![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to ds_bind.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / quipu|
Return to ds_bind.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / quipu |
1.1 ! root 1: /* ds_bind.c - BindArgument Checking and Authentication */ ! 2: ! 3: #ifndef lint ! 4: static char *rcsid = "$Header: /f/osi/quipu/RCS/ds_bind.c,v 7.2 90/03/15 11:18:46 mrose Exp $"; ! 5: #endif ! 6: ! 7: /* ! 8: * $Header: /f/osi/quipu/RCS/ds_bind.c,v 7.2 90/03/15 11:18:46 mrose Exp $ ! 9: * ! 10: * ! 11: * $Log: ds_bind.c,v $ ! 12: * Revision 7.2 90/03/15 11:18:46 mrose ! 13: * quipu-sync ! 14: * ! 15: * Revision 7.1 89/12/19 16:20:13 mrose ! 16: * sync ! 17: * ! 18: * Revision 7.0 89/11/23 22:17:05 mrose ! 19: * Release 6.0 ! 20: * ! 21: */ ! 22: ! 23: /* ! 24: * NOTICE ! 25: * ! 26: * Acquisition, use, and distribution of this module and related ! 27: * materials are subject to the restrictions of a license agreement. ! 28: * Consult the Preface in the User's Manual for the full terms of ! 29: * this agreement. ! 30: * ! 31: */ ! 32: ! 33: ! 34: #include "quipu/util.h" ! 35: #include "quipu/entry.h" ! 36: #include "quipu/commonarg.h" ! 37: #include "quipu/bind.h" ! 38: #include "quipu/compare.h" ! 39: #include "quipu/dua.h" ! 40: #include "quipu/connection.h" ! 41: ! 42: extern LLog * log_dsap; ! 43: extern DN mydsadn; ! 44: struct oper_act * oper_alloc(); ! 45: ! 46: #ifndef NO_STATS ! 47: extern LLog * log_stat; ! 48: extern int dn_print (); ! 49: #endif ! 50: ! 51: int bind_window = 300; /* Tailorable timeout for credentials */ ! 52: ! 53: int ds_bind_init (cn) ! 54: struct connection * cn; ! 55: { ! 56: struct ds_bind_arg * arg = &(cn->cn_start.cs_ds.ds_bind_arg); ! 57: struct ds_bind_arg * result = &(cn->cn_start.cs_res); ! 58: struct ds_bind_error * error = &(cn->cn_start.cs_err); ! 59: Attr_Sequence as; ! 60: Entry entryptr; ! 61: extern AttributeType at_password; ! 62: extern AttributeType at_p_password; ! 63: struct di_block * dsas; ! 64: struct di_block * di_tmp; ! 65: struct oper_act * on; ! 66: struct ds_compare_arg * cma; ! 67: struct DSError err; ! 68: static struct common_args ca_def = default_common_args; ! 69: int res; ! 70: int retval; ! 71: struct protected_password * pp; ! 72: #ifndef NO_STATS ! 73: char buff[LINESIZE]; ! 74: #endif ! 75: ! 76: DLOG (log_dsap,LLOG_TRACE,("ds_bind_init")); ! 77: ! 78: ! 79: if (arg->dba_version != DBA_VERSION_V1988) ! 80: { ! 81: error->dbe_version = DBA_VERSION_V1988; ! 82: error->dbe_type = DBE_TYPE_SERVICE; ! 83: error->dbe_value = DSE_SV_UNAVAILABLE; ! 84: return(DS_ERROR_CONNECT); ! 85: } ! 86: ! 87: /* We don't support any bilaterally-defined authentication procedures. ! 88: * Hence, if we get EXTERNAL credentials in the bind, reject them. ! 89: */ ! 90: ! 91: if (arg->dba_auth_type == DBA_AUTH_EXTERNAL) ! 92: { ! 93: DLOG(log_dsap, LLOG_EXCEPTIONS, ("EXTERNAL found in credentials")); ! 94: error->dbe_version = DBA_VERSION_V1988; ! 95: error->dbe_type = DBE_TYPE_SERVICE; ! 96: error->dbe_value = DSE_SV_UNAVAILABLE; ! 97: return (DS_ERROR_CONNECT); ! 98: } ! 99: ! 100: /* If password is present, but zero length, treat as though absent */ ! 101: if ((arg->dba_auth_type == DBA_AUTH_SIMPLE) && (arg->dba_passwd_len == 0)) ! 102: arg->dba_auth_type = DBA_AUTH_NONE; ! 103: ! 104: ! 105: /* If binding as NULLDN (ie. `anonymous') don't need any authentication */ ! 106: if (arg->dba_dn == NULLDN) ! 107: { ! 108: #ifndef NO_STATS ! 109: LLOG(log_stat, LLOG_NOTICE, ("Bind (%d) (anonymous)", cn->cn_ad)); ! 110: #endif ! 111: cn->cn_authen = DBA_AUTH_NONE; ! 112: make_dsa_bind_arg(result); ! 113: return(DS_OK); ! 114: } ! 115: ! 116: /* Now we're sure dba_dn contains a valid pointer, can decode it */ ! 117: ! 118: switch (arg->dba_auth_type) ! 119: { ! 120: case DBA_AUTH_NONE: ! 121: #ifndef NO_STATS ! 122: (void) sprintf (buff,"Bind (%d) (no auth)",cn->cn_ad); ! 123: pslog (log_stat,LLOG_NOTICE,buff,dn_print,(caddr_t)arg->dba_dn); ! 124: #endif ! 125: cn->cn_authen = DBA_AUTH_NONE; ! 126: make_dsa_bind_arg(result); ! 127: return (DS_OK); ! 128: case DBA_AUTH_SIMPLE: ! 129: #ifndef NO_STATS ! 130: (void) sprintf (buff,"Bind (%d) (simple)",cn->cn_ad); ! 131: pslog (log_stat,LLOG_NOTICE,buff,dn_print,(caddr_t)arg->dba_dn); ! 132: #endif ! 133: /* Can't check simple credentials from DSP (livelock risk). ! 134: * Hence treat DSP accesses as unauthenticated. ! 135: */ ! 136: if (cn->cn_ctx != DS_CTX_X500_DAP) ! 137: { ! 138: cn->cn_authen = DBA_AUTH_NONE; ! 139: make_dsa_bind_arg(result); ! 140: return(DS_OK); ! 141: } ! 142: break; ! 143: case DBA_AUTH_PROTECTED: ! 144: #ifndef NO_STATS ! 145: (void) sprintf (buff,"Bind (%d) (protected)",cn->cn_ad); ! 146: pslog (log_stat,LLOG_NOTICE,buff,dn_print,(caddr_t)arg->dba_dn); ! 147: #endif ! 148: if (cn->cn_ctx != DS_CTX_X500_DAP) ! 149: { ! 150: cn->cn_authen = DBA_AUTH_NONE; ! 151: make_dsa_bind_arg(result); ! 152: return(DS_OK); ! 153: } ! 154: else ! 155: { ! 156: UTC ut; ! 157: long c_time, s_time, delta; ! 158: time_t time(); ! 159: ! 160: (void) time(&s_time); ! 161: ut = str2utct(arg->dba_time1, strlen(arg->dba_time1)); ! 162: if (ut == NULLUTC) ! 163: c_time = 0L; /* 1970 is a convenient out-of-date timestamp */ ! 164: else ! 165: c_time = gtime(ut2tm(ut)); ! 166: delta = s_time - c_time; ! 167: if ((delta < 0) || (delta > bind_window)) ! 168: { ! 169: DLOG(log_dsap, LLOG_EXCEPTIONS, ! 170: ("Time = %s, Delay = %D s : Association rejected", ! 171: arg->dba_time1, delta)); ! 172: error->dbe_version = DBA_VERSION_V1988; ! 173: error->dbe_type = DBE_TYPE_SECURITY; ! 174: error->dbe_value = DSE_SC_INVALIDCREDENTIALS; ! 175: return (DS_ERROR_CONNECT); ! 176: } ! 177: pp = (struct protected_password *) calloc(1, sizeof(*pp)); ! 178: /* Ought to check for null pointer ... */ ! 179: pp->passwd = malloc((unsigned)arg->dba_passwd_len); ! 180: bcopy(arg->dba_passwd, pp->passwd, arg->dba_passwd_len); ! 181: pp->n_octets = arg->dba_passwd_len; ! 182: pp->time1 = strdup(arg->dba_time1); ! 183: pp->protected = (char) 1; ! 184: } ! 185: break; ! 186: case DBA_AUTH_STRONG: ! 187: #ifndef NO_STATS ! 188: (void) sprintf (buff,"Bind (%d) (strong)",cn->cn_ad); ! 189: pslog (log_stat,LLOG_NOTICE,buff,dn_print,(caddr_t)arg->dba_dn); ! 190: #endif ! 191: /* Strong authentication is not yet supported. ! 192: * It will eventually be possible to check strong credentials over DSP. ! 193: * For the moment, accept them and treat as NONE over DSP, but reject ! 194: * over DAP. ! 195: */ ! 196: #ifdef HAVE_RSA ! 197: { ! 198: int rc; ! 199: DN real_name; ! 200: extern int encode_DAS_TokenToSign(); ! 201: ! 202: rc = check_cert_path((caddr_t) arg, encode_DAS_TokenToSign, ! 203: arg->dba_cpath, arg->dba_sig, &real_name); ! 204: if (rc == OK) ! 205: { ! 206: make_dsa_bind_arg(result); ! 207: return (DS_OK); ! 208: } ! 209: else ! 210: { ! 211: error->dbe_version = DBA_VERSION_V1988; ! 212: error->dbe_type = DBE_TYPE_SECURITY; ! 213: error->dbe_value = rc; ! 214: return (DS_ERROR_CONNECT); ! 215: } ! 216: } ! 217: #else ! 218: if (cn->cn_ctx != DS_CTX_X500_DAP) ! 219: { ! 220: cn->cn_authen = DBA_AUTH_NONE; ! 221: make_dsa_bind_arg(result); ! 222: return (DS_OK); ! 223: } ! 224: else ! 225: { ! 226: error->dbe_version = DBA_VERSION_V1988; ! 227: error->dbe_type = DBE_TYPE_SERVICE; ! 228: error->dbe_value = DSE_SV_UNAVAILABLE; ! 229: return (DS_ERROR_CONNECT); ! 230: } ! 231: #endif ! 232: } ! 233: ! 234: /* If we fall through to here, credentials are simple or protected simple */ ! 235: ! 236: if ((res = really_find_entry(arg->dba_dn, TRUE, NULLDNSEQ, FALSE, &(entryptr), &(err), &(dsas))) == DS_OK) { ! 237: /* is it really OK ??? */ ! 238: if ((entryptr->e_data == E_TYPE_CONSTRUCTOR) ! 239: || (entryptr->e_data == E_TYPE_CACHE_FROM_MASTER)) { ! 240: DN dn_found; ! 241: DLOG(log_dsap, LLOG_NOTICE, ("rfe (bind) returned a constructor")); ! 242: dn_found = get_copy_dn(entryptr); ! 243: res = constructor_dsa_info(dn_found,NULLDNSEQ,FALSE,entryptr,&err,&dsas); ! 244: dn_free (dn_found); ! 245: } ! 246: } ! 247: switch(res) ! 248: { ! 249: case DS_OK: ! 250: /* entryptr filled out - break through to deal with it */ ! 251: break; ! 252: ! 253: case DS_CONTINUE: ! 254: /* ! 255: * At this point a remote operation is required to compare ! 256: * the password given with the password of the entry, so ! 257: * fire up the remote operation and return without completing. ! 258: * Mark the operation as a BIND_COMPARE_OP and set the connection ! 259: * which will need to be restarted. ! 260: * Generate a compare argument. ! 261: * Chain the compare operation using the di_blocks. ! 262: */ ! 263: cn->cn_start.cs_bind_compare = on = oper_alloc();/* cn knows about on */ ! 264: on->on_type = ON_TYPE_BIND_COMPARE; ! 265: on->on_bind_compare = cn; /* on knows about cn */ ! 266: ! 267: on->on_arg = &(on->on_req); ! 268: set_my_chain_args(&(on->on_req.dca_charg), arg->dba_dn); ! 269: on->on_req.dca_dsarg.arg_type = OP_COMPARE; ! 270: cma = &(on->on_req.dca_dsarg.arg_cm); ! 271: ! 272: cma->cma_common = ca_def; /* struct copy */ ! 273: ! 274: /* Set originator/requestor */ ! 275: on->on_req.dca_charg.cha_originator = dn_cpy(arg->dba_dn); ! 276: cma->cma_common.ca_requestor = dn_cpy(arg->dba_dn); ! 277: cma->cma_common.ca_servicecontrol.svc_prio = SVC_PRIO_HIGH; ! 278: ! 279: cma->cma_object = dn_cpy(arg->dba_dn); ! 280: ! 281: if (arg->dba_auth_type == DBA_AUTH_SIMPLE) ! 282: { ! 283: cma->cma_purported.ava_type = AttrT_cpy (at_password); ! 284: cma->cma_purported.ava_value = ! 285: str2AttrV (arg->dba_passwd,str2syntax("octetstring")); ! 286: } ! 287: else ! 288: { ! 289: cma->cma_purported.ava_type = AttrT_cpy (at_p_password); ! 290: cma->cma_purported.ava_value = ! 291: (AttributeValue) calloc(1, sizeof(attrVal)); ! 292: cma->cma_purported.ava_value->av_syntax = ! 293: str2syntax("protectedPassword"); ! 294: cma->cma_purported.ava_value->av_struct = (caddr_t) pp; ! 295: } ! 296: ! 297: ! 298: on->on_dsas = dsas; ! 299: for(di_tmp=on->on_dsas; di_tmp!=NULL_DI_BLOCK; di_tmp=di_tmp->di_next) ! 300: { ! 301: di_tmp->di_type = DI_OPERATION; ! 302: di_tmp->di_oper = on; ! 303: } ! 304: ! 305: if(oper_chain(on) == OK) ! 306: return(DS_CONTINUE); ! 307: ! 308: oper_extract(on); ! 309: cn->cn_start.cs_bind_compare = NULLOPER; ! 310: ! 311: error->dbe_version = DBA_VERSION_V1988; ! 312: error->dbe_type = DBE_TYPE_SERVICE; ! 313: error->dbe_value = DSE_SV_UNAVAILABLE; ! 314: ! 315: return(DS_ERROR_CONNECT); ! 316: ! 317: case DS_X500_ERROR: ! 318: /* User's entry doesn't exist, for example */ ! 319: LLOG(log_dsap, LLOG_NOTICE, ("ds_bind - really_find_entry erred:")); ! 320: log_ds_error(&(err)); ! 321: ds_error_free(&(err)); ! 322: error->dbe_version = DBA_VERSION_V1988; ! 323: error->dbe_type = DBE_TYPE_SECURITY; ! 324: error->dbe_value = DSE_SC_INVALIDCREDENTIALS; ! 325: return(DS_ERROR_CONNECT); ! 326: ! 327: default: ! 328: error->dbe_version = DBA_VERSION_V1988; ! 329: error->dbe_type = DBE_TYPE_SERVICE; ! 330: error->dbe_value = DSE_SV_DITERROR; ! 331: return(DS_ERROR_CONNECT); ! 332: } ! 333: ! 334: if ((as = as_find_type (entryptr->e_attributes, ! 335: (arg->dba_auth_type == DBA_AUTH_SIMPLE) ? ! 336: at_password : at_p_password)) == NULLATTR) ! 337: { ! 338: /* No password in entry. ! 339: * Simple authentication is not possible for entities without passwords. ! 340: * Hence, give the `inappropriate authentication' message. ! 341: */ ! 342: error->dbe_version = DBA_VERSION_V1988; ! 343: error->dbe_type = DBE_TYPE_SECURITY; ! 344: error->dbe_value = DSE_SC_AUTHENTICATION; ! 345: return (DS_ERROR_CONNECT); ! 346: } ! 347: ! 348: if (arg->dba_auth_type == DBA_AUTH_SIMPLE) { ! 349: if (strlen ((char *)as->attr_value->avseq_av.av_struct) != arg->dba_passwd_len) ! 350: retval = -1; ! 351: else ! 352: retval = strncmp ((char *)as->attr_value->avseq_av.av_struct, ! 353: arg->dba_passwd, arg->dba_passwd_len); ! 354: } else ! 355: retval = check_guard( ! 356: ((struct protected_password *) ! 357: as->attr_value->avseq_av.av_struct)->passwd, ! 358: ((struct protected_password *) ! 359: as->attr_value->avseq_av.av_struct)->n_octets, ! 360: arg->dba_time1, ! 361: arg->dba_passwd, ! 362: arg->dba_passwd_len); ! 363: ! 364: if (retval == 0) ! 365: { ! 366: /* Password OK! */ ! 367: cn->cn_authen = arg->dba_auth_type; ! 368: make_dsa_bind_arg(result); ! 369: return (DS_OK); ! 370: } ! 371: else ! 372: { ! 373: /* password wrong ! */ ! 374: error->dbe_version = DBA_VERSION_V1988; ! 375: error->dbe_type = DBE_TYPE_SECURITY; ! 376: error->dbe_value = DSE_SC_INVALIDCREDENTIALS; ! 377: return (DS_ERROR_CONNECT); ! 378: } ! 379: } ! 380: ! 381: bind_compare_result_wakeup(on) ! 382: struct oper_act * on; ! 383: { ! 384: ! 385: DLOG(log_dsap, LLOG_TRACE, ("bind_compare_result_wakeup()")); ! 386: if(on->on_bind_compare == NULLCONN) ! 387: { ! 388: LLOG(log_dsap, LLOG_EXCEPTIONS, ("bind_compare_result_wakeup - connection initiating compare already failed")); ! 389: } ! 390: else ! 391: { ! 392: if(on->on_resp.di_result.dr_res.dcr_dsres.res_cm.cmr_matched) ! 393: { ! 394: DLOG(log_dsap, LLOG_DEBUG, ("bind_compare - user authenticated")); ! 395: on->on_bind_compare->cn_authen = on->on_bind_compare->cn_connect.cc_req.dba_auth_type; ! 396: conn_init_res(on->on_bind_compare); ! 397: } ! 398: else ! 399: { ! 400: struct ds_bind_error * error = &(on->on_bind_compare->cn_start.cs_err); ! 401: DLOG(log_dsap, LLOG_DEBUG, ("bind_compare - user NOT authenticated")); ! 402: error->dbe_version = DBA_VERSION_V1988; ! 403: error->dbe_type = DBE_TYPE_SECURITY; ! 404: /* Password match failed, therefore credentials are wrong */ ! 405: error->dbe_value = DSE_SC_INVALIDCREDENTIALS; ! 406: conn_init_err(on->on_bind_compare); ! 407: } ! 408: } ! 409: oper_conn_extract(on); ! 410: oper_free(on); ! 411: } ! 412: ! 413: bind_compare_error_wakeup(on) ! 414: struct oper_act * on; ! 415: { ! 416: int errmsg = DSE_SV_DITERROR; ! 417: int errtype = DBE_TYPE_SERVICE; ! 418: ! 419: DLOG(log_dsap, LLOG_TRACE, ("bind_compare_error_wakeup()")); ! 420: ! 421: /* ! 422: * Check for referral and rechain if appropriate; ! 423: * Otherwise check if error requires propagation ! 424: * or another of the original di_blocks to be chained to. ! 425: */ ! 426: ! 427: if(on->on_bind_compare == NULLCONN) ! 428: { ! 429: LLOG(log_dsap, LLOG_EXCEPTIONS, ("bind_compare_error_wakeup - connection initiating compare already failed")); ! 430: } ! 431: else ! 432: { ! 433: struct ds_bind_error * error = &(on->on_bind_compare->cn_start.cs_err); ! 434: switch(on->on_resp.di_error.de_err.dse_type) ! 435: { ! 436: case DSE_NOERROR: ! 437: LLOG(log_dsap, LLOG_EXCEPTIONS, ("bind_compare_error_wakeup() - no error!")); ! 438: break; ! 439: case DSE_REFERRAL: ! 440: LLOG(log_dsap, LLOG_EXCEPTIONS, ("bind_compare_error_wakeup() - DAP referral received!")); ! 441: case DSE_DSAREFERRAL: ! 442: /* Follow referral */ ! 443: if(oper_rechain(on) == OK) ! 444: return; ! 445: break; ! 446: case DSE_NAMEERROR: ! 447: case DSE_SECURITYERROR: ! 448: case DSE_ATTRIBUTEERROR: ! 449: errtype = DBE_TYPE_SECURITY; ! 450: errmsg = DSE_SC_INVALIDCREDENTIALS; ! 451: break; ! 452: case DSE_SERVICEERROR: ! 453: errmsg = on->on_resp.di_error.de_err.ERR_SERVICE.DSE_sv_problem; ! 454: break; ! 455: default: ! 456: log_ds_error(&on->on_resp.di_error.de_err); ! 457: DLOG(log_dsap, LLOG_DEBUG, ("bind_compare_error_wakeup() - assuming all errors finish operation!")); ! 458: break; ! 459: } ! 460: ! 461: error->dbe_version = DBA_VERSION_V1988; ! 462: error->dbe_type = errtype; ! 463: error->dbe_value = errmsg; ! 464: conn_init_err(on->on_bind_compare); ! 465: } ! 466: oper_conn_extract(on); ! 467: oper_free(on); ! 468: } ! 469: ! 470: bind_compare_fail_wakeup(on) ! 471: struct oper_act * on; ! 472: { ! 473: DLOG(log_dsap, LLOG_TRACE, ("bind_compare_fail_wakeup()")); ! 474: ! 475: /* ! 476: * If there are any more "di_block"s to attempt it must be ! 477: * worth a go (perhaps this depends on the failure which ! 478: * has occurrred). ! 479: */ ! 480: if(on->on_bind_compare == NULLCONN) ! 481: { ! 482: LLOG(log_dsap, LLOG_EXCEPTIONS, ("bind_compare_fail_wakeup - connection initiating compare already failed")); ! 483: } ! 484: else ! 485: { ! 486: struct ds_bind_error * error = &(on->on_bind_compare->cn_start.cs_err); ! 487: ! 488: if(on->on_dsas) ! 489: { ! 490: if(oper_chain(on) == OK) ! 491: return; ! 492: } ! 493: ! 494: if(on->on_dsas) ! 495: { ! 496: /* oper_chain must be awaiting deferred di_blocks */ ! 497: return; ! 498: } ! 499: ! 500: error->dbe_version = DBA_VERSION_V1988; ! 501: error->dbe_type = DBE_TYPE_SERVICE; ! 502: error->dbe_value = DSE_SV_UNAVAILABLE; ! 503: conn_init_err(on->on_bind_compare); ! 504: } ! 505: oper_conn_extract(on); ! 506: oper_free(on); ! 507: } ! 508: ! 509: do_ds_unbind (conn) ! 510: register struct connection * conn; ! 511: { ! 512: #ifndef NO_STATS ! 513: char buff[LINESIZE]; ! 514: ! 515: if(conn->cn_initiator) ! 516: { ! 517: (void) sprintf (buff,"Unbind (%d) (initiator)",conn->cn_ad); ! 518: } ! 519: else ! 520: { ! 521: (void) sprintf (buff,"Unbind (%d) (responder)",conn->cn_ad); ! 522: } ! 523: pslog (log_stat,LLOG_NOTICE,buff,dn_print,(caddr_t)conn->cn_dn); ! 524: #endif ! 525: DLOG (log_dsap,LLOG_TRACE,("ds_un_bind")); ! 526: } ! 527:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.