Index: /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/bin/backend/Makefile (working copy) @@ -165,7 +165,7 @@ -lnfnetlink -lnetfilter_conntrack \ -lpciaccess \ -lpam -lpam_misc \ - -lcrypt -lldap -llber -lkvm -lfetch -lmemstat -lutil -lradius -ltacplus -lgeom -lstdc++ -rdynamic + -lcrypt -lldap -llber -lssl -lcrypto -lkvm -lfetch -lmemstat -lutil -lradius -ltacplus -lgeom -lstdc++ -rdynamic BINMODE=4555 Index: /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/bin/openssh/array_patch (working copy) @@ -796,7 +796,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lldap -lssl -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -L ../../objdir/ -L../../../lib/libexauth -lexauth -L../../../lib/libuinet-atcp/lib/libuinet -luinet_lite -L../../../lib/libuinet-atcp/lib/libuinet_sysctl -luinet_sysctl -L../../../lib/libuinet-atcp/lib/libuinetnv -luinetnv -lrt -lcrypto -L../../../lib/libfastlog -lfastlog + +synconfigd$(EXEEXT): sshd$(EXEEXT) + /bin/cp sshd$(EXEEXT) $@ Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/Makefile (working copy) @@ -13,6 +13,6 @@ .endif LDADD=-L${.OBJDIR}/../../lib/libbsd -lbsd \ - -lmd -lcrypt -lcrypto -lpthread -lldap -llber -lhiredis -lutil + -lmd -lcrypt -lcrypto -lpthread -lldap -llber -lssl -lcrypto -lhiredis -lutil .include Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext.c (working copy) @@ -33,6 +33,9 @@ #include #include #include +#include +#include + #include "auth_ext.h" #include "auth_ext_cli.h" #include "auth_ext_ipc.h" @@ -43,6 +46,9 @@ #define ARRAY_RADIUS_ID 7564 +#define LDAPS_CLIENT_CERT_FILE "/ca/ssl/vhost/ldaps_client_cert.pem" +#define LDAPS_CLIENT_KEY_FILE "/ca/ssl/vhost/ldaps_client_key.pem" +#define LDAPS_ROOTCA_FILE "/ca/ssl/vhost/ldaps_root_cert.pem" /*if really do external authentication*/ int do_exauth = 0; @@ -85,6 +91,10 @@ sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAP); } + if (g_exauth_conf.exau_method == METHOD_LDAPS) { + sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAPS); + } + return 0; } @@ -179,6 +189,10 @@ return external_auth_ldap(username, password); break; + case METHOD_LDAPS: + return external_auth_ldaps(username, password); + break; + default: exau_log("external_auth: no authenticaion method found"); return EXT_AUTH_FAILED; @@ -190,6 +204,159 @@ } int +external_auth_ldaps(char *username, char *password) +{ + /*the return value of ldap response type*/ + int ret_value = EXT_AUTH_FAILED; + int i; + if (username == NULL || password == NULL) { + return EXT_AUTH_FAILED; + } + /*authenticate ldaps servers*/ + for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) { + if (g_exauth_conf.exauth_servers[i].id && + g_exauth_conf.exauth_servers[i].id[0] != '\0') { + ret_value = external_auth_one_ldaps(i, username, password); + if ((ret_value == EXT_AUTH_PASS_CONFIG) || + (ret_value == EXT_AUTH_PASS_ENABLE)) { + break; + } + } + } + return ret_value; +} + +int +external_auth_one_ldaps(int server_num, char *username, char *password) +{ + LDAP *ld; + struct timeval to; + int msgid = 0; + to.tv_sec = 600; + to.tv_usec = 0; + int ret_value = EXT_AUTH_FAILED; + int i = server_num; + LDAPMessage *answer, *entry; + char *attrs[] = {"memberOf", NULL}; + int attrsonly = 0; + int entries_found = 0; + int rc; + + if (username == NULL || password == NULL) { + return EXT_AUTH_FAILED; + } + // Add certificate verification part here + + char ldap_uri[1024]; + + sprintf(ldap_uri,"ldaps://%s:%d",g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port); + // Initialize OpenSSL + SSL_library_init(); + OpenSSL_add_all_algorithms(); + SSL_load_error_strings(); + exau_log("ldap_uri %s\n", ldap_uri); + // Initialize LDAP connection + rc = ldap_initialize(&ld, ldap_uri); + if (rc != LDAP_SUCCESS) { + exau_log("ldap_initialize failed: %s\n", ldap_err2string(rc)); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } + + // Set LDAP options + int version = LDAP_VERSION3; + ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); + + if (g_exauth_conf.exauth_servers[i].insecureSkipVerify) { + exau_log("Skip certificate verification\n"); + // Skip certificate verification + int opt = LDAP_OPT_X_TLS_NEVER; + ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt); + } else { + exau_log("Enable certificate verification\n"); + // Load client certificate and key + rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, LDAPS_CLIENT_CERT_FILE); + if (rc != LDAP_SUCCESS) { + exau_log("Failed to set client certificate: %s\n", ldap_err2string(rc)); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } + rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, LDAPS_CLIENT_KEY_FILE); + if (rc != LDAP_SUCCESS) { + exau_log("Failed to set client key: %s\n", ldap_err2string(rc)); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } + // Load CA certificate + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, LDAPS_ROOTCA_FILE); + if (rc != LDAP_SUCCESS) { + exau_log("Failed to set CA certificate: %s\n", ldap_err2string(rc)); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } + } + + // This is AD bug, if password is blank it allows to login + if (strlen(password) == 0) { + return EXT_AUTH_FAILED; + } + msgid = ldap_simple_bind_s(ld, username, password); + + if ( msgid != LDAP_SUCCESS ) { + exau_log("LDAPS login failed for user %s password %s.\n", username, password); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } else { + exau_log("LDAPS login successful for user %s.\n", username); + ret_value = EXT_AUTH_PASS_CONFIG; + } + + // authorization off then will not do authorization only authentication + if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_OFF){ + exau_log("LDAPS authorization off for user %s.\n", username); + ret_value = EXT_AUTH_PASS_CONFIG; + ldap_unbind(ld); + return ret_value; + } + //authorization block + char search_string[1024]; + if (strstr(username, "@")) { + sprintf(search_string,"\(\&\(userPrincipalName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } else { + sprintf(search_string,"\(\&\(sAMAccountName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf); + } + msgid = ldap_search_s(ld, g_exauth_conf.exauth_servers[i].dn, LDAP_SCOPE_SUBTREE, search_string, + attrs, attrsonly, &answer); + if ( msgid != LDAP_SUCCESS ) { + exau_log("LDAPS search failed for user %s.\n", username); + ldap_unbind_ext_s(ld, NULL, NULL); + return EXT_AUTH_FAILED; + } else { + exau_log("LDAPS search successful for user %s.\n", username); + } + + /* Return the number of objects found during the search */ + entries_found = ldap_count_entries(ld, answer); + if ( entries_found == 0 ) { + exau_log("LDAPS authorization failed for user %s.\n", username); + ret_value = EXT_AUTH_PASS_ENABLE; // if authorization failed then not allow to do any change + } else { + ret_value = EXT_AUTH_PASS_CONFIG; + exau_log("LDAPS authorization success for user %s.\n", username); + } + if (ret_value != EXT_AUTH_PASS_CONFIG) { + ret_value = EXT_AUTH_PASS_ENABLE; + } + ldap_msgfree(answer); + ldap_unbind(ld); + ERR_free_strings(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); + return ret_value; +} + +int external_auth_ldap(char *username, char *password) { /*the return value of ldap response type*/ Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.h (working copy) @@ -25,7 +25,7 @@ #define MEMBEROF_LEN 256 #define SECRET_LEN 129 #define EXAUTH_DEF_METHOD "RADIUS" -#define MAX_EXAU_SERVER_NUM 3 +#define MAX_EXAU_SERVER_NUM 4 #define IP_PRESENTATION_LEN 100 /*ip presentation length*/ #define CLI_EXAUTH_ON "admin aaa on" @@ -34,6 +34,7 @@ #define CLI_EXAUTH_SERVER "admin aaa server" #define CLI_EXAUTHORIZE_ON "admin aaa authorize on" #define CLI_EXAUTHORIZE_OFF "admin aaa authorize off" +#define CLI_LDAPS_SKIPVERIFY "admin aaa server ldaps skipverify" #define CLI_SHOW_EXAUTH_ALL "show admin aaa all" #define CLI_NO_EXAUTH_SERVER "no admin aaa server" #define CLI_CLEAR_EXAUTH_ALL "clear admin aaa all" @@ -41,9 +42,11 @@ #define EXAUTH_SERVER_ID1 "es01" #define EXAUTH_SERVER_ID2 "es02" #define EXAUTH_SERVER_ID3 "es03" +#define EXAUTH_SERVER_ID4 "es04" #define EXAUTH_METHOD_STRING_RADIUS "RADIUS" #define EXAUTH_METHOD_STRING_TAC_X "TAC_X" #define EXAUTH_METHOD_STRING_LDAP "LDAP" +#define EXAUTH_METHOD_STRING_LDAPS "LDAPS" #define EXAUTH_METHOD_STRING_UNKONWN "UNKONWN METHOD" #define EXAUTH_PRIORITY_HIGH 1 @@ -53,10 +56,15 @@ typedef enum exau_method { METHOD_RADIUS, METHOD_TAC_X, - METHOD_LDAP + METHOD_LDAP, + METHOD_LDAPS } enum_exau_method; -/*the structure for radius server*/ +#define false 0 +#define true 1 +typedef int bool; + +/*the structure for servenl authentication server*/ typedef struct exauth_server { char id[5]; char host[HOST_LEN]; @@ -66,6 +74,7 @@ unsigned short max_retry; char dn[DN_LEN]; char memberOf[MEMBEROF_LEN]; + bool insecureSkipVerify; } exauth_server_t; /*the structure wrapper*/ @@ -74,7 +83,7 @@ int external_authorize_on; int ext_auth_priority; enum_exau_method exau_method; - exauth_server_t exauth_servers[3]; + exauth_server_t exauth_servers[4]; } exauth_conf_t; /*turn on external authentication*/ Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libexauth/auth_ext_cli.c (working copy) @@ -22,6 +22,7 @@ #include #include #include +#include #include #include /*for gethostbyname()*/ #include /*for inet_addr() and inet_ntop()*/ @@ -153,9 +154,13 @@ { g_exauth_conf.exau_method = METHOD_LDAP; } + else if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAPS) == 0) + { + g_exauth_conf.exau_method = METHOD_LDAPS; + } else { - printf ("%s | %s | %s \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP); + printf ("%s | %s | %s | %S \n",EXAUTH_METHOD_STRING_RADIUS, EXAUTH_METHOD_STRING_TAC_X, EXAUTH_METHOD_STRING_LDAP, EXAUTH_METHOD_STRING_LDAPS); } /*update conf to shared mem*/ @@ -164,6 +169,64 @@ return 0; } +/*configure an exauth ldaps server*/ +int +exauth_ldaps_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) +{ + int id_num = -1; + char *str_num = NULL, *ep = NULL; + + + if (id == NULL || host == NULL || dn == NULL || memberOf == NULL) + { + return -1; + } + + get_auth_conf(&shm_p, &g_exauth_conf); + /*invalid server id, should be "es01" or "es02"*/ + if (strcmp(id, EXAUTH_SERVER_ID4)) + { + printf ("%s \n", EXAUTH_SERVER_ID4); + return 0; + } + + /*assign id*/ + str_num = id + 3; + id_num = (int)strtol(str_num, &ep,10) - 1; + + if (id_num == 3) + { + strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID4); + } + + /*assign host*/ + strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN); + + /*assign port*/ + g_exauth_conf.exauth_servers[id_num].port = port; + /*assign dn*/ + strncpy(g_exauth_conf.exauth_servers[id_num].dn, dn, DN_LEN); + + /*assign memberOf*/ + strncpy(g_exauth_conf.exauth_servers[id_num].memberOf, memberOf, MEMBEROF_LEN); + + g_exauth_conf.exauth_servers[id_num].max_retry = LDAP_DEF_RETRIES; + /*update conf to shared mem*/ + set_auth_conf(&shm_p, &g_exauth_conf); + return 0; +} + +/*configure disble certificate verification for ldaps*/ +int +ldaps_certificate_skipverify(int flag) +{ + get_auth_conf(&shm_p, &g_exauth_conf); + g_exauth_conf.exauth_servers[3].insecureSkipVerify = flag; + set_auth_conf(&shm_p, &g_exauth_conf); + + return 0; +} + /*configure an exauth ldap server*/ int exauth_ldap_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) @@ -305,9 +368,9 @@ return -1; } - if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3)) + if (strcmp(id, EXAUTH_SERVER_ID1) && strcmp(id, EXAUTH_SERVER_ID2) && strcmp(id, EXAUTH_SERVER_ID3), strcmp(id, EXAUTH_SERVER_ID4)) { - printf ("%s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3); + printf ("%s | %s | %s | %s\n",EXAUTH_SERVER_ID1, EXAUTH_SERVER_ID2, EXAUTH_SERVER_ID3, EXAUTH_SERVER_ID4); return 0; } @@ -329,10 +392,63 @@ return 0; } +int show_ldaps_cert(char *filename) { + FILE *fp; + char *buffer; + long file_size; + size_t bytesRead; + + // Open the certificate file + fp = fopen(filename, "r"); + if (fp == NULL) { + perror("Error opening file"); + return 1; + } + + // Calculate file size + fseek(fp, 0, SEEK_END); + file_size = ftell(fp); + rewind(fp); + + // Allocate memory to store file contents + buffer = (char *)malloc(file_size + 1); // +1 for null terminator + if (buffer == NULL) { + perror("Memory allocation failed"); + fclose(fp); + return 1; + } + + // Read the entire file into the buffer + bytesRead = fread(buffer, 1, file_size, fp); + buffer[bytesRead] = '\0'; // Null-terminate the buffer + + // Print the contents of the certificate file + printf("%s", buffer); + + // Clean up: close file and free allocated memory + fclose(fp); + free(buffer); + + return 0; +} + +static __inline int +ssl_certfile_exists(char *crtfile) +{ + struct stat cstat; + + bzero(&cstat, sizeof(cstat)); + if(stat(crtfile, &cstat) == 0 && S_ISREG(cstat.st_mode) && cstat.st_size > 0) { + return 1; + } + return 0; +} + /*display exauth configurations*/ int show_exauth_all(void) { + int i; get_auth_conf(&shm_p, &g_exauth_conf); @@ -367,6 +483,10 @@ case METHOD_LDAP: printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); break; + case METHOD_LDAPS: + printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAPS); + printf("%s %d\n", CLI_LDAPS_SKIPVERIFY, g_exauth_conf.exauth_servers[i].insecureSkipVerify); + break; default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -387,6 +507,16 @@ g_exauth_conf.exauth_servers[i].dn, g_exauth_conf.exauth_servers[i].memberOf ); + } else if (g_exauth_conf.exau_method == METHOD_LDAPS) { + printf ("%s ldaps settings %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf + ); + } else { printf ("%s radius %s \"%s\" %d \"%s\"\n", CLI_EXAUTH_SERVER, @@ -398,6 +528,22 @@ } } } + char file[1024]; + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_client_cert.pem"); + if (ssl_certfile_exists(file)) { + printf("----- Client Certificate -----\n"); + show_ldaps_cert(file); // calling certificate print + } + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_client_key.pem"); + if (ssl_certfile_exists(file)) { + printf("----- Client Key -----\n"); + show_ldaps_cert(file); // calling certificate print + } + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_root_cert.pem"); + if (ssl_certfile_exists(file)) { + printf("----- Root CA -----\n"); + show_ldaps_cert(file); // calling certificate print + } return 0; } @@ -410,6 +556,21 @@ init_exau_conf(); + char file[1024]; + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_client_cert.pem"); + if (ssl_certfile_exists(file)) { + printf("File not exist %s\n", file); + unlink(file); + } + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_client_key.pem"); + if (ssl_certfile_exists(file)) { + unlink(file); + } + snprintf(file, sizeof(file), "%s", "/ca/ssl/vhost/ldaps_root_cert.pem"); + if (ssl_certfile_exists(file)) { + unlink(file); + } + /*update conf to shared mem*/ set_auth_conf(&shm_p, &g_exauth_conf); @@ -423,7 +584,6 @@ { /*write buffer*/ char *conf_buf = NULL; - /*buffer offset*/ int buf_offset = 0; int i; @@ -443,14 +603,14 @@ * * each cmd line can have maximum LINE_LEN characters */ - conf_buf = (char *)malloc(LINE_LEN * 5); + conf_buf = (char *)malloc(LINE_LEN * 6); if (conf_buf == NULL) { printf("Could not save the admin aaa configuration.\n"); return NULL; } - memset (conf_buf, 0, LINE_LEN * 4); + memset (conf_buf, 0, LINE_LEN * 6); /*show admin aaa on |off*/ if (g_exauth_conf.external_auth_on == EXT_AUTH_ON) @@ -482,6 +642,11 @@ case METHOD_LDAP: buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP); break; + case METHOD_LDAPS: + buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAPS); + buf_offset += sprintf(conf_buf + buf_offset,"%s %d\n", CLI_LDAPS_SKIPVERIFY, + g_exauth_conf.exauth_servers[i].insecureSkipVerify); + break; default: printf ("show %s faild\n", CLI_EXAUTH_METHOD); @@ -498,6 +663,15 @@ CLI_EXAUTH_SERVER, g_exauth_conf.exauth_servers[i].id, g_exauth_conf.exauth_servers[i].host, + g_exauth_conf.exauth_servers[i].port, + g_exauth_conf.exauth_servers[i].dn, + g_exauth_conf.exauth_servers[i].memberOf + ); + } else if (g_exauth_conf.exau_method == METHOD_LDAPS) { + buf_offset += sprintf (conf_buf + buf_offset, "%s ldaps settings %s \"%s\" %d \"%s\" \"%s\"\n", + CLI_EXAUTH_SERVER, + g_exauth_conf.exauth_servers[i].id, + g_exauth_conf.exauth_servers[i].host, g_exauth_conf.exauth_servers[i].port, g_exauth_conf.exauth_servers[i].dn, g_exauth_conf.exauth_servers[i].memberOf Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libparser/commands.pm (working copy) @@ -48705,7 +48705,7 @@ function_name => "exauth_method", function_args => [{ type => "STRING", - help_string => "method name(RADIUS or TAC_X or LDAP, default is RADIUS)", + help_string => "method name(RADIUS or TAC_X or LDAP or LDAPS , default is RADIUS)", optional => "YES", default_value => "\"RADIUS\"", },], @@ -48793,6 +48793,123 @@ }, ], }, + { + obj_type => "MENU", + name => "ldaps", + parent_menu => "root_admin_server_aaa", + uniq_name => "root_admin_ldaps_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "External authentication server configuration", + }, + { + obj_type => "ITEM", + name => "settings", + menu => "root_admin_ldaps_server_aaa", + help_string => "Configure external authentication server", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG", + user_level => "CLI_LEVEL_CONFIG", + function_name => "exauth_ldaps_server", + function_args => [{ + type => "STRING", + help_string => "id, es04(request will be sent to server es04)", + optional => "NO", + }, + { + type => "STRING", + help_string => "Host name or ip address", + optional => "NO", + }, + { + type => "U16", + help_string => "Port", + optional => "NO", + }, + { + type => "STRING", + help_string => "dn (Ex. OU=Eng,dc=example,dc=in)", + optional => "YES", + default_value => "\"\"", + }, + { + type => "STRING", + help_string => "memberOf (Ex. CN=Engineering,DC=example,DC=in)", + optional => "YES", + default_value => "\"\"", + }, + ], + }, + { + obj_type => "ITEM", + name => "skipverify", + menu => "root_admin_ldaps_server_aaa", + help_string => "Turn off certificate verification", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + function_name => "ldaps_certificate_skipverify", + function_args => [ + { + type => "U32", + help_string => "Set 1 to skip certificate verification.(Default = 0)", + optional => "YES", + default_value => 0, + }, + ], + }, + { + obj_type => "ITEM", + name => "clientcert", + menu => "root_admin_ldaps_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "Import PEM client certificate", + function_name => "exauth_ldaps_server_client_cert", + function_args => [ + { + type => "STRING", + name => "url", + help_string => "FTP, TFTP or HTTP URL", + optional => "YES", + default_value => "\"\"", + }, + ], + }, + { + obj_type => "ITEM", + name => "clientkey", + menu => "root_admin_ldaps_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "Import PEM client key", + function_name => "exauth_ldaps_server_client_key", + function_args => [ + { + type => "STRING", + name => "url", + help_string => "FTP, TFTP or HTTP URL", + optional => "YES", + default_value => "\"\"", + }, + ], + }, + { + obj_type => "ITEM", + name => "rootca", + menu => "root_admin_ldaps_server_aaa", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + help_string => "Import CA certificate used for client authentication", + function_name => "exauth_ldaps_server_client_rootca", + function_args => [ + { + type => "STRING", + name => "url", + help_string => "FTP, TFTP or HTTP URL", + optional => "YES", + default_value => "\"\"", + }, + ], + }, { obj_type => "MENU", name => "authorize", Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libpyexauth/pyexauth_build.py (working copy) @@ -33,7 +33,7 @@ """, include_dirs=["../libexauth", "../libpyauth"], library_dirs=tmp_library_dirs, - libraries=["ldap", "exauth", "fastlog", "bsd", "ssl", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) + libraries=["ldap", "lber", "exauth", "fastlog", "bsd", "ssl", "crypto", "pyauth", "crypt", "uinet_sysctl", "uinet_lite", "uinetnv", "rt"]) if __name__ == "__main__": ffi.compile() Index: /branches/rel_apv_10_7_0_sbi/usr/click/lib/libssl_cli/ssl_cli.c =================================================================== --- /branches/rel_apv_10_7_0_sbi/usr/click/lib/libssl_cli/ssl_cli.c (revision 38360) +++ /branches/rel_apv_10_7_0_sbi/usr/click/lib/libssl_cli/ssl_cli.c (working copy) @@ -349,7 +349,6 @@ int fips_ssl_start_vhost_from_running_cfg(); int fips_ssl_start_vhost(int kernelLoginFlag); int fips_ssl_file_exist(char* sPath, char* vhost, char* domainname, int* csr_exist, int* sslConf_exist); - static int fips_init_turn_on_default_policy(Uint32 session_handle, BoardConfiguration *hsmConfig, int defaultLoginPrompt); static int fips_remove_ssl_files(void); static int fips_remove_name_passwd_files(void); @@ -13975,6 +13974,99 @@ return SUCCESS; } +int +ssl_import_ldaps_cert(char *certname, char *url) +{ + char file[MAXPATHLEN]; + char file_tmp[MAXPATHLEN]; + char keypath[MAXPATHLEN]; + /*Bug 23410, chenhb, 20090824*/ + char agree[5]; + int format = 0; + /*Bug 23410, end*/ + int certfd; + int ret = 0; + + if(ssl_feactl_approved(SHOW_NON_INTEL_MSG) != 1){ + return ERR_SSL_NOT_LICENSED; + } + + snprintf(file, sizeof(file), "%s/%s", SSL_DATA_PATH, certname); + + if(file_exists(file) && cli_need_challenge()) { + printf("You may overwrite an existing client certificate file.\nType YES to continue, NO to abort: "); + fflush(stdout); + bzero(agree, sizeof(agree)); + if (read(STDIN_FILENO, agree, 4) <= 0) { + return ERR_SSL_USER_ABORT; + } + + /* Check if the user agrees to overwrite */ + if (strncasecmp(agree, "YES", 3) != 0) { + printf("Aborted client certificate by user\n"); + do { + } while (strchr(agree, '\n') == NULL && !(getchar() == '\n' && getchar() == '\n')); + return ERR_SSL_USER_ABORT; + } + } + + /* Bug 23370, chenyl, 20090810 */ + create_ssl_tmp_dir(); + snprintf(file_tmp, sizeof(file_tmp), "%s/%s", SSL_TMP_DIR, certname); /*Bug 23410, chenhb, 20090824*/ + /* Bug 23370, end */ +#if defined(__linux__) + certfd = open(file_tmp, O_WRONLY|O_CREAT|O_TRUNC, +#else + certfd = open(file_tmp, O_WRONLY|O_CREAT|O_TRUNC|O_EXLOCK, +#endif + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + if ( certfd < 0 ){ + printf ("Error saving certificate file\n"); + englog(ENGLOG_SSL, SSL_CLI_INFO, "could not save %s\n", + file_tmp); + return ERR_SSL_FILE_WRITE_FAILED; + } + + if (url == NULL || *url == 0) { /* Import via stdin */ + printf("Enter the certificate file in PEM format,\n" + " use \"...\" on a single line, without quotes\n" + " to terminate import\n"); + + fflush(stdout); + ssl_import_via_stdin(certfd); + } else { /* Import from remote or local file */ + if (import_file(url, file_tmp) != SUCCESS) { + close(certfd); + return ERR_SSL_FILE_WRITE_FAILED; + } + } + close(certfd); + + unlink(file); + rename(file_tmp, file); + + printf("Certificate import successful\n"); + extra_file_add(file); + + return ERR_SSL_OK; +} + +int +exauth_ldaps_server_client_cert(char *url) +{ + return ssl_import_ldaps_cert("ldaps_client_cert.pem", url); +} +int +exauth_ldaps_server_client_rootca(char *url) +{ + return ssl_import_ldaps_cert("ldaps_root_cert.pem", url); +} +int +exauth_ldaps_server_client_key(char *url) +{ + return ssl_import_ldaps_cert("ldaps_client_key.pem", url); +} + /* * Import SSL client certificate for SSL virtual host to be used for SSL virtual host. */