verify_credentials_s(
 struct berval *cred,
 LDAPControl **sctrls,
 LDAPControl **cctrls,
+ struct berval **scookie,
 struct berval **scred,
 struct berval **authzid)
 {
@@ -159,7 +193,7 @@ ldap_verify_credentials_s(
 return ld->ld_errno;
 }
- rc = ldap_parse_verify_credentials(ld, res, scookie, scred, authzid);
+ rc = ldap_parse_verify_credentials(ld, res, scookie, scred, authzid);
 if (rc != LDAP_SUCCESS) {
 ldap_msgfree(res);
 return rc;
--
2.39.5
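Review bot: In the new `if (retdata)` block of `ldap_parse_verify_credentials`, none of the `ber_scanf` calls has its return value checked, so a truncated or malformed response value from the server still yields `LDAP_SUCCESS` with whatever subset of fields happened to decode. Separately, the patch only shows `*authzid` being set to NULL before parsing; `*cookie` and `*screds` keep whatever the caller passed when their tags are absent, which can lead the caller to free an uninitialised pointer. The sketch below clears all three outputs and maps a decode failure to `LDAP_DECODING_ERROR`; it assumes `cookie` and `screds` must be non-NULL, as `authzid` already must be. On a decode error after an earlier field was read, the caller still owns any non-NULL output and should release it with `ber_bvfree()`.

```c
	*authzid = NULL;
	*cookie = NULL;
	*screds = NULL;

	/* … unchanged: ldap_parse_extended_result() call and its error return … */

	if (retdata) {
		/* … unchanged: tag/len declarations, ber_init() and its NULL check … */

		if (ber_scanf(ber, "{" /*"}"*/) == LBER_ERROR) {
			rc = ld->ld_errno = LDAP_DECODING_ERROR;
			goto ber_done;
		}

		tag = ber_peek_tag(ber, &len);
		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE) {
			if (ber_scanf(ber, "O", cookie) == LBER_ERROR) {
				rc = ld->ld_errno = LDAP_DECODING_ERROR;
				goto ber_done;
			}
			tag = ber_peek_tag(ber, &len);
		}

		/* … same LBER_ERROR check on the "O" reads into screds and authzid … */

ber_done:
		ber_free(ber, 1);
	}

	/* … unchanged: done: label, ber_bvfree(retdata), ber_memfree(retoid), return rc … */
```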