Index: /branches/rel_avx_2_7_2/lib/Makefile
===================================================================
--- /branches/rel_avx_2_7_2/lib/Makefile	(revision 8838)
+++ /branches/rel_avx_2_7_2/lib/Makefile	(working copy)
@@ -5,7 +5,7 @@
 
 include $(TOP)/Makefile.master
 
-SDIRS += casnmp avxpci feactl vtch libopenssl-1.1.1
+SDIRS += exauth casnmp avxpci feactl vtch libopenssl-1.1.1
 
 # since we are using some utils that might not be on the build machine
 # lets not fail the entire build, but still be noise about failing to
Index: /branches/rel_avx_2_7_2/lib/exauth/Makefile
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/Makefile	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/Makefile	(working copy)
@@ -0,0 +1,27 @@
+LIB_NAME = libexauth
+STARGET = $(LIB_NAME).a
+
+CFILES = auth_ext.c auth_ext_cli.c auth_ext_ipc.c
+HFILES = auth_ext.h auth_ext_cli.h auth_ext_ipc.h
+OBJS = $(CFILES:.c=.o)
+
+CC = gcc
+AR = ar
+CFLAGS = -fPIC -Wformat -Wall -O -g -I../../src/library/avx_log -I${TOP}/centos72/usr/include \
+#LDFLAGS = -L${TOP}/centos72/usr/lib64
+#LDLIBS = -lldap -llber -lssl -lcrypto -lpthread
+
+all: $(STARGET)
+
+%.o: %.c $(HFILES)
+	$(CC) $(CFLAGS) -c $< -o $@
+	#$(CC) $(CFLAGS) $(LDLIBS) -c $< -o $@
+
+$(STARGET): $(OBJS)
+	$(AR) -rcs $@ $(OBJS)
+
+clean:
+	rm -rf *.o $(STARGET)
+
+.PHONY: all clean
+
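Review bot: The trailing `\` at the end of the `CFLAGS` line folds the following line into the assignment; today that line is the commented-out `#LDFLAGS …`, so Make discards it as a comment and only a stray trailing space survives, but un-commenting LDFLAGS would silently append it to CFLAGS. Drop the backslash and prefer simple assignment: `CFLAGS := -fPIC -Wformat -Wall -O -g -I../../src/library/avx_log -I$(TOP)/centos72/usr/include`. The commented recipe line `#$(CC) $(CFLAGS) $(LDLIBS) -c $< -o $@` under `%.o` is tab-prefixed, so it is still echoed and handed to the shell on every compile; delete it instead of commenting it out. `clean` needs only `$(RM) *.o $(STARGET)`, not `rm -rf`, and `CC = gcc` / `AR = ar` would be better as `CC ?= gcc` / `AR ?= ar` so a toolchain exported by the parent build (`TOP` appears to come from there) is not clobbered.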
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext.h
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext.h	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext.h	(working copy)
@@ -0,0 +1,95 @@
+#ifndef _EXAUTH_EXT_H_
+#define _EXAUTH_EXT_H_
+
+#define LDAP_AUTH_PORT          389
+#define LDAP_DEF_RETRIES        2
+#define LDAP_DEF_TIMEOUT        5
+
+#define EXT_AUTH_OFF                    0
+#define EXT_AUTH_ON                             1
+#define EXT_AUTH_PASS_ENABLE    2
+#define EXT_AUTH_PASS_CONFIG    3
+#define EXT_AUTH_REJECT                 4
+#define EXT_AUTH_FAILED                 5
+#define EXT_AUTH_OTHER                  6
+#define EXT_AUTH_PASS                   7
+#define EXT_AUTHORIZE_OFF                       0
+#define EXT_AUTHORIZE_ON                        1
+
+/*bug 21179 zhenglf*/
+#define EXTERNAL_AUTH_LOG_FILE_NAME             "/var/crash/exau.log"
+/*bug 21179 end*/
+#define MSGBUFSIZ 1024
+#define MEM_BLOCK_MAX_LEN               (20 * 1024 * 1024) /*20MB*/
+
+/*3 month*/
+#define THR_MONTH       (86400 * 90)
+
+/*if external authentication pass, use this user to log on*/
+#define EX_LOG_ON_MAPPED_USER  "array"
+
+/* Supported syslog facilities and levels. */
+typedef enum {
+    SYS_LOG_FACILITY_DAEMON,
+    SYS_LOG_FACILITY_USER,
+    SYS_LOG_FACILITY_AUTH,
+    SYS_LOG_FACILITY_LOCAL0,
+    SYS_LOG_FACILITY_LOCAL1,
+    SYS_LOG_FACILITY_LOCAL2,
+    SYS_LOG_FACILITY_LOCAL3,
+    SYS_LOG_FACILITY_LOCAL4,
+    SYS_LOG_FACILITY_LOCAL5,
+    SYS_LOG_FACILITY_LOCAL6,
+    SYS_LOG_FACILITY_LOCAL7
+}       Syslog_Facility;
+
+typedef enum {
+    SYS_LOG_LEVEL_QUIET,
+    SYS_LOG_LEVEL_FATAL,
+    SYS_LOG_LEVEL_ERROR,
+    SYS_LOG_LEVEL_INFO,
+    SYS_LOG_LEVEL_VERBOSE,
+    SYS_LOG_LEVEL_DEBUG1,
+    SYS_LOG_LEVEL_DEBUG2,
+    SYS_LOG_LEVEL_DEBUG3
+}       Log_Level;
+
+typedef enum _ROLE_MODE{
+    ROLE_MODE_NORMAL,
+    ROLE_MODE_SEPARATION,
+    ROLE_MODE_MAX
+} ROLE_MODE;
+
+/*if external_auth_on is set to EXT_AUTH_ON*/
+int is_external_auth_on(void);
+
+/*get external auth priority*/
+int exauth_priority(void);
+
+/*check if there is a configured external server*/
+int found_server(void);
+
+/*authenticate with external ldap server*/
+int external_auth(char *username, char *password);
+
+/*authenticate with external ldap server*/
+int external_auth_ldap(char *username, char *password);
+
+/*get the aaa method*/
+int get_aaa_method(char *buf);
+
+/*copy the user name value to ext_user*/
+void set_ext_user(char *user);
+
+/*copy the client IP to ext_ssh_client_IP*/
+void set_ext_ip(char *ip);
+
+/*log function*/
+void exau_log(const char *fmt,...);
+void exau_log_webui(char *msg);
+
+int get_user_basic_info (char *username, char *group, char *password);
+int get_user_method (char *username);
+
+#endif
+
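Review bot: `external_auth_one_ldap` is called from `external_auth_ldap` in auth_ext.c before its definition and has no prototype in this header, so it compiles as an implicit declaration; either add `int external_auth_one_ldap(int server_num, char *username, char *password);` here or make the function `static` in auth_ext.c. The include guard `_EXAUTH_EXT_H_` (leading underscore plus uppercase) is in the implementation-reserved namespace; `EXAUTH_EXT_H` avoids that. `get_user_basic_info` fills `group` and `password` with no length argument, and the sizes it assumes (`MAXNAMELEN`, `MAXPASSLEN`) are private to auth_ext.c, so the comment should state the contract, e.g. `/* group must hold at least 25 bytes and password 107 bytes (user_info_t limits); both are written with strcpy */`. The `Syslog_Facility` enum is declared but nothing in this change uses it.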
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext.c
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext.c	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext.c	(working copy)
@@ -0,0 +1,635 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <syslog.h>
+#include "avx_log.h"
+#include <sys/stat.h>
+#include <sys/ipc.h>
+#include <sys/shm.h>
+#include <ldap.h>
+
+#include "auth_ext.h"
+#include "auth_ext_cli.h"
+#include "auth_ext_ipc.h"
+
+/* Global Variables */
+extern exauth_conf_t g_exauth_conf;
+extern exauth_conf_t *shm_p;
+
+/*if really do external authentication*/
+int do_exauth = 0;
+
+/*
+ *  *  *  * user name to authenticate with ext server
+ *   *   *   * since the name is not always valid in unix system
+ *    *    *    * (it may be valid in the external server)
+ *     *     *     * the structure passwd pw can not be used since its
+ *      *      *      * value could be null
+ *       *       *       */
+char ext_user[32];
+
+char ext_ssh_client_IP[32];
+
+static Log_Level log_level = SYS_LOG_LEVEL_INFO;
+
+/*get the aaa method*/
+int
+get_aaa_method(char *buf)
+{
+    int ret = 0;
+
+    /*get exauth conf from the shared mem*/
+    ret = get_auth_conf(&shm_p, &g_exauth_conf);
+    if (ret < 0) {
+        exau_log("get_aaa_method: get_auth_conf failed");
+        sprintf(buf, "%s", EXAUTH_METHOD_STRING_UNKONWN);
+        return -1;
+    }
+
+        if (g_exauth_conf.exau_method == METHOD_LDAP) {
+                sprintf(buf, "%s", EXAUTH_METHOD_STRING_LDAP);
+        }
+
+    return 0;
+}
+
+/*check if there is a configured external server*/
+int
+found_server(void)
+{
+    int i;
+    int found = 0;
+
+    /* check if there is a configured external server */
+    for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) {
+        /*found a server*/
+        if (g_exauth_conf.exauth_servers[i].id &&
+            g_exauth_conf.exauth_servers[i].id[0] != '\0') {
+            found = 1;
+            break;
+        }
+    }
+
+    return found;
+}
+
+/*if external_auth_on is set to EXT_AUTH_ON*/
+int
+is_external_auth_on(void)
+{
+    printf("rohith entering ext auth\n");
+    avx_log(LOG_IDX_CLI, 2, "rohith", "is_external_auth_on");
+    int ret = 0;
+
+    /* get exauth conf from the shared mem */
+    ret = get_auth_conf(&shm_p, &g_exauth_conf);
+
+    if (ret < 0) {
+        exau_log("is_external_auth_on: get_auth_conf failed");
+        return 0;
+    }
+
+    return g_exauth_conf.external_auth_on;
+}
+
+/*get external auth priority*/
+int
+exauth_priority(void)
+{
+    int ret = 0;
+
+    /*get exauth conf from the shared mem*/
+    ret = get_auth_conf(&shm_p, &g_exauth_conf);
+
+    if (ret < 0) {
+        exau_log("exauth_priority: get_auth_conf failed");
+        return 0;
+    }
+
+    return g_exauth_conf.ext_auth_priority;
+}
+/*authenticate with external server*/
+int
+external_auth(char *username, char *password)
+{
+    printf("rohith enter external_auth\n");
+    avx_log(LOG_IDX_CLI, 2, username, "external_auth");
+    int ret = 0;
+
+    if (username == NULL || password == NULL) {
+        return EXT_AUTH_FAILED;
+    }
+
+    /*get exauth conf from the shared mem*/
+    ret = get_auth_conf(&shm_p, &g_exauth_conf);
+    if (ret < 0) {
+        exau_log("external_auth: get_auth_conf failed");
+        return EXT_AUTH_FAILED;
+    }
+
+    if (is_external_auth_on() && found_server()) {
+        if (g_exauth_conf.exau_method == METHOD_LDAP) {
+            return external_auth_ldap(username, password);
+        } else {
+            exau_log("external_auth: no valid authentication method found");
+            return EXT_AUTH_FAILED;
+        }
+    }
+
+    return EXT_AUTH_FAILED;
+}
+
+int
+external_auth_ldap(char *username, char *password)
+{
+    printf("rohith enter auth_ldap\n");
+    avx_log(LOG_IDX_CLI, 2, username, "external_auth_ldap");
+    /*the return value of ldap response type*/
+    int ret_value = EXT_AUTH_FAILED;
+    int i;
+    if (username == NULL || password == NULL) {
+        return EXT_AUTH_FAILED;
+    }
+    /*authenticate ldap servers*/
+    for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) {
+        if (g_exauth_conf.exauth_servers[i].id &&
+            g_exauth_conf.exauth_servers[i].id[0] != '\0') {
+            ret_value = external_auth_one_ldap(i, username, password);
+            if ((ret_value == EXT_AUTH_PASS_CONFIG) ||
+                (ret_value == EXT_AUTH_PASS_ENABLE)) {
+                break;
+            }
+        }
+    }
+    return ret_value;
+}
+
+int
+external_auth_one_ldap(int server_num, char *username, char *password)
+{
+    printf("rohith enter auth one ldap\n");
+    avx_log(LOG_IDX_CLI, 2, username, "external_auth_one_ldap");
+    LDAP *ldap;
+    struct timeval to;
+    int ldap_version = LDAP_VERSION3;
+    int msgid = 0;
+    to.tv_sec = 600;
+    to.tv_usec = 0;
+    int ret_value = EXT_AUTH_FAILED;
+    int i = server_num;
+    LDAPMessage *answer, *entry;
+    char *attrs[]       = {"memberOf", NULL};
+    int  attrsonly      = 0;
+    int  entries_found  = 0;
+
+    if (username == NULL || password == NULL) {
+            return EXT_AUTH_FAILED;
+    }
+    char ldap_uri[1024];
+    sprintf(ldap_uri,"ldap://%s:%d",g_exauth_conf.exauth_servers[i].host,
+                                   g_exauth_conf.exauth_servers[i].port);
+    if ( ldap_initialize(&ldap, ldap_uri)  != LDAP_SUCCESS ) {
+        exau_log( "ldap_init failed" );
+        return EXT_AUTH_FAILED;
+    } else {
+        exau_log("Generated LDAP handle for uri %s.\n", ldap_uri);
+    }
+
+    if (ldap_set_option(ldap, LDAP_OPT_TIMEOUT,&to) != LDAP_SUCCESS ) {
+        return EXT_AUTH_FAILED;
+    }
+
+    if (ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT,&to) != LDAP_SUCCESS ) {
+        return EXT_AUTH_FAILED;
+    }
+
+    if (ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version) != LDAP_SUCCESS ) {
+        return EXT_AUTH_FAILED;
+    }
+    /*This is AD bug, if password is blank it allows tp login*/
+    if (strlen(password) == 0) {
+        return EXT_AUTH_FAILED;
+    }
+    msgid = ldap_simple_bind_s(ldap, username, password);
+
+    if ( msgid != LDAP_SUCCESS ) {
+        exau_log("LDAP login failed for user %s.\n", username);
+        return EXT_AUTH_FAILED;
+    } else {
+        exau_log("LDAP login successful for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_CONFIG;
+    }
+    /*authorization off then will not do authorization only authentication*/
+    if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_OFF){
+        exau_log("LDAP authorization off for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_CONFIG;
+        ldap_unbind(ldap);
+        return ret_value;
+    }
+    /*authorization block*/
+    char search_string[1024];
+    if (strstr(username, "@")) {
+        sprintf(search_string,"\(\&\(userPrincipalName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf);
+    } else {
+        sprintf(search_string,"\(\&\(sAMAccountName\=%s\)\(memberOf=%s\)\)", username, g_exauth_conf.exauth_servers[i].memberOf);
+    }
+
+    msgid = ldap_search_s(ldap, g_exauth_conf.exauth_servers[i].dn, LDAP_SCOPE_SUBTREE, search_string,
+                         attrs, attrsonly, &answer);
+
+    if ( msgid != LDAP_SUCCESS ) {
+        exau_log("LDAP search failed for user %s.\n", username);
+        return EXT_AUTH_FAILED;
+    } else {
+        exau_log("LDAP search successful for user %s.\n", username);
+    }
+
+    /* Return the number of objects found during the search */
+    entries_found = ldap_count_entries(ldap, answer);
+    if ( entries_found == 0 ) {
+        exau_log("LDAP authorization failed for user %s.\n", username);
+        ret_value = EXT_AUTH_PASS_ENABLE; /*if authorization failed then not allow to do any change*/
+    } else {
+        ret_value = EXT_AUTH_PASS_CONFIG;
+        printf("LDAP authorization success for user %s.\n", username);
+    }
+    if (ret_value != EXT_AUTH_PASS_CONFIG) {
+        ret_value = EXT_AUTH_PASS_ENABLE;
+    }
+
+    ldap_msgfree(answer);
+    ldap_unbind(ldap);
+    return ret_value;
+}
+
+#define MAXUSERS        100
+#define SEGMENTMAXUSERS 2048
+#define MAXNAMELEN      25
+#define UT_NAMESIZE     32
+#define USER_ITEM_NUM   (MAXUSERS+SEGMENTMAXUSERS)
+#if defined(__linux__)
+#define MAXPASSLEN      107
+#else
+#define MAXPASSLEN      50
+#endif
+#define USER_CONF_SHM_KEY   0xcaf02001
+#define SEGMENT_NAME_MAX_LENGTH 128
+#define MAX_OLD_PASSWD_NUM              5  
+
+/* If change this struct, need to synchronously change the struct in usr/click/bin/backend/user.h */
+typedef struct _user_info {
+        char name[UT_NAMESIZE + 1];
+        char segment_name[SEGMENT_NAME_MAX_LENGTH + 1];
+        char encpasswd[MAXPASSLEN];
+        char old_encpasswd[MAX_OLD_PASSWD_NUM][MAXPASSLEN];
+        char group[MAXNAMELEN];
+
+        uint32_t segment_user;  /*1;segment user. 0:normal user*/
+        uint32_t method;
+        int old_passwd_index;
+        int user_status;
+        int twofactor_random; /* Used for twofactor, do signature for this random */
+        uint32_t flags;
+        uint64_t expire_time;
+} user_info_t;
+
+typedef struct _user_conf {
+        user_info_t user[USER_ITEM_NUM];
+        int passwd_forcemode;
+        int passwd_expirecheck;
+        uint32_t adminCnt;
+} user_conf_t;
+
+user_conf_t *user_conf_p = NULL;
+
+void
+user_conf_detach2(void)
+{
+        int ret;
+        if (user_conf_p) {
+                ret = shmdt(user_conf_p);
+                if (ret == 0) {
+                        user_conf_p = NULL;
+                }
+        }
+}
+
+void *
+user_conf_init2(void)
+{
+        int shm_id;
+        void *p = NULL;
+        shm_id = shmget(USER_CONF_SHM_KEY, sizeof(user_conf_t), IPC_CREAT | 0666);
+        if (shm_id < 0) {
+                perror("Internal Error:");
+                user_conf_p = NULL;
+                return NULL;
+        }
+
+        p = shmat(shm_id, NULL, 0);
+        if ((long)p == -1) {
+                perror("Internal Error:");
+                return NULL;
+        }
+
+        user_conf_p = (user_conf_t *) p;
+        atexit(user_conf_detach2);
+
+        return p;
+}
+user_conf_t *
+user_conf_attach2(void)
+{
+        if (user_conf_p == NULL) {
+                user_conf_init2();
+        }
+        return user_conf_p;
+}
+
+int
+check_segment_user(char *username)
+{
+        int i;
+        int ret = -1;
+        user_conf_t *p;
+
+        if (!username || username[0] == '\0') {
+                return ret;
+        }
+
+        p = user_conf_attach2();
+        if (p == NULL) {
+                return ret;
+        }
+
+        for(i = 0; i < USER_ITEM_NUM; i++) {
+                if (strcmp(p->user[i].name, username) == 0) {
+                        ret = p->user[i].segment_user;
+                        break;
+                }
+        }
+
+        return ret;
+}
+int
+get_segment_name_by_user(char *username, char *rst)
+{
+        int i;
+        user_conf_t *p;
+
+        if (!username || username[0] == '\0') {
+                return 0;
+        }
+        if (!rst) {
+                return 0;
+        }
+
+        p = user_conf_attach2();
+        if (p == NULL) {
+                return 0;
+        }
+
+        for(i = 0; i < USER_ITEM_NUM; i++) {
+                if (strcmp(p->user[i].name, username) == 0) {
+                        strcpy(rst, p->user[i].segment_name);
+                        return 1;
+                }
+        }
+
+        return 0;
+}
+
+
+
+/*copy the user name value to ext_user*/
+void
+set_ext_user(char *user)
+{
+    memset(ext_user, 0, sizeof(ext_user));
+   /* strlcpy(ext_user, user, sizeof(ext_user));*/
+    strncpy(ext_user, user, sizeof(ext_user) - 1);
+    ext_user[sizeof(ext_user) - 1] = '\0';
+}
+
+
+/*copy the client IP to ext_ssh_client_IP*/
+void
+set_ext_ip(char *ip)
+{
+    memset(ext_ssh_client_IP, 0, sizeof(ext_ssh_client_IP));
+   /*strlcpy(ext_ssh_client_IP, ip, sizeof(ext_ssh_client_IP));*/
+    strncpy(ext_ssh_client_IP, ip, sizeof(ext_ssh_client_IP) - 1);
+    ext_ssh_client_IP[sizeof(ext_ssh_client_IP) - 1] = '\0';
+}
+
+static char *
+get_time(void)
+{
+    time_t t;
+    char *time_string;
+
+    t = time(NULL);
+    time_string = ctime(&t);
+    time_string[strlen(time_string) - 1] = '\0';
+    return (time_string);
+}
+
+/*log function*/
+int
+exau_log_file(char *content)
+{
+    struct stat sbuf;
+    FILE *fp = NULL;
+    int ret = 0;
+
+    ret = access(EXTERNAL_AUTH_LOG_FILE_NAME, W_OK);
+    if (ret) {
+        if (errno == EACCES) {
+            fprintf(stderr, "open exau_log error: write permissio denied\n");
+            /*bug 21179 zhenglf*/
+            /*
+ *  *  *                       * change the permission mode of the log file
+ *   *   *                                               */
+            chmod(EXTERNAL_AUTH_LOG_FILE_NAME, S_IRWXU | S_IRWXG | S_IRWXO);
+            /*bug 21179 end*/
+        }
+
+        fprintf(stderr, "exau_log_file():open exau_log error: access failed\n");
+    }
+
+    /*delete the file if the log file size > 20 MB*/
+    if ((ret == 0) || (errno != ENOENT)) {
+        memset(&sbuf, 0, sizeof(struct stat));
+
+        if (stat(EXTERNAL_AUTH_LOG_FILE_NAME, &sbuf) == 0) {
+            if (sbuf.st_size > MEM_BLOCK_MAX_LEN) {
+                unlink(EXTERNAL_AUTH_LOG_FILE_NAME);
+            }
+        }
+    }
+
+    fp = fopen(EXTERNAL_AUTH_LOG_FILE_NAME, "a");
+    if (fp && content) {
+        fprintf(fp, "%s  %s\n", get_time(), content);
+        fclose(fp);
+        return 0;
+    } else {
+        fprintf(stderr, "exau_log_file error\n");
+        return -1;
+    }
+}
+
+void
+exau_do_log(Log_Level level, const char *fmt, va_list args)
+{
+    char msgbuf[MSGBUFSIZ];
+    char fmtbuf[MSGBUFSIZ];
+    char *txt = NULL;
+    int pri = LOG_INFO;
+
+    if (level > log_level)
+        return;
+    switch (level) {
+    case SYS_LOG_LEVEL_ERROR:
+        txt = "error";
+        pri = LOG_ERR;
+        break;
+    case SYS_LOG_LEVEL_FATAL:
+        txt = "fatal";
+        pri = LOG_ERR;
+        break;
+    case SYS_LOG_LEVEL_INFO:
+    case SYS_LOG_LEVEL_VERBOSE:
+        pri = LOG_INFO;
+        break;
+    case SYS_LOG_LEVEL_DEBUG1:
+        txt = "debug1";
+        pri = LOG_DEBUG;
+        break;
+    case SYS_LOG_LEVEL_DEBUG2:
+        txt = "debug2";
+        pri = LOG_DEBUG;
+        break;
+    case SYS_LOG_LEVEL_DEBUG3:
+        txt = "debug3";
+        pri = LOG_DEBUG;
+        break;
+    default:
+        txt = "internal error";
+        pri = LOG_ERR;
+        break;
+    }
+    if (txt != NULL) {
+        snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
+        vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
+    } else {
+        vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+    }
+
+    exau_log_file(msgbuf);
+}
+
+
+void
+exau_log(const char *fmt, ...)
+{
+    printf("rohith enter exau log\n");
+    va_list args;
+    char msg[MSGBUFSIZ];
+
+    va_start(args, fmt);
+    exau_do_log(SYS_LOG_LEVEL_INFO, fmt, args);
+    va_end(args);
+    /*do fastlog*/
+    memset(msg, 0, MSGBUFSIZ);
+    va_start(args, fmt);
+    vsnprintf(msg, sizeof(msg), fmt, args);
+    avx_log(LOG_IDX_CLI, 2, msg, "msg1");
+    /*fastlog_logex(CLI_SSH_INFO, 1, msg);*/
+    va_end(args);
+}
+
+static void
+exau_log_webui_va(const char *fmt,...)
+{
+    va_list args;
+    char msg[MSGBUFSIZ];
+
+    va_start(args, fmt);
+    exau_do_log(SYS_LOG_LEVEL_INFO, fmt, args);
+    va_end(args);
+    /*do fastlog*/
+    memset(msg, 0, MSGBUFSIZ);
+    va_start(args, fmt);
+    vsnprintf(msg, sizeof(msg), fmt, args);
+    avx_log(LOG_IDX_CLI, 2, msg, "msg1");
+   /* fastlog_logex(WEBUI_MESSAGE, 1, msg);*/
+    va_end(args);
+}
+
+void
+exau_log_webui(char *msg)
+{
+    exau_log_webui_va("%s", msg);
+}
+
+int 
+get_user_basic_info (char *username, char *group, char *password)
+{
+    int i;
+    user_conf_t *p;
+
+    if (!username || username[0] == '\0') {
+        return 0;
+    }
+    if (!group || !password) {
+        return 0;
+    }
+
+    p = user_conf_attach2();
+    if (p == NULL) {
+        return 0;
+    }
+
+    for(i = 0; i < USER_ITEM_NUM; i++) {
+        if (strcmp(p->user[i].name, username) == 0) {
+            strcpy(password, p->user[i].encpasswd);
+            strcpy(group, p->user[i].group);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+int 
+get_user_method (char *username)
+{
+    int i;
+    user_conf_t *p;
+    int method = 0;
+    
+    if (!username || username[0] == '\0') {
+        return 0;
+    }
+
+    p = user_conf_attach2();
+    if (p == NULL) {
+        return 0;
+    }
+
+    for(i = 0; i < USER_ITEM_NUM; i++) {
+        if (strcmp(p->user[i].name, username) == 0) {
+            method = p->user[i].method;
+            break;
+        }
+    }
+
+    return method;
+}
+
+
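Review bot: The authorization filter in `external_auth_one_ldap` is built with `sprintf` from the unescaped `username`, so a name containing `)`, `*` or `\` rewrites the filter and can turn the `memberOf` check — the only thing separating `EXT_AUTH_PASS_ENABLE` from `EXT_AUTH_PASS_CONFIG` — into a match it should not be; escape the value per RFC 4515 and bound the write with `snprintf`, as below (the `\(` / `\&` / `\=` escapes in the current literals are also not valid C escape sequences). Every early `return` between `ldap_initialize` and `ldap_unbind` (the three `ldap_set_option` failures, the empty-password check, the failed bind and the failed search) leaks the handle, and the search-failure path also skips `ldap_msgfree`; the empty-password check belongs before `ldap_initialize`. `ldap_simple_bind_s` over a plain `ldap://` URI sends the password in clear text; `ldap_start_tls_s` (or an `ldaps://` URI) before the bind is the usual fix. `user_conf_init2` creates the user table with `IPC_CREAT | 0666`, which lets any local process read every `encpasswd` and rewrite `method`/`group` entries — a reader should attach only, with 0600/0660 — and `exau_log_file` makes the audit log world-writable with `chmod(…, S_IRWXU | S_IRWXG | S_IRWXO)`. The `printf("rohith …")` debug lines should be removed before this lands.
```c
/* Escape a value for use inside an LDAP search filter (RFC 4515 §3). */
static int
ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen)
                return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* … unchanged: handle setup, bind, authorize-off early return … */
    char search_string[1024];
    char safe_user[256];
    if (ldap_filter_escape(username, safe_user, sizeof(safe_user)) != 0) {
        ldap_unbind(ldap);
        return EXT_AUTH_FAILED;
    }
    if (strstr(username, "@")) {
        snprintf(search_string, sizeof(search_string),
                 "(&(userPrincipalName=%s)(memberOf=%s))",
                 safe_user, g_exauth_conf.exauth_servers[i].memberOf);
    } else {
        snprintf(search_string, sizeof(search_string),
                 "(&(sAMAccountName=%s)(memberOf=%s))",
                 safe_user, g_exauth_conf.exauth_servers[i].memberOf);
    }
```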
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.h
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.h	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.h	(working copy)
@@ -0,0 +1,81 @@
+#ifndef _AUTH_EXT_CLI_H_
+#define _AUTH_EXT_CLI_H_
+
+#define LINE_LEN 255
+#define HOST_LEN 256
+#define DN_LEN 256
+#define MEMBEROF_LEN 256
+#define SECRET_LEN 129
+#define EXAUTH_DEF_METHOD               "LDAP"
+#define MAX_EXAU_SERVER_NUM             3       
+#define IP_PRESENTATION_LEN             100     /*ip presentation length*/
+
+#define CLI_EXAUTH_ON                           "admin aaa on"
+#define CLI_EXAUTH_OFF                          "admin aaa off"
+#define CLI_EXAUTH_METHOD                       "admin aaa method"
+#define CLI_EXAUTH_SERVER                       "admin aaa server"
+#define CLI_EXAUTHORIZE_ON                              "admin aaa authorize on"
+#define CLI_EXAUTHORIZE_OFF                             "admin aaa authorize off"
+#define CLI_SHOW_EXAUTH_ALL                     "show admin aaa all"
+#define CLI_NO_EXAUTH_SERVER            "no admin aaa server"
+#define CLI_CLEAR_EXAUTH_ALL            "clear admin aaa all"
+
+#define EXAUTH_SERVER_ID1                       "es01"
+#define EXAUTH_METHOD_STRING_LDAP               "LDAP"
+#define EXAUTH_METHOD_STRING_UNKONWN    "UNKONWN METHOD"
+#define EXAUTH_PRIORITY_HIGH            1
+#define EXAUTH_PRIORITY_LOW             0
+
+
+/*authentication method table*/
+typedef enum exau_method {
+        METHOD_LDAP
+} enum_exau_method;
+
+/*the structure for radius server*/
+typedef struct exauth_server {
+    char id[5];
+    char host[HOST_LEN];
+    unsigned short port;
+    char secret[SECRET_LEN];
+    unsigned short timeout;
+    unsigned short max_retry;
+        char dn[DN_LEN];
+        char memberOf[MEMBEROF_LEN];
+} exauth_server_t;
+
+/*the structure wrapper*/
+typedef struct exauth_conf {
+    int external_auth_on;
+    int external_authorize_on;
+    int ext_auth_priority;
+    enum_exau_method exau_method;
+    exauth_server_t exauth_servers[3];
+} exauth_conf_t;
+
+/*turn on external authentication*/
+int exauth_on(int);
+
+/*turn off external authentication*/
+int exauth_off(void);
+
+/*set exauth method*/
+int exauth_method(char *method);
+
+/*configure ldap server*/
+int exauth_server(char *id, char *host, unsigned short port, char *secret, char *cipher_flag);
+
+/*delete a ldap server*/
+int no_exauth_server(char *id);
+
+/*display exauth configurations*/
+int show_exauth_all(void);
+
+/*reset the configuration*/
+int clear_exauth_all(void);
+
+/*save the configurations*/
+char *write_exauth(char *segment);
+
+#endif
+
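Review bot: The prototype `int exauth_server(char *id, char *host, unsigned short port, char *secret, char *cipher_flag);` no longer matches the definition in auth_ext_cli.c, which takes `dn` and `memberOf` as the last two parameters; the types still agree so it compiles, but the names and the `/*configure ldap server*/` comment now describe the wrong contract — rename them to `char *dn, char *memberOf`. `exauth_authorize_on` and `exauth_authorize_off` are defined in auth_ext_cli.c but have no prototype here, so callers in other files get implicit declarations. `exauth_servers[3]` hard-codes the count that `MAX_EXAU_SERVER_NUM` already defines, and the `/*the structure for radius server*/` comment is stale for an LDAP-only server record whose `secret` field is never set by this change.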
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.c
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.c	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext_cli.c	(working copy)
@@ -0,0 +1,338 @@
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/time.h>
+#include <errno.h>
+#include <netdb.h>      /*for gethostbyname()*/
+#include <sys/socket.h>         /*for inet_addr() and inet_ntop()*/
+#include <netinet/in.h>         
+#include <arpa/inet.h>          
+
+#include "auth_ext.h"
+#include "auth_ext_cli.h"
+#include "auth_ext_ipc.h"
+
+/* Global Variables */
+exauth_conf_t g_exauth_conf;
+exauth_conf_t *shm_p = NULL;
+
+static int initialized = 0;
+
+/*init the exau configurations*/
+int init_exau_conf(void);
+
+/*init the exau configurations*/
+int 
+init_exau_conf(void)
+{
+    int i;
+
+    /*bzero the structure*/
+    memset(&g_exauth_conf, 0, sizeof(exauth_conf_t));
+
+    /*turn off external_auth_on*/
+    g_exauth_conf.external_auth_on = EXT_AUTH_OFF;
+    g_exauth_conf.external_authorize_on = EXT_AUTHORIZE_OFF;
+    g_exauth_conf.exau_method = METHOD_LDAP;
+    g_exauth_conf.ext_auth_priority = EXAUTH_PRIORITY_LOW;
+
+    /*assign the default values*/
+    for (i=0; i < MAX_EXAU_SERVER_NUM; i++)
+    {
+        g_exauth_conf.exauth_servers[i].port = LDAP_AUTH_PORT;
+        g_exauth_conf.exauth_servers[i].timeout = LDAP_DEF_TIMEOUT;
+        g_exauth_conf.exauth_servers[i].max_retry = LDAP_DEF_RETRIES;
+    }
+
+    initialized = 1;
+
+    return 0;
+}
+
+
+/*turn on external authentication*/
+int 
+exauth_on(int priority)
+{
+    if (priority != 0 && priority != 1){
+        printf("Priority should be 0 or 1\n");
+        return -1;
+    }
+    
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    g_exauth_conf.external_auth_on = EXT_AUTH_ON;
+    g_exauth_conf.ext_auth_priority = priority;
+
+    /*update conf to shared mem*/
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/*turn on external authentication*/
+int 
+exauth_off(void)
+{
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    g_exauth_conf.external_auth_on = EXT_AUTH_OFF;
+
+    /*update conf to shared mem*/
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/*turn on external authorization*/
+int
+exauth_authorize_on(void)
+{
+    get_auth_conf(&shm_p, &g_exauth_conf);
+    g_exauth_conf.external_authorize_on = EXT_AUTHORIZE_ON;
+
+    /*update conf to shared mem*/
+    set_auth_conf(&shm_p, &g_exauth_conf);
+    return 0;
+}
+
+/*turn off external authorization*/
+int
+exauth_authorize_off(void)
+{
+    get_auth_conf(&shm_p, &g_exauth_conf);
+    g_exauth_conf.external_authorize_on = EXT_AUTHORIZE_OFF;
+
+    /*update conf to shared mem*/
+    set_auth_conf(&shm_p, &g_exauth_conf);
+    return 0;
+}
+
+/* Set exauth method to LDAP */
+int exauth_method(char *method) {
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    if (method == NULL) {
+        printf("%s failed\n", CLI_EXAUTH_METHOD);
+        return -1;
+    }
+
+    if (strcasecmp(method, EXAUTH_METHOD_STRING_LDAP) == 0) {
+        g_exauth_conf.exau_method = METHOD_LDAP;
+    } else {
+        printf("%s \n", EXAUTH_METHOD_STRING_LDAP);
+        return -1;
+    }
+
+    /* Update conf to shared mem */
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/* Configure an exauth LDAP server */
+int exauth_server(char *id, char *host, uint16_t port, char *dn, char *memberOf) {
+    int id_num = -1;
+    char *str_num = NULL, *ep = NULL;
+
+    if (id == NULL || host == NULL || dn == NULL || memberOf == NULL) {
+        printf("%s failed\n", CLI_EXAUTH_SERVER);
+        return -1;
+    }
+
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    /* Only accept "es01" as a valid server ID */
+    if (strcmp(id, EXAUTH_SERVER_ID1) != 0) {
+        printf("%s \n", EXAUTH_SERVER_ID1);
+        return -1;
+    }
+
+    /* Assign id */
+    id_num = 0;  // Always use the first server slot for LDAP
+
+    strcpy(g_exauth_conf.exauth_servers[id_num].id, EXAUTH_SERVER_ID1);
+
+    /* Assign host */
+    strncpy(g_exauth_conf.exauth_servers[id_num].host, host, HOST_LEN);
+
+    /* Assign port */
+    g_exauth_conf.exauth_servers[id_num].port = port;
+
+    /* Assign dn */
+    strncpy(g_exauth_conf.exauth_servers[id_num].dn, dn, DN_LEN);
+
+    /* Assign memberOf */
+    strncpy(g_exauth_conf.exauth_servers[id_num].memberOf, memberOf, MEMBEROF_LEN);
+
+    g_exauth_conf.exauth_servers[id_num].max_retry = LDAP_DEF_RETRIES;
+
+    /* Update conf to shared mem */
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/* Delete an exauth server */
+int no_exauth_server(char *id) {
+    int id_num = -1;
+    char *str_num = NULL, *ep = NULL;
+
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    if (id == NULL) {
+        printf("%s failed\n", CLI_NO_EXAUTH_SERVER);
+        return -1;
+    }
+
+    if (strcmp(id, EXAUTH_SERVER_ID1) != 0) {
+        printf("%s\n", EXAUTH_SERVER_ID1);
+        return 0;
+    }
+
+    /* Assign id */
+    str_num = id + 3;
+    id_num = (int)strtol(str_num, &ep, 10) - 1;
+
+    if (g_exauth_conf.exauth_servers[id_num].id[0] == '\0') {
+        printf("Server %s not found", id);
+        return 0;
+    }
+
+    memset(&g_exauth_conf.exauth_servers[id_num], 0, sizeof(exauth_server_t));
+
+    /* Update conf to shared mem */
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/* Display exauth configurations */
+int show_exauth_all(void) {
+    int i;
+
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    /* Show admin aaa on | off */
+    if (g_exauth_conf.external_auth_on == EXT_AUTH_ON) {
+        printf("%s %d\n", CLI_EXAUTH_ON, g_exauth_conf.ext_auth_priority);
+    }
+
+    if (g_exauth_conf.external_auth_on == EXT_AUTH_OFF) {
+        printf("%s\n", CLI_EXAUTH_OFF);
+    }
+
+    if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_ON) {
+        printf("%s\n", CLI_EXAUTHORIZE_ON);
+    } else {
+        printf("%s\n", CLI_EXAUTHORIZE_OFF);
+    }
+
+    /* Show admin aaa method */
+    if (g_exauth_conf.exau_method == METHOD_LDAP) {
+        printf("%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP);
+    } else {
+        printf("show %s failed\n", CLI_EXAUTH_METHOD);
+        return -1;
+    }
+
+    /* Show admin aaa server */
+    for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) {
+        if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') {
+            printf("%s ldap %s \"%s\" %d \"%s\" \"%s\"\n",
+                   CLI_EXAUTH_SERVER,
+                   g_exauth_conf.exauth_servers[i].id,
+                   g_exauth_conf.exauth_servers[i].host,
+                   g_exauth_conf.exauth_servers[i].port,
+                   g_exauth_conf.exauth_servers[i].dn,
+                   g_exauth_conf.exauth_servers[i].memberOf);
+        }
+    }
+
+    return 0;
+}
+
+/* Reset the configuration */
+int clear_exauth_all(void) {
+    get_auth_conf(&shm_p, &g_exauth_conf);
+
+    init_exau_conf();
+
+    /* Update conf to shared mem */
+    set_auth_conf(&shm_p, &g_exauth_conf);
+
+    return 0;
+}
+
+/* Save the configurations */
+char *write_exauth(char *segment) {
+    /* Write buffer */
+    char *conf_buf = NULL;
+
+    /* Buffer offset */
+    int buf_offset = 0;
+    int i;
+
+    if (strlen(segment) == 0) {
+        get_auth_conf(&shm_p, &g_exauth_conf);
+
+        /*
+ *  *          * Malloc string buffer
+ *   *                   * 
+ *    *                            * admin aaa on | off +
+ *     *                                     * admin aaa authorize on | off +
+ *      *                                              * admin aaa method   +
+ *       *                                                       * admin aaa server * server number
+ *        *                                                                *
+ *         *                                                                         * Each cmd line can have maximum LINE_LEN characters
+ *          *                                                                                  */
+        conf_buf = (char *)malloc(LINE_LEN * 5);
+        if (conf_buf == NULL) {
+            printf("Could not save the admin aaa configuration.\n");
+            return NULL;
+        }
+
+        memset(conf_buf, 0, LINE_LEN * 4);
+
+        /* Show admin aaa on | off */
+        if (g_exauth_conf.external_auth_on == EXT_AUTH_ON) {
+            buf_offset += sprintf(conf_buf + buf_offset, "%s %d\n", CLI_EXAUTH_ON, g_exauth_conf.ext_auth_priority);
+        }
+
+        if (g_exauth_conf.external_auth_on == EXT_AUTH_OFF) {
+            buf_offset += sprintf(conf_buf + buf_offset, "%s\n", CLI_EXAUTH_OFF);
+        }
+
+        if (g_exauth_conf.external_authorize_on == EXT_AUTHORIZE_ON) {
+            buf_offset += sprintf(conf_buf + buf_offset, "%s\n", CLI_EXAUTHORIZE_ON);
+        } else {
+            buf_offset += sprintf(conf_buf + buf_offset, "%s\n", CLI_EXAUTHORIZE_OFF);
+        }
+
+        /* Show admin aaa method */
+        if (g_exauth_conf.exau_method == METHOD_LDAP) {
+            buf_offset += sprintf(conf_buf + buf_offset, "%s %s\n", CLI_EXAUTH_METHOD, EXAUTH_METHOD_STRING_LDAP);
+        } else {
+            printf("show %s failed\n", CLI_EXAUTH_METHOD);
+            return NULL;
+        }
+
+        /* Show admin aaa server */
+        for (i = 0; i < MAX_EXAU_SERVER_NUM; i++) {
+            if (g_exauth_conf.exauth_servers[i].id && g_exauth_conf.exauth_servers[i].id[0] != '\0') {
+                buf_offset += sprintf(conf_buf + buf_offset, "%s ldap %s \"%s\" %d \"%s\" \"%s\"\n",
+                                      CLI_EXAUTH_SERVER,
+                                      g_exauth_conf.exauth_servers[i].id,
+                                      g_exauth_conf.exauth_servers[i].host,
+                                      g_exauth_conf.exauth_servers[i].port,
+                                      g_exauth_conf.exauth_servers[i].dn,
+                                      g_exauth_conf.exauth_servers[i].memberOf);
+            }
+        }
+    }
+    return conf_buf;
+}
+
+
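Review bot: In `exauth_server` the three `strncpy(…, host, HOST_LEN)` / `dn, DN_LEN` / `memberOf, MEMBEROF_LEN` calls do not guarantee a terminator — an input of HOST_LEN or more characters fills the array completely, and `external_auth_one_ldap` then reads past it when building the URI and filter; use `snprintf(g_exauth_conf.exauth_servers[id_num].host, HOST_LEN, "%s", host);` (and the same for `dn` and `memberOf`). `write_exauth` appends with unbounded `sprintf` into a `LINE_LEN * 5` heap buffer, yet a single `admin aaa server` line can carry host, dn and memberOf of up to 255 bytes each and the loop runs over all `MAX_EXAU_SERVER_NUM` slots, so a fully populated configuration overflows the buffer; append with `snprintf(conf_buf + buf_offset, LINE_LEN * 5 - buf_offset, …)` and stop on truncation, and size the `memset` to match the allocation (it clears `LINE_LEN * 4`). `write_exauth` also dereferences `segment` via `strlen` without a NULL check, and `exauth_server` leaves `str_num`/`ep` unused after the ID was pinned to `EXAUTH_SERVER_ID1`.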
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.h
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.h	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.h	(working copy)
@@ -0,0 +1,35 @@
+#ifndef _AUTH_EXT_IPC_H_
+#define _AUTH_EXT_IPC_H_
+
+#define EXAUTH_SHM_KEY          0xcaf25001
+#define EXAUTH_SEM_KEY          0xcaf25002
+
+#define AAA_SECRET_ENCRYPTED    "ENCRYPTED"
+
+/*creat shared mem and sem*/
+int exauth_init_ipc();
+
+/*lock the shared mem*/
+int exauth_lockshm();
+
+/*unlock the shared mem*/
+int exauth_unlockshm();
+
+/*update the shared mem*/
+int set_auth_conf(exauth_conf_t **shm_p_p, exauth_conf_t *conf_p);
+
+/*get exauth conf from the shared mem*/
+int get_auth_conf(exauth_conf_t **shm_p_p, exauth_conf_t *conf_p);
+
+/*release exauth ipc resource*/
+int exauth_release_ipc(exauth_conf_t *shm_p);
+
+int get_shmid(void);
+int get_semid(void);
+int show_conf(exauth_conf_t *conf_p, int shmid, int semid, char* title);
+
+int encrypt_secret(const unsigned char *secret_in, unsigned char *secret_out);
+int decrypt_secret(const unsigned char *secret_in, unsigned char *secret_out);
+#endif
+
+
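Review bot: The declaration `int exauth_init_ipc();` near the top of this header does not match the definition in auth_ext_ipc.c, which takes `exauth_conf_t **shm_p_p`; with an empty (non-prototype) parameter list C performs no argument checking, so a caller that passes nothing compiles cleanly and the callee dereferences garbage. Declare it as `int exauth_init_ipc(exauth_conf_t **shm_p_p);` and give the other argument-less functions explicit `(void)` lists (`int exauth_lockshm(void);`, `int exauth_unlockshm(void);`). The header also uses `exauth_conf_t` without including the header that defines it (presumably auth_ext.h), so it only compiles when that header happens to be included first; an `#include "auth_ext.h"` after the guard would make it self-contained. A one-line comment on encrypt_secret/decrypt_secret stating the buffer sizes the caller must provide (the .c comments put them at up to 2*SECRET_LEN and SECRET_LEN respectively) would let callers size `secret_out` correctly.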
Index: /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.c
===================================================================
--- /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.c	(revision 0)
+++ /branches/rel_avx_2_7_2/lib/exauth/auth_ext_ipc.c	(working copy)
@@ -0,0 +1,505 @@
+#include <sys/cdefs.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/time.h>
+#include <errno.h>
+#include <sys/ipc.h>
+#include <sys/shm.h>
+#include <sys/sem.h>
+
+#include "auth_ext.h"
+#include "auth_ext_cli.h"
+#include "auth_ext_ipc.h"
+
+union semun {
+    int              val;    /* Value for SETVAL */
+    struct semid_ds *buf;    /* Buffer for IPC_STAT, IPC_SET */
+    unsigned short  *array;  /* Array for GETALL, SETALL */
+    struct seminfo  *__buf;  /* Buffer for IPC_INFO (Linux-specific) */
+};
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
+/* Global Variables */
+static int      shmid, semid; /* shared mem/semaphore ids */
+static int initialized = 0;
+
+/*creat shared mem and sem*/
+int exauth_init_ipc(exauth_conf_t **shm_p_p)
+{
+    union semun arg;
+    int perm = IPC_CREAT|IPC_EXCL|0666;
+    int shm_existed = 0;
+
+    /*create the semid*/
+    semid = semget(EXAUTH_SEM_KEY, 1, perm);
+
+    if (semid < 0)
+    {
+        if (errno == EEXIST)
+        {
+            /*printf("exauth: semid already existed\n");*/
+
+            /*get the existed semid*/
+            semid = semget(EXAUTH_SEM_KEY, 0, 0);
+        }
+        else
+        {
+            printf("exauth: create semid error\n");
+            return -1;
+        }
+    }
+
+    arg.val     = 1;
+    if (semctl(semid, 0, SETVAL, arg) < 0)
+    {
+        printf("exauth: set semaphore value error\n");
+
+        /*release the resource*/
+        if ((semctl(semid, 0, IPC_RMID, arg)) <0)
+        {
+            printf("exauth: release semaphore error\n");
+        }
+        return -1;
+    }
+
+    /*create the shmid*/
+    shmid = shmget(EXAUTH_SHM_KEY, sizeof(exauth_conf_t), perm);
+    if (shmid < 0)
+    {
+        if (errno == EEXIST)
+        {
+            /*printf("exauth: shmid already existed\n");*/
+            shmid       = shmget(EXAUTH_SHM_KEY, 0, 0);
+            shm_existed = 1;
+        }
+        else
+        {
+            printf("exauth: create shmid error\n");
+            return -1;
+        }
+    }
+
+    /*attach the shared mem*/
+    *shm_p_p = (exauth_conf_t *)shmat(shmid, 0, 0);
+    if ((char *)(*shm_p_p) == (char *)(-1))
+    {
+        printf("exauth: shmat error");
+        if ((shmctl(shmid, IPC_RMID, 0)) < 0)
+        {
+            printf("exauth: release shared memomy error\n");
+        }
+        return -1;
+    }
+
+    /*init the shared mem*/
+    if (!shm_existed)
+    {
+        memset(*shm_p_p, 0, sizeof(exauth_conf_t));
+    }
+    
+    initialized = 1;
+
+    return 0;
+}
+
+
+/*lock the shared mem*/
+int exauth_lockshm()
+{
+    struct sembuf       op[1];
+    int         ret;
+
+    if (!semid)
+        return (-1);
+
+    op[0].sem_num   = 0;
+    op[0].sem_op    = -1;
+    op[0].sem_flg   = SEM_UNDO;
+    ret = semop(semid, op, 1);
+
+    if (ret)
+    {
+        printf("semaphore lock error: %d\n", ret);
+        perror("exauth_lockshm");
+    }
+
+    return (ret);
+}
+
+
+/*unlock the shared mem*/
+int exauth_unlockshm()
+{
+    struct sembuf       op[1];
+    int         ret;
+
+    if (!semid)
+        return (-1);
+
+    op[0].sem_num       = 0;
+    op[0].sem_op        = 1;
+    /* bug 21614, chengfei, 20090409
+ *  *      * SEM_UNDO: automatically unlock semphore when process exit.
+ *   *              * The flag should be set/unset consistent with lock operation.
+ *    *                      */
+    op[0].sem_flg       = SEM_UNDO;
+    ret = semop(semid, op, 1);
+
+    if (ret)
+    {
+       printf("semaphore unlock error: %d\n", ret);
+       perror("exauth_unlockshm");
+    }
+
+    return (ret);
+}
+
+/*update the shared mem*/
+int set_auth_conf(exauth_conf_t **shm_p_p, exauth_conf_t *conf_p)
+{
+    exauth_conf_t *shm_p = NULL;
+
+    if (!initialized)
+    {
+        if (exauth_init_ipc(shm_p_p) < 0)
+        {
+            return -1;
+        }
+    }
+
+    shm_p = *shm_p_p;
+
+    if (shm_p == NULL)
+    {
+        printf ("set_auth_conf: shm_p is NULL\n");
+        return -1;
+    }
+
+    if (conf_p == NULL)
+    {
+        printf ("set_auth_conf: conf_p is NULL\n");
+        return -1;
+    }
+
+    /*lock the mem*/
+    if (exauth_lockshm() < 0)
+    {
+        printf("set_auth_conf: semaphore lock error\n");
+        return -1;
+    }
+
+    /*update the shared mem*/
+    memcpy(shm_p, conf_p, sizeof(exauth_conf_t));
+
+    /*unlock the mem*/
+    if (exauth_unlockshm() < 0)
+    {
+        printf("set_auth_conf: semaphore unlock error\n");
+        return -1;
+    }
+
+    /*
+ *  *      show_conf(shm_p, shmid, semid,"set_auth_conf: shm_p");
+ *   *              show_conf(conf_p, shmid, semid,"set_auth_conf: conf_p");
+ *    *                      */
+
+    return 0;
+}
+
+
+/*get exauth conf from the shared mem*/
+int get_auth_conf(exauth_conf_t **shm_p_p, exauth_conf_t *conf_p)
+{
+    exauth_conf_t *shm_p = NULL;
+    int ret = 0;
+
+    if (!initialized)
+    {
+        if (exauth_init_ipc(shm_p_p) < 0)
+        {
+            return -1;
+        }
+    }
+
+    shm_p = *shm_p_p;
+
+    if (shm_p == NULL)
+    {
+        printf ("get_auth_conf: shm_p is NULL\n");
+        return -1;
+    }
+
+    if (conf_p == NULL)
+    {
+        printf ("get_auth_conf: conf_p is NULL\n");
+        return -1;
+    }
+
+    /*lock the mem*/
+    if ((ret =exauth_lockshm()) < 0)
+    {
+        printf("get_auth_conf: semaphore lock error\n");
+        return -1;
+    }
+
+    /*get the conf*/
+    memcpy(conf_p, shm_p, sizeof(exauth_conf_t));
+
+    /*unlock the mem*/
+    if ((ret = exauth_unlockshm()) < 0)
+    {
+        printf("get_auth_conf: semaphore unlock error\n");
+        return -1;
+    }
+
+    /*
+ *  *      show_conf(shm_p, shmid, semid,"get_auth_conf: shm_p");
+ *   *              show_conf(conf_p, shmid, semid,"get_auth_conf: conf_p");
+ *    *                      */
+
+    return 0;
+}
+
+/*release exauth ipc resource*/
+int exauth_release_ipc(exauth_conf_t *shm_p)
+{
+    int ret =0 ;
+    union semun arg;
+
+    if (shmdt((char *)shm_p) < 0)
+    {
+        printf("exauth_release_ipc: release shared memory error\n");
+        ret = -1;
+    }
+
+    if ((shmctl(shmid, IPC_RMID, 0)) < 0)
+    {
+        printf("exauth_release_ipc: release shared memomy error\n");
+        ret = -1;
+    }
+
+    if ((semctl(semid, 0, IPC_RMID, arg)) <0)
+    {
+        printf("exauth_release_ipc: release semaphore error\n");
+        ret = -1;
+    }
+
+    return ret;
+}
+
+int get_shmid(void)
+{
+    return shmid;
+}
+
+int get_semid(void)
+{
+    return semid;
+}
+
+int show_conf(exauth_conf_t *conf_p, int shmid, int semid, char* title)
+{
+    int i = 0;
+
+    exau_log ("**************** BEGIN %s ****************", title);
+
+    exau_log ("shmid: %d, semid: %d",shmid, semid);
+
+    if (conf_p)
+    {
+        exau_log ("Address of %s: %p", title, conf_p);
+        
+        if (conf_p->external_auth_on == EXT_AUTH_ON)
+        {
+            exau_log ("external_auth_on: EXT_AUTH_ON");
+        }
+
+        if (conf_p->external_auth_on == EXT_AUTH_OFF)
+        {
+            exau_log ("external_auth_on: EXT_AUTH_OFF");
+        }
+
+        if (conf_p->external_authorize_on == EXT_AUTHORIZE_ON)
+        {
+            exau_log ("external_authorize_on: EXT_AUTHORIZE_ON");
+        }
+
+        if (conf_p->external_authorize_on == EXT_AUTHORIZE_OFF)
+        {
+            exau_log ("external_authorize_on: EXT_AUTHORIZE_OFF");
+        }
+
+        if (conf_p->exau_method == METHOD_LDAP)
+        {
+            exau_log ("exau_method: LDAP");
+        }
+
+        for (i = 0; i < MAX_EXAU_SERVER_NUM; i++)
+        {
+            exau_log ("exauth_servers[%d]:", i);
+            if (*conf_p->exauth_servers[i].id == '\0')
+            {
+                exau_log("\tid: NULL");
+            }
+            else
+            {
+                exau_log("\tid: %s", conf_p->exauth_servers[i].id);
+                exau_log("\tid.len: %d", strlen(conf_p->exauth_servers[i].id));
+            }
+
+            if (*conf_p->exauth_servers[i].host == '\0')
+            {
+                exau_log("\thost: NULL");
+            }
+            else
+            {
+                exau_log("\thost: %s", conf_p->exauth_servers[i].host);
+                exau_log("\thost.len: %d", strlen(conf_p->exauth_servers[i].host));
+            }
+
+            exau_log ("\tport: %d",conf_p->exauth_servers[i].port);
+
+            if (*conf_p->exauth_servers[i].secret == '\0')
+            {
+                exau_log("\tsecret: NULL");
+            }
+            else
+            {
+                exau_log("\tsecret: %s", conf_p->exauth_servers[i].secret);
+                exau_log("\tsecret.len: %d", strlen(conf_p->exauth_servers[i].secret));
+            }
+
+            exau_log ("\ttimeout: %d",conf_p->exauth_servers[i].timeout);
+            exau_log ("\tmax_retry: %d",conf_p->exauth_servers[i].max_retry);
+            exau_log ("");
+        }
+
+    }
+    else
+    {
+        exau_log ("conf_p is NULL");
+    }
+
+    exau_log ("**************** END %s ****************", title);
+
+    return 0;
+}
+
+#undef AES_BLOCK_SIZE
+#define AES_BLOCK_SIZE 16
+
+/***********************************************************************
+ *  * * This func is for changing server secret from plaintext to ciphertext
+ *   * * via AES128 encrypt and base64 encode
+ *    * *
+ *     * * secret_in: server secret in plaintext, max length is SECRET_LEN
+ *      * * secret_out: server secret in ciphertext, this is looger than secret_in
+ *       * *             but shorter than 2 times of SECRET_LEN
+ *        * *
+ *         * ************************************************************************/
+
+int
+encrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[AES_BLOCK_SIZE];
+        unsigned char iv[AES_BLOCK_SIZE];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, SECRET_LEN);
+        len = strlen((char *)temp) + 1;
+
+        if (len % AES_BLOCK_SIZE != 0) {
+                len = (len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE;
+        }
+
+        for (i = 0; i < AES_BLOCK_SIZE; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < AES_BLOCK_SIZE; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+
+        if (AES_set_encrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(secret_in, temp, len, &aes_key, iv, AES_ENCRYPT);
+
+        EVP_EncodeBlock(secret_out, temp, len);
+
+        return 0;
+}
+
+/***********************************************************************
+ *  * * This func is for changing server secret from ciphertext to plaintext
+ *   * * via base64 decode and AES128 decrypt
+ *    * *
+ *     * * secret_in: server secret in ciphertext, max length is 4/3 times of
+ *      * *            SECRET_LEN
+ *       * * secret_out: server secret in plaintext, this is shorter than SECRET_LEN
+ *        * *
+ *         * ************************************************************************/
+
+int
+decrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[AES_BLOCK_SIZE];
+        unsigned char iv[AES_BLOCK_SIZE];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, 2 * SECRET_LEN);
+        temp[2 * SECRET_LEN - 1] = '\0';
+        len = strlen((char *)temp);
+
+        if (len > (SECRET_LEN / 3 * 4)) {
+                return -1;
+        }
+
+        if (len < 24) {
+                /* encrypted secret is 16 Byte at least, after base64 it is 24 */
+                return -1;
+        }
+
+        len = EVP_DecodeBlock(temp, secret_in, len);
+
+        if (len == -1) {
+                return -1;
+        }
+
+        len -= len % AES_BLOCK_SIZE;
+
+        for (i = 0; i < AES_BLOCK_SIZE; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < AES_BLOCK_SIZE; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+    
+    if (AES_set_decrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(temp, secret_out, len, &aes_key, iv, AES_DECRYPT);
+
+        return 0;
+}
+
+#undef AES_BLOCK_SIZE
+
+
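Review bot: exauth_init_ipc creates the shared-memory segment and semaphore that hold the external-auth configuration, including each server's `secret`, with `IPC_CREAT|IPC_EXCL|0666`, so any local user can read the bind secret, rewrite the server list or the authorize flag, or hold the lock indefinitely; the mode should be `0600` (or a group mode for the identity the CLI and backend run as). The same function also runs `semctl(semid, 0, SETVAL, arg)` on a semaphore that already existed, which silently releases a lock another process may hold at that moment — the reset belongs only in the branch that just created the semaphore (sketch below), and the fallback `semget`/`shmget` results should be checked for -1 before use. In exauth_lockshm/exauth_unlockshm, `if (!semid) return (-1);` treats 0 as "not initialised" although 0 is a valid System V id and -1 is the failure value; testing `initialized` is the safer guard. Separately, encrypt_secret/decrypt_secret derive the AES-128 key and IV from the constants `"ARRAYCLICK"`/`"ARRAYISBEST"`, so the AAA_SECRET_ENCRYPTED form is reversible by anyone holding the binary; the function comments should state that this is obfuscation rather than encryption (or the key should come from per-device secret material), and show_conf should not write the `secret` field to exau_log verbatim. encrypt_secret additionally computes `len` with `strlen` on `temp`, which is only NUL-terminated if `secret_in` is, and then encrypts `len` (rounded up to 16) bytes read from `secret_in` rather than from `temp`, which can over-read a SECRET_LEN-sized caller buffer unless SECRET_LEN is a multiple of 16 — terminate `temp` (`temp[SECRET_LEN - 1] = '\0';`) and pass `temp` as the AES input.
```c
int exauth_init_ipc(exauth_conf_t **shm_p_p)
{
    union semun arg;
    /* 0600: the segment holds LDAP bind secrets and the auth policy */
    int perm = IPC_CREAT|IPC_EXCL|0600;
    int shm_existed = 0;

    semid = semget(EXAUTH_SEM_KEY, 1, perm);
    if (semid < 0) {
        if (errno != EEXIST) {
            printf("exauth: create semid error\n");
            return -1;
        }
        /* attach to the existing semaphore; do NOT reset its value,
         * another process may be inside the critical section right now */
        semid = semget(EXAUTH_SEM_KEY, 0, 0);
        if (semid < 0) {
            printf("exauth: get semid error\n");
            return -1;
        }
    } else {
        /* freshly created: initialise to 1 (unlocked) */
        arg.val = 1;
        if (semctl(semid, 0, SETVAL, arg) < 0) {
            printf("exauth: set semaphore value error\n");
            semctl(semid, 0, IPC_RMID, arg);
            return -1;
        }
    }
    /* … unchanged: shmget / shmat / memset / initialized = 1 … */
```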
Index: /branches/rel_avx_2_7_2/src/backend/Makefile
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/Makefile	(revision 8838)
+++ /branches/rel_avx_2_7_2/src/backend/Makefile	(working copy)
@@ -18,6 +18,8 @@
 LIBS+= -lcrypt -lcurses -lm \
        -lpthread -lxml2 -lvirt\
        -L${TOP}/lib/casnmp -lcasnmp\
+       -L${TOP}/centos72/usr/lib64 -lldap\
+       -L${TOP}/lib/exauth -lexauth\
        -L${TOP}/lib/avxpci -lavxpci\
        -L${TOP}/lib/vtch -lvtch -lmsgpack -lresolv\
        -lxmlrpc_util -lxmlrpc -lxmlrpc_client\
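Review bot: libexauth calls AES_*/EVP_* from libcrypto (auth_ext_ipc.c in this same commit), but the libraries added here are only `-lldap` and `-lexauth`; unless `-lcrypto` already appears on a LIBS line outside this hunk, the backend link will fail with undefined references from libexauth.a. Order also matters for a static archive on toolchains that link with `--as-needed`: `-lexauth` should precede the libraries it depends on, i.e. `-L${TOP}/lib/exauth -lexauth -L${TOP}/centos72/usr/lib64 -lldap -lcrypto`. The LIBS assignment continues outside the hunk.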
@@ -47,7 +49,7 @@
 ROBJS=recovery.o
 
 FLAGS =$(JSON_LIB) -Wformat -Wall -Wno-long-long  -O -I${TOP}/kern/monitor -I${TOP}/lib/ \
-	 -I${TOP}/lib/casnmp -I${TOP}/lib/avxpci -I${TOP}/lib/feactl  \
+	 -I${TOP}/lib/casnmp -I${TOP}/lib/exauth -I${TOP}/lib/avxpci -I${TOP}/lib/feactl  \
      -I ${TOP}/src/library/avxnet/ \
 	 -I ${TOP}/src/library/avx_log -I$(TOP)/src/library/avxha \
 	 -I ${TOP}/src/library/avxresource/ -L${TOP}/src/library/avxresource/ 
Index: /branches/rel_avx_2_7_2/src/cli/Makefile
===================================================================
--- /branches/rel_avx_2_7_2/src/cli/Makefile	(revision 8838)
+++ /branches/rel_avx_2_7_2/src/cli/Makefile	(working copy)
@@ -21,6 +21,8 @@
 		-L ../../lib/vtch/ -lvtch -lmsgpack \
 		-L ../../lib/feactl/ -lfeactl -lpcre \
 		-L ../library/avxnet -lavxnet \
+		-L ${TOP}/centos72/usr/lib64/ -lldap \
+		-L../../lib/exauth -lexauth \
 		-L../../lib/casnmp -lcasnmp -lcurl -luuid -L../library/avxha -lavxha -lxmlrpc_util -lxmlrpc -lxmlrpc_client \
 		-I${TOP}/src/library/avxresource/ -L${TOP}/src/library/avxresource/ -lavxresource
 
Index: /branches/rel_avx_2_7_2/src/generator/commands.pm
===================================================================
--- /branches/rel_avx_2_7_2/src/generator/commands.pm	(revision 8838)
+++ /branches/rel_avx_2_7_2/src/generator/commands.pm	(working copy)
@@ -7206,6 +7206,229 @@
             optional => "NO",
         }, ],
     },
+    {
+                obj_type => "MENU",
+                name => "admin",
+                parent_menu => ".",
+                uniq_name => "root_admin",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "Administration configuration",
+        },
+        {
+                obj_type => "MENU",
+                name => "aaa",
+                parent_menu => "root_admin",
+                uniq_name => "root_admin_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "External authentication configuration",
+        },
+        {
+                obj_type => "ITEM",
+                name => "on",
+                menu => "root_admin_aaa",
+                help_string => "Turn on external authentication",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_on",
+                function_args => [
+                                                        {
+                                                                type => "U32",
+                                                                help_string => "Priority. 0: local database first; 1: external AAA server first. (Default = 0)",
+                                                                optional => "YES",
+                                                                default_value => 0,
+                                                        },
+                                                ],
+        },
+        {
+                obj_type => "ITEM",
+                name => "off",
+                menu => "root_admin_aaa",
+                help_string => "Turn off external authentication",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_off",
+                function_args => [],
+        },
+        {
+                obj_type => "ITEM",
+                name => "method",
+                menu => "root_admin_aaa",
+                help_string => "Set external authentication method",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_method",
+                function_args => [{
+                                                                type => "STRING",
+                                                                help_string => "method name(LDAP, default is LDAP)",
+                                                                optional => "YES",
+                                                                default_value => "\"LDAP\"",
+                },],
+        },
+        {
+                obj_type => "MENU",
+                name => "server",
+                parent_menu => "root_admin_aaa",
+                uniq_name => "root_admin_server_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "External authentication server configuration",
+        },
+        {
+                obj_type => "ITEM",
+                name => "ldap",
+                menu => "root_admin_server_aaa",
+                help_string => "Configure external authentication server",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_server",
+                function_args => [{
+                                                                type => "STRING",
+                                                                help_string => "id, es01(request will be sent to server es01)",
+                                                                optional => "NO",
+                                                   },
+                                                   {
+                                                                type => "STRING",
+                                                                help_string => "Host name or ip address",
+                                                                optional => "NO",
+                                                        },
+                                                        {
+                                                                type => "U16",
+                                                                help_string => "Port",
+                                                                optional => "NO",
+                                                        },
+                                                        {
+                                                                type => "STRING",
+                                                                help_string => "dn (Ex. OU=Eng,dc=example,dc=in)",
+                                                                optional => "YES",
+                                                                default_value => "\"\"",
+                                                        },
+                                                        {
+                                                                type => "STRING",
+                                                                help_string => "memberOf (Ex. CN=Engineering,DC=example,DC=in)",
+                                                                optional => "YES",
+                                                                default_value => "\"\"",
+                                                        },
+                                                 ],
+        },
+        {
+                obj_type => "MENU",
+                name => "authorize",
+                parent_menu => "root_admin_aaa",
+                uniq_name => "root_admin_aaa_authorize",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "External authorization configuration",
+        },
+        {
+                obj_type => "ITEM",
+                name => "on",
+                menu => "root_admin_aaa_authorize",
+                help_string => "Turn on external authorization",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_authorize_on",
+                function_args => [],
+        },
+        {
+                obj_type => "ITEM",
+                name => "off",
+                menu => "root_admin_aaa_authorize",
+                help_string => "Turn off external authorization",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "exauth_authorize_off",
+                function_args => [],
+        },
+        {
+                obj_type => "MENU",
+                name => "admin",
+                parent_menu => "root_show",
+                uniq_name => "root_show_admin",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "show administration configurations",
+        }, 
+        {
+                obj_type => "MENU",
+                name => "aaa",
+                parent_menu => "root_show_admin",
+                uniq_name => "root_show_admin_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "Display external authentication configurations",
+        },
+        {
+                obj_type => "ITEM",
+                name => "all",
+                menu => "root_show_admin_aaa",
+                help_string => "Display all external authentication configurations",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                function_name => "show_exauth_all",
+                function_args => [],
+        },
+        {
+                obj_type => "MENU",
+                name => "admin",
+                parent_menu => "root_no",
+                uniq_name => "root_no_admin",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                help_string => "Delete administration configurations",
+        },
+        {
+                obj_type => "MENU",
+                name => "aaa",
+                parent_menu => "root_no_admin",
+                uniq_name => "root_no_admin_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "Delete external authentication configurations",
+        },
+        {
+                obj_type => "ITEM",
+                name => "server",
+                menu => "root_no_admin_aaa",
+                help_string => "Delete external authentication server",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "no_exauth_server",
+                function_args => [{
+                                                                type => "STRING",
+                                                                help_string => "server id",
+                                                                optional => "NO",
+                },],
+        },
+        {
+                obj_type => "MENU",
+                name => "admin",
+                parent_menu => "root_clear",
+                uniq_name => "root_clear_admin",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "Clear administration configurations",
+        },
+        {
+                obj_type => "MENU",
+                name => "aaa",
+                parent_menu => "root_clear_admin",
+                uniq_name => "root_clear_admin_aaa",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_ENABLE",
+                help_string => "Clear external authentication configurations",
+        },
+        {
+                obj_type => "ITEM",
+                name => "all",
+                menu => "root_clear_admin_aaa",
+                help_string => "Clear all external authentication configurations",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "clear_exauth_all",
+                function_args => [],
+        },
 );
 
 # This method is required to expost the command table to the caller.
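Review bot: The `user_level` values in this table are inconsistent between menus and the items under them: the `authorize` menu (`root_admin_aaa_authorize`), the `no admin aaa` menu and both `clear admin` menus are declared `CLI_LEVEL_ENABLE`, while every item they contain and the sibling configuration menus are `CLI_LEVEL_CONFIG`. If the generator gates menu entry on the menu's own level, an enable-mode operator can at least reach and tab-complete the commands that toggle external authorization or wipe the AAA configuration, and whether the item level is enforced afterwards cannot be verified from this file. Setting `user_level => "CLI_LEVEL_CONFIG",` on those four menus matches the rest of the `admin` tree and removes the ambiguity. A short comment above the `admin` MENU entry noting that the whole `admin aaa` subtree is configuration-level would help the next person who adds an item here.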
