[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
/*****************************************************************************/
/*
AuthACME.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The Authentication and Credentials Management Extensions (ACME) subsystem
provides authentication and persona-based credential services. Applications
use these services to enforce authentication policies defined by ACME agents
running in the context of the ACME_SERVER process.
This module will form the basis of an authentication capability using the
$ACM() system service and the "Authentication and Credential Management
Extensions" server.
It is not available on VAX and is only for VMS later than V7.3.
See AUTH.C for overall detail on the WASD authorization environment.
WHY ACME?
---------
It offers a vendor maintained authentication service that, in part, parallels
that provided by the WASD SYSUAF authentication facility. Of course, the
"vendor maintained" is the important bit! It should be more robust and
less-likely to get (or be) broken than the WASD equivalent.
So, for applicable platforms no more $GETAUI() and then checking password
expiry and creating password hashes and comparing them, etc., etc. It's all
handled by the one SYS$ACM() call. Does this mean the historical AUTHVMS.C
contortions can be dispensed with? Well, no, of course not. For non-supported
platforms it still must be maintained, as well as WASD's use of some portions
of the SYSUAF account information for further controlling access (e.g.
privileged accounts, rights identifiers).
Any down sides? Well it appears as if the authentication failure information
returned by SYS$ACM() is quite chunky, basically one %ACME-E-AUTHFAIL, so you
lose the explanatory information available with AuthVmsVerifyUser().
The WASD SYSUAF password change functions available via HTADMIN.C and AUTHVMS.C
also get a gee-up by using the ACME service. The password change SYS$ACM()
will invoke the site's full password policy (much better than the half-assed
WASD implementation) and so potentially provide dictionary and password history
functionality, etc., for web-based password change.
Other reasons for using ACME ... well it can authenticate from sources other
than the SYSUAF and supply a mapped VMS username as a result. At the time of
writing the only other HP-supported "domain of interpretation" is the "MSV1_0"
Microsoft Lan Manager domain-based authentication. There may be more in the
future, including third-party and locally developed ACME plug-ins. So WASD
having this now provides for future authentication developments as well.
VERSION HISTORY
---------------
10-OCT-2009 MGD AuthAcmeVerifyUser() requires SECURITY privilege to
allow ACME$M_NOAUTHORIZATION for authentication-only
when using WASD_NIL_ACCESS identifier,
AuthAcmeVerifyUser() can now use [AuthSYSUAFlogonType] and/or
an optional authorization rule parameter 'param="logon=.."'
to specify the login mode (default is still NETWORK)
29-APR-2009 MGD DOI name of '*' indicates use the default of
ACME$LATEST_ENABLED_AGENT_LIST rather than the specified DOI
(authentication realm is set to the DOI authentication realm)
24-NOV-2007 MGD force ACME on VMS V7.3 and later
31-JUL-2005 MGD add remote IP address to refine intrusion data and
reduce possibility of DOS attack on particular usernames,
bugfix; AuthAcmeVerifyUser() ACME$_LOGON_TYPE requires
IMPERSONATE (DETACH) privilege for VMS V7.3-1 and earlier
16-MAR-2004 MGD initial (new with WASD v8.5)
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
#ifndef WASD_ACME
# define WASD_ACME 0
#endif
/**************************************/
#if WASD_ACME /* ACME authentication */
/**************************************/
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <utcblkdef.h>
#include <acmedef.h>
#include <acmemsgdef.h>
#include <descrip.h>
#include <iledef.h>
#define ILE3 ile3 /* because of the __VMS_VER */
#include <prvdef.h>
#include <ssdef.h>
#include <stsdef.h>
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "AUTHACME"
#if WATCH_MOD
#define FI_NOLI WASD_MODULE, __LINE__
#else
/* in production let's keep the exact line to ourselves! */
#define FI_NOLI WASD_MODULE, 0
#endif
/******************/
/* global storage */
/******************/
/* this image is linked with ACME capabilities */
BOOL AuthAcmeLinked = true;
/********************/
/* external storage */
/********************/
#ifdef DBUG
extern BOOL Debug;
#else
#define Debug 0
#endif
extern BOOL AuthConfigACME,
AuthNilAccessExists,
AuthSysUafEnabled;
extern int EfnWait,
EfnNoWait;
extern int ToLowerCase[],
ToUpperCase[];
extern unsigned long DetachMask[],
SecurityMask[];
extern char ErrorSanityCheck[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern MSG_STRUCT Msgs;
extern SYS_INFO SysInfo;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
Verify the request username/password using $ACM() services.
Return the results via AST AuthAcmeVerifyUserAst().
*/
int AuthAcmeVerifyUser (REQUEST_STRUCT* rqptr)
{
int status,
SetPrvStatus,
UserNameLength;
unsigned long AcmeLogonType,
FuncCode;
unsigned long PrivMask [2];
char *cptr, *sptr, *zptr;
char UserNameBuffer [256];
AUTH_ACME *acmeptr;
ILE3 *itmptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAcmeVerifyUser() !&Z !&Z",
rqptr->rqAuth.RealmPtr, rqptr->RemoteUser);
if (!AuthConfigACME)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
rqptr->rqAuth.SysUafAuthenticated = true;
if (!(cptr = rqptr->rqAuth.PathParameterPtr)) cptr = "";
while (*cptr && (TOLO(*cptr) != 'l' || !strsame(cptr,"logon=",6))) cptr++;
if (*cptr)
{
/* same set of parameters as used by AuthVmsGetUai() */
if (strsame (cptr, "logon=NETWORK", 13))
AcmeLogonType = ACME$K_NETWORK;
else
if (strsame (cptr, "logon=BATCH", 11))
AcmeLogonType = ACME$K_BATCH;
else
if (strsame (cptr, "logon=LOCAL", 11))
AcmeLogonType = ACME$K_LOCAL;
else
if (strsame (cptr, "logon=DIALUP", 12))
AcmeLogonType = ACME$K_DIALUP;
else
if (strsame (cptr, "logon=REMOTE", 12))
AcmeLogonType = ACME$K_REMOTE;
else
{
AcmeLogonType = 0;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"unknown ACME$_LOGON_TYPE \"!AZ\"", cptr);
}
}
else
if (Config.cfAuth.SysUafLogonType)
AcmeLogonType = Config.cfAuth.SysUafLogonType;
else
AcmeLogonType = ACME$K_NETWORK;
rqptr->rqAuth.SysUafLogonType = AcmeLogonType;
FuncCode = ACME$_FC_AUTHENTICATE_PRINCIPAL;
PrivMask[0] = DetachMask[0];
PrivMask[1] = DetachMask[1];
acmeptr = rqptr->rqAuth.AcmeDataPtr =
(AUTH_ACME*)VmGetHeap (rqptr, sizeof(AUTH_ACME));
itmptr = &acmeptr->AcmItemList;
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS\0") ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS-") ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS_"))
{
cptr = "VMS";
/* flag that case-less username and password checks were performed */
rqptr->rqAuth.CaseLess = true;
FuncCode = ACME$_FC_AUTHENTICATE_PRINCIPAL;
if (AuthNilAccessExists)
{
/* don't authorize access, just authenticate credentials */
FuncCode |= ACME$M_NOAUTHORIZATION;
PrivMask[0] |= SecurityMask[0];
PrivMask[1] |= SecurityMask[1];
}
}
else
cptr = rqptr->rqAuth.RealmPtr;
if (*cptr == '*')
{
/* use the default DOI(s) ACME$LATEST_ENABLED_AGENT_LIST? */
itmptr->ile3$w_code = ACME$_AUTHENTICATING_DOI_NAME;
itmptr->ile3$w_length = sizeof(acmeptr->AuthDoiName)-1;
itmptr->ile3$ps_bufaddr = acmeptr->AuthDoiName;
itmptr->ile3$ps_retlen_addr = &acmeptr->AuthDoiNameLength;
itmptr++;
/* just for WATCH purposes */
acmeptr->TargetDoiName[0] = '*';
}
else
{
/* specify the DOI */
zptr = (sptr = acmeptr->TargetDoiName) + sizeof(acmeptr->TargetDoiName)-1;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
*sptr = '\0';
acmeptr->TargetDoiNameLength = sptr - acmeptr->TargetDoiName;
itmptr->ile3$w_code = ACME$_TARGET_DOI_NAME;
itmptr->ile3$w_length = acmeptr->TargetDoiNameLength;
itmptr->ile3$ps_bufaddr = acmeptr->TargetDoiName;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
}
/* requires IMPERSONATE (DETACH) privilege on VMS V7.3-1 or earlier */
itmptr->ile3$w_code = ACME$_LOGON_TYPE;
itmptr->ile3$w_length = sizeof(AcmeLogonType);
itmptr->ile3$ps_bufaddr = &AcmeLogonType;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
itmptr->ile3$w_code = ACME$_PRINCIPAL_NAME_IN;
itmptr->ile3$w_length = rqptr->RemoteUserLength;
itmptr->ile3$ps_bufaddr = rqptr->RemoteUser;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
/* requires IMPERSONATE (DETACH) privilege */
itmptr->ile3$w_code = ACME$_REMOTE_HOST_NAME;
itmptr->ile3$w_length = strlen(&rqptr->ClientPtr->IpAddressString);
itmptr->ile3$ps_bufaddr = &rqptr->ClientPtr->IpAddressString;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
/* create a composite string containing the user name */
zptr = (sptr = UserNameBuffer) + sizeof(UserNameBuffer)-1;
for (cptr = "WASD:"; *cptr; *sptr++ = *cptr++);
for (cptr = rqptr->RemoteUser; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
UserNameLength = sptr - UserNameBuffer;
cptr = VmGetHeap (rqptr, UserNameLength+1);
memcpy (cptr, UserNameBuffer, UserNameLength+1);
/* requires IMPERSONATE (DETACH) privilege */
itmptr->ile3$w_code = ACME$_REMOTE_USERNAME;
itmptr->ile3$w_length = UserNameLength;
itmptr->ile3$ps_bufaddr = cptr;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
itmptr->ile3$w_code = ACME$_PASSWORD_1;
itmptr->ile3$w_length = strlen(rqptr->RemoteUserPassword);
itmptr->ile3$ps_bufaddr = rqptr->RemoteUserPassword;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
itmptr->ile3$w_code = ACME$_MAPPED_VMS_USERNAME;
itmptr->ile3$w_length = sizeof(acmeptr->MappedVmsUserName);
itmptr->ile3$ps_bufaddr = acmeptr->MappedVmsUserName;
itmptr->ile3$ps_retlen_addr = &acmeptr->MappedVmsUserNameLength;
itmptr++;
if (WATCHING (rqptr, WATCH_AUTH))
{
itmptr->ile3$w_code = ACME$_MAPPING_ACME_NAME;
itmptr->ile3$w_length = sizeof(acmeptr->MappingAcmeName);
itmptr->ile3$ps_bufaddr = acmeptr->MappingAcmeName;
itmptr->ile3$ps_retlen_addr = &acmeptr->MappingAcmeNameLength;
itmptr++;
}
memset (itmptr, 0, sizeof(ILE3));
/* provide required privilege(s) */
if (VMSnok (SetPrvStatus = sys$setprv (1, &PrivMask, 0, 0)))
ErrorExitVmsStatus (SetPrvStatus, "sys$setprv()", FI_LI);
status = sys$acm (EfnNoWait,
FuncCode,
0,
&acmeptr->AcmItemList,
&acmeptr->AcmIOsb,
&AuthAcmeVerifyUserAst,
rqptr);
if (VMSnok (SetPrvStatus = sys$setprv (0, &PrivMask, 0, 0)))
ErrorExitVmsStatus (SetPrvStatus, "sys$setprv()", FI_LI);
if (AuthNilAccessExists)
if (status == SS$_NOPRIV)
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"!AZ requires INSTALL with SECURITY privilege",
AUTH_NIL_ACCESS_VMS_ID);
if (VMSnok (status))
{
/* an error with sys$acm(), fudge status and queue AST manually */
acmeptr->AcmIOsb[0] = acmeptr->AcmIOsb[1] = status;
SysDclAst (AuthAcmeVerifyUserAst, rqptr);
}
/* function completes asynchronously! */
rqptr->rqAuth.AstFunction = rqptr->rqAuth.AstFunctionBuffer;
rqptr->rqAuth.FinalStatus = AUTH_PENDING;
return (AUTH_PENDING);
}
/*****************************************************************************/
/*
AST delivered from the ACME service. Check the status and adjust to a WASD
AUTH value if necessary. If a SYSUAF-equivalent authentication then also call
AuthVmsVerifyUser() to check against other WASD restrictions (e.g. rights
identifier authentication control), and if then still authenticated also check
if the primary password has expired and if it has the redirect to a configured
'change password' URL or deny access.
*/
AuthAcmeVerifyUserAst (REQUEST_STRUCT* rqptr)
{
int status;
char *cptr;
AUTH_ACME *acmeptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthAcmeVerifyUserAst()");
acmeptr = rqptr->rqAuth.AcmeDataPtr;
if (WATCHING (rqptr, WATCH_AUTH))
{
for (cptr = acmeptr->MappingAcmeName; *cptr && !isspace(*cptr); cptr++);
*cptr = '\0';
acmeptr->MappingAcmeNameLength = cptr - acmeptr->MappingAcmeName;
if (VMSok(acmeptr->AcmIOsb[0]) &&
acmeptr->AcmIOsb[0] == acmeptr->AcmIOsb[1])
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" agent:\"!AZ\" mapped:\"!AZ\" logon:!AZ !&S",
acmeptr->TargetDoiName,
acmeptr->MappingAcmeName,
acmeptr->MappedVmsUserName,
AuthSysUafLogonType(rqptr->rqAuth.SysUafLogonType),
acmeptr->AcmIOsb[0]);
}
else
if (!acmeptr->AcmIOsb[3] &&
acmeptr->AcmIOsb[0] == acmeptr->AcmIOsb[1])
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" logon:!AZ !&S",
acmeptr->TargetDoiName,
AuthSysUafLogonType(rqptr->rqAuth.SysUafLogonType),
acmeptr->AcmIOsb[0]);
}
else
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" logon:!AZ sts:!&S sec:!&S id:!UL acme:!&S",
acmeptr->TargetDoiName,
AuthSysUafLogonType(rqptr->rqAuth.SysUafLogonType),
acmeptr->AcmIOsb[0], acmeptr->AcmIOsb[1],
acmeptr->AcmIOsb[2], acmeptr->AcmIOsb[3],
acmeptr->MappedVmsUserName);
WatchDataFormatted ("%!&M\n%!&M\n",
acmeptr->AcmIOsb[0],
acmeptr->AcmIOsb[1]);
}
}
status = acmeptr->AcmIOsb[0];
/* convert an ACME auth failure into a retryable server auth failure */
if (status == ACME$_AUTHFAILURE) status = AUTH_DENIED_BY_LOGIN;
if (VMSok (status) && strsame (acmeptr->TargetDoiName, "VMS", -1))
rqptr->rqAuth.SysUafAuthenticated = true;
/* if authentication OK and it effectively was from the SYSUAF */
if (VMSok (status) && rqptr->rqAuth.SysUafAuthenticated)
{
if (rqptr->rqAuth.RealmPtr[0] == '*')
{
/* use the authenticating DOI as the realm */
rqptr->rqAuth.RealmPtr = acmeptr->AuthDoiName;
rqptr->rqAuth.RealmLength = acmeptr->AuthDoiNameLength;
rqptr->rqAuth.RealmPtr[rqptr->rqAuth.RealmLength] = '\0';
}
/* check there are no further (WASD-specific) restrictions */
if (VMSok (status = AuthVmsGetUai (rqptr, acmeptr->MappedVmsUserName)))
{
if (VMSok (status = AuthVmsVerifyUser (rqptr)))
{
/* authenticated ... user can do anything (the path allows!) */
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
}
}
/* if authenticated */
if (VMSok (status))
{
if (rqptr->rqAuth.SysUafPwdExpired)
{
/* password has expired */
if (!strsame (rqptr->rqHeader.RequestUriPtr,
INTERNAL_PASSWORD_CHANGE,
sizeof(INTERNAL_PASSWORD_CHANGE)-1))
{
/* and not in the process of changing it */
if (rqptr->rqPathSet.AuthSysUafPwdExpUrlPtr)
cptr = rqptr->rqPathSet.AuthSysUafPwdExpUrlPtr;
else
if (Config.cfAuth.SysUafPwdExpUrl[0])
cptr = Config.cfAuth.SysUafPwdExpUrl;
else
cptr = NULL;
if (cptr)
{
/* expired password URL is configured */
if (!strsame (rqptr->rqHeader.RequestUriPtr, cptr, -1))
{
/* request URI doesn't match it though, so redirect */
ResponseLocation (rqptr, cptr, -1);
status = AUTH_DENIED_BY_REDIRECT;
}
}
else
{
/* is not configured */
status = AUTH_DENIED_BY_LOGIN;
}
}
}
}
if (VMSok (status))
{
/* buffer the original remote user (the browser-supplied user id) */
strcpy (rqptr->rqAuth.RemoteUser, rqptr->RemoteUser);
rqptr->rqAuth.RemoteUserLength = rqptr->RemoteUserLength;
/* replace with the ACME mapped username */
strcpy (rqptr->RemoteUser, acmeptr->MappedVmsUserName);
rqptr->RemoteUserLength = strlen(acmeptr->MappedVmsUserName);
}
}
rqptr->rqAuth.FinalStatus = status;
SysDclAst (AuthorizeRealmCheck, rqptr);
}
/*****************************************************************************/
/*
Change the specified username's ('rqptr->RemoteUser') password in the specified
ACME domain ('rqptr->rqAuth.RealmPtr'). It assumes the calling routine
HTAdminChangePassword() has performed required preliminary sanity checks. This
function is just to perform the change - ASYNCHRONOUSLY!
*/
AuthAcmeChangePassword
(
REQUEST_STRUCT* rqptr,
char *PasswordCurrent,
char *PasswordNew
)
{
/* doesn't work using ACME$K_NETWORK (which is sort of understandable) */
static unsigned long AcmeLogonType = ACME$K_LOCAL;
static unsigned long NewPasswordFlags = ACMEPWDFLG$M_PASSWORD_1;
int len, status;
char *cptr, *sptr, *zptr;
AUTH_ACME *acmeptr;
ILE3 *itmptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAcmeChangePassword() !&Z !&Z",
rqptr->rqAuth.RealmPtr, rqptr->RemoteUser);
if (WATCHING (rqptr, WATCH_RESPONSE))
WatchThis (WATCHITM(rqptr), WATCH_RESPONSE, "CHANGE ACME password");
if (!AuthConfigACME)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
acmeptr = rqptr->rqAuth.AcmeDataPtr =
(AUTH_ACME*)VmGetHeap (rqptr, sizeof(AUTH_ACME));
itmptr = &acmeptr->AcmItemList;
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID ||
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS\0") ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS-") ||
MATCH4 (rqptr->rqAuth.RealmPtr, "VMS_"))
cptr = "VMS";
else
cptr = rqptr->rqAuth.RealmPtr;
if (*cptr == '*')
{
/* use the default DOI(s) ACME$LATEST_ENABLED_AGENT_LIST? */
itmptr->ile3$w_code = ACME$_AUTHENTICATING_DOI_NAME;
itmptr->ile3$w_length = sizeof(acmeptr->AuthDoiName)-1;
itmptr->ile3$ps_bufaddr = acmeptr->AuthDoiName;
itmptr->ile3$ps_retlen_addr = &acmeptr->AuthDoiNameLength;
itmptr++;
/* just for WATCH purposes */
acmeptr->TargetDoiName[0] = '*';
}
else
{
/* specify the DOI */
zptr = (sptr = acmeptr->TargetDoiName) + sizeof(acmeptr->TargetDoiName)-1;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
*sptr = '\0';
acmeptr->TargetDoiNameLength = sptr - acmeptr->TargetDoiName;
itmptr->ile3$w_code = ACME$_TARGET_DOI_NAME;
itmptr->ile3$w_length = acmeptr->TargetDoiNameLength;
itmptr->ile3$ps_bufaddr = acmeptr->TargetDoiName;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
}
itmptr->ile3$w_code = ACME$_LOGON_TYPE;
itmptr->ile3$w_length = sizeof(AcmeLogonType);
itmptr->ile3$ps_bufaddr = &AcmeLogonType;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
itmptr->ile3$w_code = ACME$_PRINCIPAL_NAME_IN;
itmptr->ile3$w_length = rqptr->RemoteUserLength;
itmptr->ile3$ps_bufaddr = rqptr->RemoteUser;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
len = strlen(PasswordCurrent);
cptr = VmGetHeap (rqptr, len+1);
strcpy (cptr, PasswordCurrent);
itmptr->ile3$w_code = ACME$_PASSWORD_1;
itmptr->ile3$w_length = len;
itmptr->ile3$ps_bufaddr = cptr;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
itmptr->ile3$w_code = ACME$_NEW_PASSWORD_FLAGS;
itmptr->ile3$w_length = sizeof(NewPasswordFlags);
itmptr->ile3$ps_bufaddr = &NewPasswordFlags;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
len = strlen(PasswordNew);
cptr = VmGetHeap (rqptr, len+1);
strcpy (cptr, PasswordNew);
itmptr->ile3$w_code = ACME$_NEW_PASSWORD_1;
itmptr->ile3$w_length = len;
itmptr->ile3$ps_bufaddr = cptr;
itmptr->ile3$ps_retlen_addr = 0;
itmptr++;
memset (itmptr, 0, sizeof(ILE3));
status = sys$acm (EfnNoWait,
ACME$_FC_CHANGE_PASSWORD,
0,
&acmeptr->AcmItemList,
&acmeptr->AcmIOsb,
&AuthAcmeChangePasswordAst,
rqptr);
if (VMSnok (status))
{
/* an error with sys$acm(), fudge status and queue AST manually */
acmeptr->AcmIOsb[0] = acmeptr->AcmIOsb[1] = status;
SysDclAst (AuthAcmeChangePasswordAst, rqptr);
}
}
/*****************************************************************************/
/*
AST delivered from the ACME service.
*/
AuthAcmeChangePasswordAst (REQUEST_STRUCT* rqptr)
{
int status;
char *cptr;
AUTH_ACME *acmeptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAcmeChangePasswordAst()");
acmeptr = rqptr->rqAuth.AcmeDataPtr;
if (WATCHING (rqptr, WATCH_AUTH))
{
for (cptr = acmeptr->MappingAcmeName; *cptr && !isspace(*cptr); cptr++);
*cptr = '\0';
acmeptr->MappingAcmeNameLength = cptr - acmeptr->MappingAcmeName;
if (VMSok(acmeptr->AcmIOsb[0]) &&
acmeptr->AcmIOsb[0] == acmeptr->AcmIOsb[1])
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" !&S",
acmeptr->TargetDoiName,
acmeptr->AcmIOsb[0]);
}
else
if (!acmeptr->AcmIOsb[3] &&
acmeptr->AcmIOsb[0] == acmeptr->AcmIOsb[1])
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" !&S",
acmeptr->TargetDoiName,
acmeptr->AcmIOsb[0]);
}
else
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACME doi:\"!AZ\" sts:!&S sec:!&S id:!UL acme:!&S",
acmeptr->TargetDoiName,
acmeptr->AcmIOsb[0], acmeptr->AcmIOsb[1],
acmeptr->AcmIOsb[2], acmeptr->AcmIOsb[3],
acmeptr->MappedVmsUserName);
WatchDataFormatted ("%!&M\n%!&M\n",
acmeptr->AcmIOsb[0],
acmeptr->AcmIOsb[1]);
}
}
status = acmeptr->AcmIOsb[0];
if (VMSok (status))
{
if (rqptr->rqAuth.RealmPtr[0] == '*')
{
/* use the authenticating DOI as the realm */
rqptr->rqAuth.RealmPtr = acmeptr->AuthDoiName;
rqptr->rqAuth.RealmLength = acmeptr->AuthDoiNameLength;
rqptr->rqAuth.RealmPtr[rqptr->rqAuth.RealmLength] = '\0';
}
}
else
{
rqptr->rqResponse.HttpStatus = 403;
cptr = VmGetHeap (rqptr, 256);
FaoToBuffer (cptr, 255, NULL, "!&m.", status);
*cptr = TOUP(*cptr);
ErrorGeneral (rqptr, cptr, FI_NOLI);
}
HTAdminChangePasswordEnd (rqptr);
}
/*****************************************************************************/
/************************/
#else /* #if WASD_ACME */
/************************/
#include "wasd.h"
#define WASD_MODULE "AUTHACME"
extern char ErrorSanityCheck[];
/* this image is linked without ACME capabilities */
BOOL AuthAcmeLinked = 0;
/* just for linkage and sanity checking */
int AuthAcmeVerifyUser (REQUEST_STRUCT* rqptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
/* keep the compile quiet using a return statement */
return (SS$_BUGCHECK);
}
AuthAcmeVerifyUserAst (REQUEST_STRUCT* rqptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
AuthAcmeChangePassword
(
REQUEST_STRUCT *rqptr,
char *PasswordCurrent,
char *PasswordNew
)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
AuthAcmeChangePasswordAst (REQUEST_STRUCT* rqptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
/*************************/
#endif /* #if WASD_ACME */
/*************************/
/*****************************************************************************/