From cd9bc84240c99ed744e5ee44db18d925a5292ffd Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: May 26 2016 16:47:05 +0000 Subject: Rename syncreq.[ch] to otpctrl.[ch] This gives us a place to handle all OTP related controls. Also, genericize otpctrl_present() so that the OID can be specified as an argument to the function call. These changes are preparatory for the subsequent patches. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose --- diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 078ff9c..46a6491 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -47,7 +47,7 @@ libipa_pwd_extop_la_SOURCES = \ encoding.c \ prepost.c \ ipa_pwd_extop.c \ - syncreq.c \ + otpctrl.c \ $(KRB5_UTIL_SRCS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.c new file mode 100644 index 0000000..ce26abe --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.c @@ -0,0 +1,107 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Nathaniel McCallum + * + * Copyright (C) 2013 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + +#include "../libotp/otp_token.h" +#include "otpctrl.h" + +bool otpctrl_present(Slapi_PBlock *pb, const char *oid) +{ + LDAPControl **controls = NULL; + + if (slapi_pblock_get(pb, SLAPI_REQCONTROLS, &controls) != 0) + return false; + + return ldap_control_find(oid, controls, NULL) != NULL; +} + +bool otpctrl_sync_handle(const struct otp_config *cfg, Slapi_PBlock *pb, + const char *user_dn) +{ + struct otp_token **tokens = NULL; + LDAPControl **controls = NULL; + struct berval *second = NULL; + struct berval *first = NULL; + BerElement *ber = NULL; + char *token_dn = NULL; + bool success; + + if (slapi_pblock_get(pb, SLAPI_REQCONTROLS, &controls) != 0) + return false; + + if (controls == NULL || controls[0] == NULL) + return false; + + for (int i = 0; controls[i] != NULL; i++) { + if (strcmp(controls[i]->ldctl_oid, OTP_SYNC_REQUEST_OID) != 0) + continue; + + /* Decode the request. */ + ber = ber_init(&controls[i]->ldctl_value); + if (ber == NULL) + return false; + + /* Decode the token codes. */ + if (ber_scanf(ber, "{OO", &first, &second) == LBER_ERROR) { + ber_free(ber, 1); + return false; + } + + /* Decode the optional token DN. */ + (void)ber_scanf(ber, "a", &token_dn); + + /* Process the synchronization. */ + success = false; + if (ber_scanf(ber, "}") != LBER_ERROR) { + tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL); + if (tokens != NULL) { + success = otp_token_validate_berval(tokens, first, second); + otp_token_free_array(tokens); + } + } + + ber_memfree(token_dn); token_dn = NULL; + ber_bvfree(second); + ber_bvfree(first); + ber_free(ber, 1); + if (!success) + return false; + } + + return true; +} diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.h new file mode 100644 index 0000000..c38d491 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otpctrl.h @@ -0,0 +1,63 @@ +/** BEGIN COPYRIGHT BLOCK + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Additional permission under GPLv3 section 7: + * + * In the following paragraph, "GPL" means the GNU General Public + * License, version 3 or any later version, and "Non-GPL Code" means + * code that is governed neither by the GPL nor a license + * compatible with the GPL. + * + * You may link the code of this Program with Non-GPL Code and convey + * linked combinations including the two, provided that such Non-GPL + * Code only links to the code of this Program through those well + * defined interfaces identified in the file named EXCEPTION found in + * the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline + * functions from the Approved Interfaces without causing the resulting + * work to be covered by the GPL. Only the copyright holders of this + * Program may make changes or additions to the list of Approved + * Interfaces. + * + * Authors: + * Nathaniel McCallum + * + * Copyright (C) 2013 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + + +#ifndef OTPCTRL_H_ +#define OTPCTRL_H_ + +#include "../libotp/otp_config.h" +#include + +/* + * The ASN.1 encoding of the request structure: + * + * OTPSyncRequest ::= SEQUENCE { + * firstCode OCTET STRING, + * secondCode OCTET STRING, + * tokenDN OCTET STRING OPTIONAL + * } + */ +#define OTP_SYNC_REQUEST_OID "2.16.840.1.113730.3.8.10.6" + +bool otpctrl_present(Slapi_PBlock *pb, const char *oid); + +bool otpctrl_sync_handle(const struct otp_config *cfg, Slapi_PBlock *pb, + const char *user_dn); + +#endif /* OTPCTRL_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index c1fc7fe..f41b1ac 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -62,7 +62,7 @@ #include "ipapwd.h" #include "util.h" -#include "syncreq.h" +#include "otpctrl.h" #define IPAPWD_OP_NULL 0 #define IPAPWD_OP_ADD 1 @@ -1450,7 +1450,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) } /* Try to do OTP first. */ - syncreq = sync_request_present(pb); + syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID); if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) goto invalid_creds; @@ -1466,7 +1466,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) } /* Attempt to handle a token synchronization request. */ - if (syncreq && !sync_request_handle(otp_config, pb, dn)) + if (syncreq && !otpctrl_sync_handle(otp_config, pb, dn)) goto invalid_creds; /* Attempt to write out kerberos keys for the user. */ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c deleted file mode 100644 index 3a31529..0000000 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c +++ /dev/null @@ -1,107 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * Additional permission under GPLv3 section 7: - * - * In the following paragraph, "GPL" means the GNU General Public - * License, version 3 or any later version, and "Non-GPL Code" means - * code that is governed neither by the GPL nor a license - * compatible with the GPL. - * - * You may link the code of this Program with Non-GPL Code and convey - * linked combinations including the two, provided that such Non-GPL - * Code only links to the code of this Program through those well - * defined interfaces identified in the file named EXCEPTION found in - * the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline - * functions from the Approved Interfaces without causing the resulting - * work to be covered by the GPL. Only the copyright holders of this - * Program may make changes or additions to the list of Approved - * Interfaces. - * - * Authors: - * Nathaniel McCallum - * - * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -#include "../libotp/otp_token.h" -#include "syncreq.h" - -bool sync_request_present(Slapi_PBlock *pb) -{ - LDAPControl **controls = NULL; - - if (slapi_pblock_get(pb, SLAPI_REQCONTROLS, &controls) != 0) - return false; - - return ldap_control_find(OTP_SYNC_REQUEST_OID, controls, NULL) != NULL; -} - -bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb, - const char *user_dn) -{ - struct otp_token **tokens = NULL; - LDAPControl **controls = NULL; - struct berval *second = NULL; - struct berval *first = NULL; - BerElement *ber = NULL; - char *token_dn = NULL; - bool success; - - if (slapi_pblock_get(pb, SLAPI_REQCONTROLS, &controls) != 0) - return false; - - if (controls == NULL || controls[0] == NULL) - return false; - - for (int i = 0; controls[i] != NULL; i++) { - if (strcmp(controls[i]->ldctl_oid, OTP_SYNC_REQUEST_OID) != 0) - continue; - - /* Decode the request. */ - ber = ber_init(&controls[i]->ldctl_value); - if (ber == NULL) - return false; - - /* Decode the token codes. */ - if (ber_scanf(ber, "{OO", &first, &second) == LBER_ERROR) { - ber_free(ber, 1); - return false; - } - - /* Decode the optional token DN. */ - (void)ber_scanf(ber, "a", &token_dn); - - /* Process the synchronization. */ - success = false; - if (ber_scanf(ber, "}") != LBER_ERROR) { - tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL); - if (tokens != NULL) { - success = otp_token_validate_berval(tokens, first, second); - otp_token_free_array(tokens); - } - } - - ber_memfree(token_dn); token_dn = NULL; - ber_bvfree(second); - ber_bvfree(first); - ber_free(ber, 1); - if (!success) - return false; - } - - return true; -} diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h deleted file mode 100644 index 98a97c4..0000000 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h +++ /dev/null @@ -1,63 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * Additional permission under GPLv3 section 7: - * - * In the following paragraph, "GPL" means the GNU General Public - * License, version 3 or any later version, and "Non-GPL Code" means - * code that is governed neither by the GPL nor a license - * compatible with the GPL. - * - * You may link the code of this Program with Non-GPL Code and convey - * linked combinations including the two, provided that such Non-GPL - * Code only links to the code of this Program through those well - * defined interfaces identified in the file named EXCEPTION found in - * the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline - * functions from the Approved Interfaces without causing the resulting - * work to be covered by the GPL. Only the copyright holders of this - * Program may make changes or additions to the list of Approved - * Interfaces. - * - * Authors: - * Nathaniel McCallum - * - * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - - -#ifndef SYNCREQ_H_ -#define SYNCREQ_H_ - -#include "../libotp/otp_config.h" -#include - -/* - * The ASN.1 encoding of the request structure: - * - * OTPSyncRequest ::= SEQUENCE { - * firstCode OCTET STRING, - * secondCode OCTET STRING, - * tokenDN OCTET STRING OPTIONAL - * } - */ -#define OTP_SYNC_REQUEST_OID "2.16.840.1.113730.3.8.10.6" - -bool sync_request_present(Slapi_PBlock *pb); - -bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb, - const char *user_dn); - -#endif /* SYNCREQ_H_ */