[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
/*****************************************************************************/
/*
AuthVMS.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
This module provides functions related to the authentication of usernames via
access to the SYSUAF and the hashed password and other entry flags, etc. It
also processes VMS identifiers used for controlling access. Functions create
and validate access against WASD's VMS user profile capability. Other
functionality includes checking access to files, etc. via these for the server
as well as users holding profiles.
See AUTH.C for overall detail on the WASD authorization environment.
VERSION HISTORY
---------------
27-AUG-2013 MGD bugfix; AuthVmsGetUai() interaction of logon= parameters
22-AUG-2012 MGD bugfix; AuthVmsGetUai() logon= fall through
11-OCT-2009 MGD AuthVmsGetUai() can now use [AuthSYSUAFlogonType] and/or
an optional authorization rule parameter 'param="logon=.."'
to specify the login mode (default is still NETWORK)
a la ACME (and retrieves the access restriction days/hours
associated with that mode).
18-NOV-2008 MGD bugfix; AuthVmsChangePassword() ensure that
rqAuth.SysUafDataPtr is populated
30-MAY-2007 MGD AuthAccessCheck()
bugfix; &ArmAccessItem
03-JUN-2005 MGD only check pwd2 pre-expiry if pwd2 is set
11-MAY-2005 MGD provide PWDMIX mixed-case plus printable char passwords
in AuthVmsVerifyPassword() and AuthVmsChangePassword()
20-MAR-2005 MGD AuthVmsVerifyUser() WATCH which flag causes failure
18-MAR-2004 MGD rework $GETUAI() during ACME development,
add check for pre-expired passwords
20-NOV-2003 MGD only check secondary password expiry date/time
if the secondary password hash is not empty
24-JUL-2003 MGD remote username already massaged by AuthorizeRealm()
03-MAY-2003 MGD /SYSUAF=(VMS,ID) accomodated in AuthVmsVerifyUser()
30-JAN-2003 MGD authentication profile can be requested via rule,
refine checks in AuthAccessReadCheck() and
AuthAccessWriteCheck()
21-DEC-2002 MGD AuthVmsLoadIdentifiers() more flexible
05-OCT-2002 MGD allow wildcard specifications in AuthAccessReadCheck()
06-SEP-2002 MGD AuthAccessReadCheck() traps SS$_NOCALLPRIV returning
SS$_NOPRIV to allow directory listings of DFS volumes
13-MAY-2002 MGD SYSUAF expired password redirection ([AuthSysUafPwdExpUrl])
07-MAY-2002 MGD bugfix; account/password expiry
27-APR-2002 MGD use sys$setprv()
20-NOV-2001 MGD bugfix; /RELAXED should allow all but DISUSERed accounts
to authenticate regardless of RESTRICTED or CAPTIVE flags
04-AUG-2001 MGD support module WATCHing
05-APR-2001 MGD bugfix; AuthAccessReadCheck() return SS$_NOPRIV
26-MAR-2001 MGD bugfix; sys$create_user_profile() length size from word
(System Services Manual) to unsigned int (startlet.h)!
23-FEB-2001 MGD bugfix; identifier check OK should continue to load details
27-MAR-2000 MGD bugfix; AuthVmsCheckIdentifier() error return changed from
AUTH_DENIED_BY_OTHER to AUTH_DENIED_BY_LOGIN
20-NOV-1999 MGD add nil-access identifier to bypass hour restrictions
02-OCT-1999 MGD VMS user profile WATCH enhancements
bugfix; AuthCreateVmsUserProfile()
28-AUG-1999 MGD unbundled from AUTH.C for v6.1
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <armdef.h>
#include <chpdef.h>
#include <descrip.h>
#include <libdef.h>
#include <prvdef.h>
#include <ssdef.h>
#include <stsdef.h>
#include <uaidef.h>
/* not defined VAX C 3.2 <uaidef.h> (probably unnecessary now 11-MAY-2005) */
#ifndef UAI$M_RESTRICTED
#define UAI$M_RESTRICTED 0x8
#endif
#ifndef UAI$C_PURDY_S
#define UAI$C_PURDY_S 3
#endif
/* probably not defined earlier than 7.3-2 */
#ifndef UAI$M_PWDMIX
#define UAI$M_PWDMIX 0x2000000
#endif
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "AUTHVMS"
#if WATCH_MOD
#define FI_NOLI WASD_MODULE, __LINE__
#else
/* in production let's keep the exact line to ourselves! */
#define FI_NOLI WASD_MODULE, 0
#endif
/******************/
/* global storage */
/******************/
unsigned int HttpdUserProfileLength;
unsigned char *HttpdUserProfilePtr;
$DESCRIPTOR (HttpdUserProfileDsc, "");
/********************/
/* external storage */
/********************/
extern BOOL AuthPolicySysUafRelaxed,
AuthPolicySysUafIdentifiers,
AuthPolicySysUafWasdIdentifiers,
AuthPolicySysUafVms,
AuthSysUafEnabled,
AuthSysUafPromiscuous,
AuthVmsUserProfileEnabled,
AuthVmsUserProfileNoRule;
extern BOOL InstanceMutexHeld[];
extern int ServerPort;
extern int64 HttpdTime64;
extern int ToLowerCase[],
ToUpperCase[];
extern unsigned long AuthHttpsOnlyVmsIdentifier,
AuthNilAccessVmsIdentifier,
AuthPasswordChangeVmsIdentifier,
AuthWasdPwdVmsIdentifier,
AuthWasdHttpsVmsIdentifier,
AuthWasdReadVmsIdentifier,
AuthWasdWriteVmsIdentifier;
extern unsigned long SysPrvMask[];
extern char ErrorSanityCheck[],
SoftwareID[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern HTTPD_PROCESS HttpdProcess;
extern MSG_STRUCT Msgs;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
Get the specified username's flags, authorized privileges, quadword password,
hash salt and encryption algorithm from SYSUAF into an allocated SYSUAF
authentication data buffer.
*/
int AuthVmsGetUai
(
REQUEST_STRUCT *rqptr,
char *UserName
)
{
static $DESCRIPTOR (UserNameDsc, "");
static unsigned long Context = -1;
int status,
AccessP,
AccessS,
LogonType;
ulong *qptr1,
*qptr2;
char *cptr, *sptr, *zptr;
AUTH_SYSUAF *uafptr;
VMS_ITEM_LIST3 *itmptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthVmsGetUai() !&Z", UserName);
/* double-check! */
if (!AuthSysUafEnabled) return (AUTH_DENIED_BY_LOGIN);
uafptr = rqptr->rqAuth.SysUafDataPtr =
(AUTH_SYSUAF*)VmGetHeap (rqptr, sizeof(AUTH_SYSUAF));
zptr = (sptr = uafptr->UserName) + sizeof(uafptr->UserName)-1;
for (cptr = UserName; *cptr && sptr < zptr; *sptr++ = TOUP(*cptr++));
*sptr = '\0';
uafptr->UserNameLength = sptr - uafptr->UserName;
itmptr = &uafptr->UaiItemList;
itmptr->buf_len = sizeof(uafptr->UaiUic);
itmptr->item = UAI$_UIC;
itmptr->buf_addr = &uafptr->UaiUic;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiOwner)-1;
itmptr->item = UAI$_OWNER;
itmptr->buf_addr = &uafptr->UaiOwner;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiExpTime64);
itmptr->item = UAI$_EXPIRATION;
itmptr->buf_addr = &uafptr->UaiExpTime64;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPwdDateTime64);
itmptr->item = UAI$_PWD_DATE;
itmptr->buf_addr = &uafptr->UaiPwdDateTime64;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPwd2DateTime64);
itmptr->item = UAI$_PWD2_DATE;
itmptr->buf_addr = &uafptr->UaiPwd2DateTime64;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPwdLifeTime64);
itmptr->item = UAI$_PWD_LIFETIME;
itmptr->buf_addr = &uafptr->UaiPwdLifeTime64;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiFlags);
itmptr->item = UAI$_FLAGS;
itmptr->buf_addr = &uafptr->UaiFlags;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPriv);
itmptr->item = UAI$_PRIV;
itmptr->buf_addr = &uafptr->UaiPriv;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPwd);
itmptr->item = UAI$_PWD;
itmptr->buf_addr = &uafptr->UaiPwd;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiPwd2);
itmptr->item = UAI$_PWD2;
itmptr->buf_addr = &uafptr->UaiPwd2;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiEncrypt);
itmptr->item = UAI$_ENCRYPT;
itmptr->buf_addr = &uafptr->UaiEncrypt;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(uafptr->UaiSalt);
itmptr->item = UAI$_SALT;
itmptr->buf_addr = &uafptr->UaiSalt;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = sizeof(unsigned long);
itmptr->item = UAI$_PRIMEDAYS;
itmptr->buf_addr = &uafptr->UaiPrimeDays;
itmptr->ret_len = 0;
itmptr++;
if (!(cptr = rqptr->rqAuth.PathParameterPtr)) cptr = "";
while (*cptr && (TOLO(*cptr) != 'l' || !strsame(cptr,"logon=",6))) cptr++;
if (*cptr)
{
/* same set of parameters as used by AuthAcmeVerifyUser() */
if (strsame (cptr, "logon=NETWORK", 13))
{
LogonType = AUTH_LOGON_TYPE_NETWORK;
AccessP = UAI$_NETWORK_ACCESS_P;
AccessS = UAI$_NETWORK_ACCESS_S;
}
else
if (strsame (cptr, "logon=BATCH", 11))
{
LogonType = AUTH_LOGON_TYPE_BATCH;
AccessP = UAI$_BATCH_ACCESS_P;
AccessS = UAI$_BATCH_ACCESS_S;
}
else
if (strsame (cptr, "logon=LOCAL", 11))
{
LogonType = AUTH_LOGON_TYPE_LOCAL;
AccessP = UAI$_LOCAL_ACCESS_P;
AccessS = UAI$_LOCAL_ACCESS_S;
}
else
if (strsame (cptr, "logon=DIALUP", 12))
{
LogonType = AUTH_LOGON_TYPE_DIALUP;
AccessP = UAI$_DIALUP_ACCESS_P;
AccessS = UAI$_DIALUP_ACCESS_S;
}
else
if (strsame (cptr, "logon=REMOTE", 12))
{
LogonType = AUTH_LOGON_TYPE_REMOTE;
AccessP = UAI$_REMOTE_ACCESS_P;
AccessS = UAI$_REMOTE_ACCESS_S;
}
else
if (strsame (cptr, "logon=", 6))
{
AccessP = AccessS = LogonType = 0;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"unknown LOGON TYPE \"!AZ\"", cptr);
}
}
else
if (Config.cfAuth.SysUafLogonType)
{
switch (LogonType = Config.cfAuth.SysUafLogonType)
{
case AUTH_LOGON_TYPE_NETWORK :
AccessP = UAI$_NETWORK_ACCESS_P;
AccessS = UAI$_NETWORK_ACCESS_S;
break;
case AUTH_LOGON_TYPE_BATCH :
AccessP = UAI$_BATCH_ACCESS_P;
AccessS = UAI$_BATCH_ACCESS_S;
break;
case AUTH_LOGON_TYPE_LOCAL :
AccessP = UAI$_LOCAL_ACCESS_P;
AccessS = UAI$_LOCAL_ACCESS_S;
break;
case AUTH_LOGON_TYPE_DIALUP :
AccessP = UAI$_DIALUP_ACCESS_P;
AccessS = UAI$_DIALUP_ACCESS_S;
break;
case AUTH_LOGON_TYPE_REMOTE :
AccessP = UAI$_REMOTE_ACCESS_P;
AccessS = UAI$_REMOTE_ACCESS_S;
break;
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
}
else
{
LogonType = AUTH_LOGON_TYPE_NETWORK;
AccessP = UAI$_NETWORK_ACCESS_P;
AccessS = UAI$_NETWORK_ACCESS_S;
}
rqptr->rqAuth.SysUafLogonType = LogonType;
itmptr->buf_len = 3;
itmptr->item = AccessP;
itmptr->buf_addr = &uafptr->UaiAccessP;
itmptr->ret_len = 0;
itmptr++;
itmptr->buf_len = 3;
itmptr->item = AccessS;
itmptr->buf_addr = &uafptr->UaiAccessS;
itmptr->ret_len = 0;
itmptr++;
memset (itmptr, 0, sizeof(VMS_ITEM_LIST3));
UserNameDsc.dsc$a_pointer = uafptr->UserName;
UserNameDsc.dsc$w_length = uafptr->UserNameLength;
/* turn on SYSPRV to allow access to SYSUAF records */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$getuai (0, &Context, &UserNameDsc, &uafptr->UaiItemList,
0, 0, 0);
sys$setprv (0, &SysPrvMask, 0, 0);
if (VMSnok (status))
{
if (status == RMS$_RNF)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF username");
return (AUTH_DENIED_BY_LOGIN);
}
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_DATABASE_VMS);
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
/* eliminate the counted string, strip trailing spaces */
uafptr->UaiOwner[32] = '\0';
for (cptr = (sptr = uafptr->UaiOwner) + 1; *cptr; *sptr++ = *cptr++);
*sptr = '\0';
if (sptr > uafptr->UaiOwner) sptr--;
while (sptr > uafptr->UaiOwner && isspace(*sptr)) sptr--;
if (!isspace(*sptr)) sptr++;
*sptr = '\0';
if (WATCHING (rqptr, WATCH_AUTH))
{
qptr1 = &uafptr->UaiPwd;
qptr2 = &uafptr->UaiPwd2;
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"GETUAI \"!AZ\" !&S", uafptr->UserName, status);
if (VMSok (status))
WatchDataFormatted (
"expire:!&D pwd:!&D(!8XL!8XL) pwd2:!&D(!8XL!8XL) life:!&D\n\
flags:!8XL priv:<63-32>!8XL<31-00>!8XL\n\
logon:!AZ prime:!8XL primary:!6XL secondary:!6XL\n",
&uafptr->UaiExpTime64,
&uafptr->UaiPwdDateTime64,
qptr1[1], qptr1[0],
&uafptr->UaiPwd2DateTime64,
qptr2[1], qptr2[0],
&uafptr->UaiPwdLifeTime64,
&uafptr->UaiFlags,
uafptr->UaiPriv[1], uafptr->UaiPriv[0],
AuthSysUafLogonType(LogonType),
uafptr->UaiPrimeDays,
uafptr->UaiAccessP, uafptr->UaiAccessS);
}
return (status);
}
/*****************************************************************************/
/*
Verify the request username/password hash against the SYSUAF password. Check
if the primary password has expired and if it has the redirect to a configured
'change password' URL or deny access.
*/
int AuthVmsVerifyPassword (REQUEST_STRUCT* rqptr)
{
static char Password [AUTH_MAX_PASSWORD_LENGTH+1];
static $DESCRIPTOR (PasswordDsc, Password);
static $DESCRIPTOR (UserNameDsc, "");
int status;
char *cptr, *sptr, *zptr;
AUTH_SYSUAF *uafptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthVmsVerifyPassword() !&Z pwdmix:!&B",
rqptr->rqAuth.SysUafDataPtr->UserName,
rqptr->rqAuth.SysUafDataPtr->UaiFlags & UAI$M_PWDMIX);
if (!(uafptr = rqptr->rqAuth.SysUafDataPtr))
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
/* flag that case-less username and password checks were performed */
rqptr->rqAuth.CaseLess = true;
UserNameDsc.dsc$a_pointer = uafptr->UserName;
UserNameDsc.dsc$w_length = uafptr->UserNameLength;
zptr = (sptr = Password) + sizeof(Password)-1;
if (uafptr->UaiFlags & UAI$M_PWDMIX)
{
/* 7.3-2 mixed-case plus printable char passwords */
for (cptr = rqptr->RemoteUserPassword;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
}
else
{
/* to uppercase! */
for (cptr = rqptr->RemoteUserPassword;
*cptr && sptr < zptr;
*sptr++ = TOUP(*cptr++));
}
*sptr = '\0';
PasswordDsc.dsc$w_length = sptr - Password;
status = sys$hash_password (&PasswordDsc, uafptr->UaiEncrypt,
uafptr->UaiSalt, &UserNameDsc,
&uafptr->HashedPwd);
if (VMSnok (status))
{
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_USER);
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
if (uafptr->HashedPwd != uafptr->UaiPwd)
{
if (!AuthSysUafPromiscuous)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF password");
return (AUTH_DENIED_BY_LOGIN);
}
}
/* assumes flag has been set by a prior call to AuthVmsVerifyUser() */
if (rqptr->rqAuth.SysUafPwdExpired)
{
/* password has expired */
if (!strsame (rqptr->rqHeader.RequestUriPtr,
INTERNAL_PASSWORD_CHANGE,
sizeof(INTERNAL_PASSWORD_CHANGE)-1))
{
/* and not in the process of changing it */
if (rqptr->rqPathSet.AuthSysUafPwdExpUrlPtr)
cptr = rqptr->rqPathSet.AuthSysUafPwdExpUrlPtr;
else
if (Config.cfAuth.SysUafPwdExpUrl[0])
cptr = Config.cfAuth.SysUafPwdExpUrl;
else
cptr = NULL;
if (cptr)
{
/* expired password URL is configured */
if (!strsame (rqptr->rqHeader.RequestUriPtr, cptr, -1))
{
/* request URI doesn't match it though, so redirect */
ResponseLocation (rqptr, cptr, -1);
status = AUTH_DENIED_BY_REDIRECT;
}
}
else
{
/* is not configured */
status = AUTH_DENIED_BY_LOGIN;
}
}
}
return (status);
}
/*****************************************************************************/
/*
Verify the SYSUAF-authenticated request username conforms to other SYSUAF
requirements, such as password not expired, rights identifier authentication
control, etc. Assumes the username/password has already, or will be, validated
against the SYSUAF in some manner, either directly as occurs here in AUTHVMS.C
or via the ACME as occurs in AUTHACME.C. Some things checked during ACME
authentication (such as password expiry, prime and secondary days) are redone
here. This function additionally checks for privleged accounts and rights
identifier requirements. I do not intend to further granulate this
functionality and so any redundancy will be lived with.
Returns a success status if user password authenticated,
AUTH_DENIED_BY_LOGIN if not authenticated, or other error status if a
genuine VMS error occurs (which should be reported where and when it occurs).
*/
int AuthVmsVerifyUser (REQUEST_STRUCT* rqptr)
{
/* UAI flags that disallow an identifier-controlled account access */
static unsigned long DisallowFlags =
UAI$M_DISACNT | UAI$M_PWD_EXPIRED | UAI$M_PWD2_EXPIRED;
/* UAI flags that disallow SYSUAF-controlled account access */
static unsigned long DisallowVmsFlags =
UAI$M_DISACNT | UAI$M_PWD_EXPIRED | UAI$M_PWD2_EXPIRED |
UAI$M_CAPTIVE | UAI$M_RESTRICTED;
static $DESCRIPTOR (UserNameDsc, "");
static unsigned long Context = -1;
BOOL AlreadyLocked;
int status,
LockStatus;
int64 PwdExpTime64;
char *cptr, *sptr, *zptr;
AUTH_CREC *acrptr;
AUTH_SYSUAF *uafptr;
VMS_ITEM_LIST3 *itmptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthVmsVerifyUser() !&Z",
rqptr->rqAuth.SysUafDataPtr->UserName);
if (!(AlreadyLocked = InstanceMutexHeld[INSTANCE_MUTEX_AUTH_CACHE]))
InstanceMutexLock (INSTANCE_MUTEX_AUTH_CACHE);
status = AuthCacheFindRecord (rqptr->rqAuth.CacheSearchRecordPtr, &acrptr);
if (VMSnok (status))
{
/* something has happened to the cache record in the meantime! */
if (AlreadyLocked) return (AUTH_DENIED_BY_OTHER);
InstanceMutexUnLock (INSTANCE_MUTEX_AUTH_CACHE);
return (AUTH_DENIED_BY_OTHER);
}
if (!AlreadyLocked) InstanceMutexUnLock (INSTANCE_MUTEX_AUTH_CACHE);
if (!(uafptr = rqptr->rqAuth.SysUafDataPtr))
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
/* copy these data to the authorization cache record */
acrptr->UaiPrimeDays = uafptr->UaiPrimeDays;
acrptr->UaiAccessP = uafptr->UaiAccessP;
acrptr->UaiAccessS = uafptr->UaiAccessS;
/*******************************/
/* check flags and expirations */
/*******************************/
/* automatically disallow if any of these flags are set! */
if ((AuthPolicySysUafIdentifiers ||
AuthPolicySysUafWasdIdentifiers ||
AuthPolicySysUafRelaxed) &&
(uafptr->UaiFlags & DisallowFlags))
{
if (WATCHING (rqptr, WATCH_AUTH))
{
if (uafptr->UaiFlags & UAI$M_DISACNT)
cptr = "DISACNT";
else
if (uafptr->UaiFlags & UAI$M_PWD_EXPIRED)
cptr = "PWD_EXPIRED";
else
if (uafptr->UaiFlags & UAI$M_PWD2_EXPIRED)
cptr = "PWD2_EXPIRED";
else
cptr = "?";
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF flag:!AZ", cptr);
}
return (AUTH_DENIED_BY_LOGIN);
}
/* automatically disallow if any of these flags are set! */
if (((AuthPolicySysUafVms && !AuthPolicySysUafRelaxed) ||
(!AuthPolicySysUafIdentifiers && !AuthPolicySysUafRelaxed)) &&
(uafptr->UaiFlags & DisallowVmsFlags))
{
if (WATCHING (rqptr, WATCH_AUTH))
{
if (uafptr->UaiFlags & UAI$M_DISACNT)
cptr = "DISACNT";
else
if (uafptr->UaiFlags & UAI$M_PWD_EXPIRED)
cptr = "PWD_EXPIRED";
else
if (uafptr->UaiFlags & UAI$M_PWD2_EXPIRED)
cptr = "PWD2_EXPIRED";
else
if (uafptr->UaiFlags & UAI$M_CAPTIVE)
cptr = "CAPTIVE";
else
if (uafptr->UaiFlags & UAI$M_RESTRICTED)
cptr = "RESTRICTED";
else
cptr = "?";
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF flag:!AZ", cptr);
}
return (AUTH_DENIED_BY_LOGIN);
}
if (uafptr->UaiExpTime64)
{
/* check account expiration */
if (uafptr->UaiExpTime64 < HttpdTime64)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL SYSUAF account expired");
return (AUTH_DENIED_BY_LOGIN);
}
}
rqptr->rqAuth.SysUafPwdExpired = false;
if (!Config.cfAuth.SysUafAcceptExpPwd &&
uafptr->UaiPwdDateTime64 == DELTA64_ZERO)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF pwd pre-expired");
rqptr->rqAuth.SysUafPwdExpired = true;
}
else
if (!Config.cfAuth.SysUafAcceptExpPwd &&
uafptr->UaiPwdDateTime64 &&
uafptr->UaiPwdLifeTime64)
{
/* check password expiration */
PwdExpTime64 = uafptr->UaiPwdDateTime64 + uafptr->UaiPwdLifeTime64;
if (PwdExpTime64 > HttpdTime64)
{
rqptr->rqAuth.NoCache = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF pwd expired");
/* only after the password is confirmed OK *then* do any redirect */
rqptr->rqAuth.SysUafPwdExpired = true;
}
}
if (uafptr->UaiPwd2)
{
/* the secondary password has been set */
if (!Config.cfAuth.SysUafAcceptExpPwd &&
uafptr->UaiPwd2DateTime64 == DELTA64_ZERO)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL SYSUAF pwd2 pre-expired");
return (AUTH_DENIED_BY_LOGIN);
}
else
if (!Config.cfAuth.SysUafAcceptExpPwd &&
uafptr->UaiPwd2DateTime64 &&
uafptr->UaiPwdLifeTime64)
{
/* check password 2 expiration */
PwdExpTime64 = uafptr->UaiPwd2DateTime64 + uafptr->UaiPwdLifeTime64;
if (PwdExpTime64 > HttpdTime64)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL SYSUAF pwd2 expired");
return (AUTH_DENIED_BY_LOGIN);
}
}
}
/*******************************/
/* identifier/privilege checks */
/*******************************/
if (AuthPolicySysUafIdentifiers)
{
/* check SYSUAF-authenticated account holds the correct identifier */
if (VMSnok (status = AuthVmsLoadIdentifiers (rqptr, uafptr->UaiUic)))
return (status);
if (VMSnok (status = AuthVmsCheckIdentifier (rqptr)))
return (status);
}
if (!AuthPolicySysUafRelaxed &&
rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS &&
(uafptr->UaiPriv[0] & PRV$M_SYSPRV))
{
/* not allowing all accounts, exclude those with extended privileges */
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "FAIL SYSUAF privileges");
return (AUTH_DENIED_BY_LOGIN);
}
rqptr->rqAuth.UserDetailsLength = strlen(uafptr->UaiOwner);
rqptr->rqAuth.UserDetailsPtr = cptr =
VmGetHeap (rqptr, rqptr->rqAuth.UserDetailsLength+1);
strcpy (cptr, uafptr->UaiOwner);
return (SS$_NORMAL);
}
/****************************************************************************/
/*
SYSUAF authentication is being controlled by possession of an identifier ...
got the identifier you can be SYSUAF-authenticated, haven't then you cant! See
description at beginning of module. Returns normal status if account possesses
suitable identifier, AUTH_DENIED_BY_LOGIN if it doesn't, or error status.
*/
AuthVmsCheckIdentifier (REQUEST_STRUCT *rqptr)
{
BOOL HoldsRealmId,
HoldsWasdReadId,
HoldsWasdWriteId;
unsigned long ThisId;
unsigned long *idptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthVmsCheckIdentifier()");
if (!rqptr->rqAuth.VmsIdentifiersPtr)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
HoldsRealmId = HoldsWasdReadId = HoldsWasdWriteId = false;
for (idptr = rqptr->rqAuth.VmsIdentifiersPtr; ThisId = *idptr; idptr++)
{
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"ID %X!8XL !%I", ThisId, ThisId);
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID &&
ThisId == rqptr->rqAuth.RealmVmsIdentifier)
{
HoldsRealmId = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", rqptr->rqAuth.RealmPtr);
continue;
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID)
{
if (ThisId == AuthWasdReadVmsIdentifier)
{
HoldsWasdReadId = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_WASD_READ_VMS_ID);
continue;
}
if (ThisId == AuthWasdWriteVmsIdentifier)
{
HoldsWasdWriteId = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_WASD_WRITE_VMS_ID);
continue;
}
}
if (ThisId == AuthHttpsOnlyVmsIdentifier)
{
/* account is only allowed to authenticate via SSL */
rqptr->rqAuth.HttpsOnly = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_HTTPS_ONLY_VMS_ID);
continue;
}
if (ThisId == AuthNilAccessVmsIdentifier)
{
/* account may always authenticate even if hours seem to prohibit */
rqptr->rqAuth.SysUafNilAccess = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_NIL_ACCESS_VMS_ID);
continue;
}
if (ThisId == AuthPasswordChangeVmsIdentifier)
{
/* account is allowed to change it's password via the server */
rqptr->rqAuth.SysUafCanChangePwd = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_PASSWORD_CHANGE_VMS_ID);
continue;
}
if (ThisId == AuthWasdHttpsVmsIdentifier)
{
/* account is only allowed to authenticate via SSL */
rqptr->rqAuth.HttpsOnly = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_WASD_HTTPS_VMS_ID);
continue;
}
if (ThisId == AuthWasdPwdVmsIdentifier)
{
/* account is allowed to change it's password via the server */
rqptr->rqAuth.SysUafCanChangePwd = true;
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", AUTH_WASD_PWD_VMS_ID);
continue;
}
}
/************************/
/* check authentication */
/************************/
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID &&
!HoldsRealmId)
{
/* authentication is by local identifier ... and doesn't have it */
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL SYSUAF access identifier");
return (AUTH_DENIED_BY_LOGIN);
}
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID &&
!HoldsWasdWriteId &&
!HoldsWasdReadId)
{
/* authentication only with WASD identifier .. and doesn't have it */
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"FAIL SYSUAF access identifier");
return (AUTH_DENIED_BY_LOGIN);
}
return (SS$_NORMAL);
}
/****************************************************************************/
/*
Allocate dynamic memory to contain a zero-terminated vector of rights
identifiers held by the specified UIC. Read those identifiers. Restart if
insufficient space, increasing buffer space by a factor of two, until the
number of identifiers becomes rediculous.
*/
AuthVmsLoadIdentifiers
(
REQUEST_STRUCT *rqptr,
unsigned long UaiUic
)
{
static struct {
unsigned long Uic;
unsigned long Unused;
} Holder = { 0, 0 };
int status,
idcnt,
idalloc;
unsigned long Ctx,
ThisId;
unsigned long *idptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "AuthVmsLoadIdentifiers()");
/* if already loaded then just continue */
if (rqptr->rqAuth.VmsIdentifiersPtr) return (SS$_NORMAL);
idalloc = AUTH_MIN_VMS_IDENTIFIERS;
while (idalloc < AUTH_MAX_VMS_IDENTIFIERS)
{
/* plus one longword as a sentinal (will contain zero) */
rqptr->rqAuth.VmsIdentifiersPtr = idptr =
VmGetHeap (rqptr, (idalloc+1)*sizeof(unsigned long));
Holder.Uic = UaiUic;
rqptr->rqAuth.VmsIdentifiersCount = 0;
idcnt = idalloc;
/* turn on SYSPRV to allow this to be done */
sys$setprv (1, &SysPrvMask, 0, 0);
Ctx = 0;
while (VMSok (status = sys$find_held (&Holder, &ThisId, 0, &Ctx)))
{
if (--idcnt)
{
*idptr++ = ThisId;
rqptr->rqAuth.VmsIdentifiersCount++;
continue;
}
status = SS$_BUFFEROVF;
VmFreeFromHeap (rqptr, rqptr->rqAuth.VmsIdentifiersPtr, FI_LI);
idptr = NULL;
idalloc *= 2;
sys$finish_rdb (&Ctx);
break;
}
/* sentinal (not really necessary, but let's be over-cautious) */
if (idptr) *idptr = 0;
sys$setprv (0, &SysPrvMask, 0, 0);
/* if we got to the end of the identifiers without mishap */
if (status == SS$_NOSUCHID) return (SS$_NORMAL);
}
/*********/
/* error */
/*********/
sys$finish_rdb (&Ctx);
rqptr->rqAuth.VmsIdentifiersPtr = NULL;
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_DATABASE_VMS);
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
/****************************************************************************/
/*
Look through the request's array of a VMS authenticated user's identifiers for
the specified one. Return zero to indicate the identifier was not held, normal
to indicate it was, or any other error status.
*/
int AuthVmsHoldsIdentifier
(
REQUEST_STRUCT *rqptr,
char *IdentifierName,
unsigned long ThisId
)
{
unsigned long *idptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthVmsHoldsIdentifier() !&Z !&X", IdentifierName, ThisId);
/* if not already loaded via SYSUAF authentication then really an error */
if (!rqptr->rqAuth.VmsIdentifiersPtr)
{
/* has NOT been authenticated via the SYSUAF (shouldn't happen!) */
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"IDENTIFIER request not SYSUAF authenticated");
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_NOLI);
return (SS$_ABORT);
}
if (!ThisId) return (false);
for (idptr = rqptr->rqAuth.VmsIdentifiersPtr;
*idptr && *idptr != ThisId;
idptr++)
{
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"ID !&S !%I", *idptr, *idptr);
}
if (*idptr)
{
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"HOLDS identifier !AZ", IdentifierName);
return (SS$_NORMAL);
}
return (0);
}
/****************************************************************************/
/*
*/
AuthVmsHoldsWasdGroupIdent
(
REQUEST_STRUCT *rqptr,
char *GroupName
)
{
static char GroupIdName [AUTH_MAX_REALM_GROUP_LENGTH+1] =
AUTH_WASD__GROUP_VMS_ID;
static $DESCRIPTOR (GroupIdNameDsc, GroupIdName);
int status;
unsigned long ThisId;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthVmsHoldsWasdGroupIdent() !&Z", GroupName);
zptr = (sptr = GroupIdName) + sizeof(GroupIdName);
for (cptr = GroupName; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr >= zptr)
{
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_GENERAL_OVERFLOW), FI_LI);
return (SS$_ABORT);
}
*sptr = '\0';
GroupIdNameDsc.dsc$w_length = sptr - GroupIdName;
if (VMSnok (status = sys$asctoid (&GroupIdNameDsc, &ThisId, 0)))
{
rqptr->rqResponse.ErrorTextPtr = GroupIdName;
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
return (AuthVmsHoldsIdentifier (rqptr, GroupIdName, ThisId));
}
/*****************************************************************************/
/*
Using sys$create_user_profile() create a permanent security profile of the
SYSUAF-authenticated user name. This will be stored in the cache and attached
to the request structure each time the user is re-authenticated from it. This
profile will be used to check file/directory (see AuthAccessReadCheck())
access permission against the authenticated user not the server account.
*/
int AuthVmsCreateUserProfile (REQUEST_STRUCT* rqptr)
{
static unsigned long Context = -1;
static unsigned char *UserProfilePtr;
static $DESCRIPTOR (UserNameDsc, "");
int status;
unsigned int UserProfileLength;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthVmsCreateUserProfile() !&Z", rqptr->RemoteUser);
if (!UserProfilePtr) UserProfilePtr = VmGet (AUTH_CREATE_USER_PROFILE_SIZE);
UserProfileLength = AUTH_CREATE_USER_PROFILE_SIZE;
rqptr->rqAuth.VmsUserProfilePtr = NULL;
rqptr->rqAuth.VmsUserProfileLength = 0;
UserNameDsc.dsc$a_pointer = rqptr->RemoteUser;
UserNameDsc.dsc$w_length = rqptr->RemoteUserLength;
/* turn on SYSPRV to allow this to be done */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$create_user_profile (&UserNameDsc, 0, 0, UserProfilePtr,
&UserProfileLength, &Context);
sys$setprv (0, &SysPrvMask, 0, 0);
if (VMSnok (status))
{
rqptr->rqResponse.ErrorTextPtr = "sys$create_user_profile()";
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
{
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH, "PROFILE !&Z !UL",
rqptr->RemoteUser, UserProfileLength);
WatchDataDump (UserProfilePtr, UserProfileLength);
}
rqptr->rqAuth.VmsUserProfilePtr =
VmGetHeap (rqptr, rqptr->rqAuth.VmsUserProfileLength = UserProfileLength);
memcpy (rqptr->rqAuth.VmsUserProfilePtr, UserProfilePtr, UserProfileLength);
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Using sys$create_user_profile() create a permanent security profile of the
HTTPd server account. Returns no status, exits server if error encountered.
*/
AuthVmsCreateHttpdProfile ()
{
static unsigned long Flags = 0;
int status;
char HttpdUserProfile [512];
$DESCRIPTOR (HttpdUserNameDsc, "");
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH, "AuthVmsCreateHttpdProfile()");
if (HttpdUserProfileLength) return;
HttpdUserNameDsc.dsc$a_pointer = HttpdProcess.UserName;
HttpdUserNameDsc.dsc$w_length = strlen(HttpdProcess.UserName);
status = sys$create_user_profile (&HttpdUserNameDsc, 0, Flags,
HttpdUserProfile,
&HttpdUserProfileLength, 0);
if (VMSnok (status))
ErrorExitVmsStatus (status, "sys$create_user_profile()", FI_LI);
if (WATCH_MODULE(WATCH_MOD_AUTH))
{
WatchThis (WATCHALL, WATCH_MOD_AUTH, "PROFILE !&Z !UL",
HttpdProcess.UserName, HttpdUserProfileLength);
WatchDataDump (HttpdUserProfile, HttpdUserProfileLength);
}
HttpdUserProfilePtr = VmGet (HttpdUserProfileLength);
memcpy (HttpdUserProfilePtr, HttpdUserProfile, HttpdUserProfileLength);
HttpdUserProfileDsc.dsc$a_pointer = HttpdUserProfilePtr;
HttpdUserProfileDsc.dsc$w_length = HttpdUserProfileLength;
}
/*****************************************************************************/
/*
Change the specified username's ('rqptr->RemoteUser') password in the SYSUAF.
It assumes the calling routine HTAdminChangePassword() has performed required
preliminary sanity checks. This function is just to perform the change.
*/
AuthVmsChangePassword
(
REQUEST_STRUCT *rqptr,
char *PasswordNew
)
{
static unsigned long Context = -1;
static unsigned long UaiPriv [2],
HashedPwd [2],
UaiPwd [2];
static unsigned short UaiSalt;
static unsigned char UaiEncrypt;
static char PasswordBuffer [AUTH_MAX_PASSWORD_LENGTH+1],
UserNameBuffer [AUTH_MAX_USERNAME_LENGTH+1];
static VMS_ITEM_LIST3 GetItems [] =
{
{ sizeof(UaiPwd), UAI$_PWD, &UaiPwd, 0 },
{ sizeof(UaiEncrypt), UAI$_ENCRYPT, &UaiEncrypt, 0 },
{ sizeof(UaiSalt), UAI$_SALT, &UaiSalt, 0 },
{ 0, 0, 0, 0 }
};
static VMS_ITEM_LIST3 SetItems [] =
{
{ sizeof(HashedPwd), UAI$_PWD, &HashedPwd, 0 },
{ 0, 0, 0, 0 }
};
static $DESCRIPTOR (UserNameDsc, UserNameBuffer);
static $DESCRIPTOR (PasswordDsc, PasswordBuffer);
BOOL AccessAllowed;
int status;
char *cptr, *sptr, *zptr;
AUTH_SYSUAF *uafptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHALL, WATCH_MOD_AUTH, "AuthVmsChangePassword()");
if (WATCHING (rqptr, WATCH_RESPONSE))
WatchThis (WATCHITM(rqptr), WATCH_RESPONSE, "CHANGE SYSUAF password");
if (!AuthSysUafEnabled)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
if (!(uafptr = rqptr->rqAuth.SysUafDataPtr))
{
if (VMSnok (status = AuthVmsGetUai (rqptr, rqptr->RemoteUser)))
ErrorExitVmsStatus (status, ErrorSanityCheck, FI_LI);
if (!(uafptr = rqptr->rqAuth.SysUafDataPtr))
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
if (AuthPolicySysUafRelaxed)
AccessAllowed = true;
else
{
if ((rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS &&
!rqptr->rqAuth.SourceGroupWrite) ||
(rqptr->rqAuth.SourceRealm == AUTH_SOURCE_VMS &&
rqptr->rqAuth.SourceGroupWrite == AUTH_SOURCE_ID) ||
(rqptr->rqAuth.SourceRealm == AUTH_SOURCE_ID &&
rqptr->rqAuth.SourceGroupWrite == AUTH_SOURCE_ID))
AccessAllowed = true;
else
if (rqptr->rqAuth.SourceRealm == AUTH_SOURCE_WASD_ID &&
rqptr->rqAuth.SysUafCanChangePwd)
AccessAllowed = true;
else
AccessAllowed = false;
}
if (!AccessAllowed)
{
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_ACCESS_DENIED), FI_LI);
HTAdminChangePasswordEnd (rqptr);
return;
}
/* yet more checking! */
zptr = (sptr = PasswordBuffer) + sizeof(PasswordBuffer)-1;
cptr = PasswordNew;
if (uafptr->UaiFlags & UAI$M_PWDMIX)
{
/* 7.3-2 mixed-case plus printable char passwords */
while (*cptr && sptr < zptr)
{
if (!isprint(*cptr) || *cptr == '\"') break;
*sptr++ = *cptr++;
}
}
else
{
/* all upper-case alphanumeric plus dollar and underscore only */
while (*cptr && sptr < zptr)
{
if (!(isalnum(*cptr) || *cptr == '_' || *cptr == '$')) break;
*sptr++ = TOUP(*cptr++);
}
}
if (*cptr)
{
/* unacceptable character present */
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_HTADMIN_PWD_ERROR), FI_LI);
HTAdminChangePasswordEnd (rqptr);
return;
}
*sptr = '\0';
PasswordDsc.dsc$w_length = sptr - PasswordBuffer;
zptr = (sptr = UserNameBuffer) + sizeof(UserNameBuffer)-1;
for (cptr = rqptr->RemoteUser;
*cptr && sptr < zptr;
*sptr++ = TOUP(*cptr++));
*sptr = '\0';
UserNameDsc.dsc$w_length = sptr - UserNameBuffer;
/* turn on SYSPRV to allow access to SYSUAF records */
sys$setprv (1, &SysPrvMask, 0, 0);
UserNameDsc.dsc$w_length = rqptr->RemoteUserLength;
status = sys$getuai (0, &Context, &UserNameDsc, &GetItems, 0, 0, 0);
sys$setprv (0, &SysPrvMask, 0, 0);
if (VMSnok (status))
{
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_USER);
ErrorVmsStatus (rqptr, status, FI_LI);
HTAdminChangePasswordEnd (rqptr);
return;
}
status = sys$hash_password (&PasswordDsc, UaiEncrypt,
UaiSalt, &UserNameDsc, &HashedPwd);
if (VMSnok (status))
{
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_USER);
ErrorVmsStatus (rqptr, status, FI_LI);
HTAdminChangePasswordEnd (rqptr);
return;
}
/* turn on SYSPRV to allow access to SYSUAF records */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$setuai (0, 0, &UserNameDsc, &SetItems, 0, 0, 0);
sys$setprv (0, &SysPrvMask, 0, 0);
if (VMSnok (status))
{
rqptr->rqResponse.ErrorTextPtr = MsgFor(rqptr,MSG_AUTH_USER);
ErrorVmsStatus (rqptr, status, FI_LI);
HTAdminChangePasswordEnd (rqptr);
return;
}
HTAdminChangePasswordEnd (rqptr);
}
/*****************************************************************************/