summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
authorNathaniel McCallum <npmccallum@redhat.com>2013-04-16 16:00:09 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-17 09:30:51 +0200
commit5b58348cd316dd817672cb81358ed557c28e09d3 (patch)
tree0c59e7562938554fc3c217a42d0698e08dde3c3a /daemons
parent1e1bab4edc0ce4b70a370deac8109092b53b97a2 (diff)
downloadfreeipa-5b58348cd316dd817672cb81358ed557c28e09d3.tar.gz
freeipa-5b58348cd316dd817672cb81358ed557c28e09d3.tar.xz
freeipa-5b58348cd316dd817672cb81358ed557c28e09d3.zip
Add OTP support to ipa-pwd-extop
During LDAP bind, this now plugin determines if a user is enabled for OTP authentication. If so, then the OTP is validated in addition to the password. This allows 2FA during user binds. https://fedorahosted.org/freeipa/ticket/3367 http://freeipa.org/page/V3/OTP
Diffstat (limited to 'daemons')
-rw-r--r--daemons/configure.ac39
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am42
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/auth.c398
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c130
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c109
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h36
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/otp.c180
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c307
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c82
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/t_totp.c103
10 files changed, 1368 insertions, 58 deletions
diff --git a/daemons/configure.ac b/daemons/configure.ac
index 371c28d04..21d4e7a77 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -22,37 +22,10 @@ AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
AC_SUBST(VERSION)
dnl ---------------------------------------------------------------------------
-dnl - Check for NSPR
+dnl - Check for NSPR/NSS
dnl ---------------------------------------------------------------------------
-AC_CHECK_HEADER(nspr4/nspr.h)
-AC_CHECK_HEADER(nspr/nspr.h)
-if test "x$ac_cv_header_nspr4_nspr_h" = "xno" && test "x$ac_cv_header_nspr_nspr_h" = "xno" ; then
- AC_MSG_ERROR([Required NSPR header not available (nspr-devel)])
-fi
-if test "x$ac_cv_header_nspr4_nspr_h" = "xyes" ; then
- NSPR4="-I/usr/include/nspr4"
-fi
-if test "x$ac_cv_header_nspr_nspr_h" = "xyes" ; then
- NSPR4="-I/usr/include/nspr"
-fi
-
-dnl ---------------------------------------------------------------------------
-dnl - Check for NSS
-dnl ---------------------------------------------------------------------------
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR4
-AC_CHECK_HEADER(nss3/nss.h)
-AC_CHECK_HEADER(nss/nss.h)
-CPPFLAGS=$SAVE_CPPFLAGS
-if test "x$ac_cv_header_nss3_nss_h" = "xno" && test "x$ac_cv_header_nss_nss_h" = "xno" ; then
- AC_MSG_ERROR([Required NSS header not available (nss-devel)])
-fi
-if test "x$ac_cv_header_nss3_nss_h" = "xyes" ; then
- NSS3="-I/usr/include/nss3"
-fi
-if test "x$ac_cv_header_nss_nss_h" = "xyes" ; then
- NSS3="-I/usr/include/nss"
-fi
+PKG_CHECK_MODULES([NSPR], [nspr], [], [AC_MSG_ERROR([libnspr not found])])
+PKG_CHECK_MODULES([NSS], [nss], [], [AC_MSG_ERROR([libnss not found])])
dnl ---------------------------------------------------------------------------
dnl - Check for DS slapi plugin
@@ -60,7 +33,7 @@ dnl ---------------------------------------------------------------------------
# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR4
+CPPFLAGS=$NSPR_CFLAGS
AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
@@ -96,7 +69,7 @@ dnl - Check for Mozilla LDAP and OpenLDAP SDK
dnl ---------------------------------------------------------------------------
SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS="$NSPR4 $NSS3"
+CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
AC_CHECK_HEADER(svrcore.h)
AC_CHECK_HEADER(svrcore/svrcore.h)
if test "x$ac_cv_header_svrcore_h" = "xno" && test "x$ac_cv_header_svrcore_svrcore_h" = "xno" ; then
@@ -144,7 +117,7 @@ AC_ARG_WITH([openldap],
[compile plugins with openldap instead of mozldap])],
[], [])
-LDAP_CFLAGS="${OPENLDAP_CFLAGS} $NSPR4 $NSS3 -DUSE_OPENLDAP"
+LDAP_CFLAGS="${OPENLDAP_CFLAGS} $NSPR_CFLAGS $NSS_CFLAGS -DUSE_OPENLDAP"
LDAP_LIBS="${OPENLDAP_LIBS}"
AC_DEFINE_UNQUOTED(WITH_OPENLDAP, 1, [Use OpenLDAP libraries])
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index 90f940fd3..b53b2e1e4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -1,7 +1,8 @@
NULL =
-PLUGIN_COMMON_DIR=../common
-KRB5_UTIL_DIR= ../../../util
+MAINTAINERCLEANFILES = *~ Makefile.in
+PLUGIN_COMMON_DIR = ../common
+KRB5_UTIL_DIR = ../../../util
KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
$(KRB5_UTIL_DIR)/ipa_pwd.c \
$(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
@@ -23,13 +24,30 @@ AM_CPPFLAGS = \
$(SSL_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
+
+AM_LDFLAGS = \
+ $(KRB5_LIBS) \
+ $(SSL_LIBS) \
+ $(LDAP_LIBS) \
+ $(NSPR_LIBS) \
+ $(NSS_LIBS) \
+ -avoid-version \
+ -export-symbols-regex ^ipapwd_init$
-plugindir = $(libdir)/dirsrv/plugins
-plugin_LTLIBRARIES = \
- libipa_pwd_extop.la \
- $(NULL)
+# OTP Convenience Library and Tests
+noinst_LTLIBRARIES = libotp.la
+libotp_la_SOURCES = otp.c
+check_PROGRAMS = t_hotp t_totp
+t_hotp_LDADD = libotp.la
+t_totp_LDADD = libotp.la
+TESTS = $(check_PROGRAMS)
+# Plugin Binary
+plugindir = $(libdir)/dirsrv/plugins
+plugin_LTLIBRARIES = libipa_pwd_extop.la
+libipa_pwd_extop_la_LIBADD = libotp.la
libipa_pwd_extop_la_SOURCES = \
+ auth.c \
common.c \
encoding.c \
prepost.c \
@@ -37,14 +55,6 @@ libipa_pwd_extop_la_SOURCES = \
$(KRB5_UTIL_SRCS) \
$(NULL)
-libipa_pwd_extop_la_LDFLAGS = -avoid-version
-
-libipa_pwd_extop_la_LIBADD = \
- $(KRB5_LIBS) \
- $(SSL_LIBS) \
- $(LDAP_LIBS) \
- $(NULL)
-
appdir = $(IPA_DATA_DIR)
app_DATA = \
pwd-extop-conf.ldif \
@@ -55,6 +65,4 @@ EXTRA_DIST = \
$(app_DATA) \
$(NULL)
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
+
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/auth.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/auth.c
new file mode 100644
index 000000000..ae47bab33
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/auth.c
@@ -0,0 +1,398 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 3 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include "ipapwd.h"
+
+#define IPA_OTP_TOKEN_TOTP_OC "ipaTokenTOTP"
+#define IPA_OTP_DEFAULT_TOKEN_ALGORITHM "sha1"
+#define IPA_OTP_DEFAULT_TOKEN_OFFSET 0
+#define IPA_OTP_DEFAULT_TOKEN_STEP 30
+
+/*
+ * From otp.c
+ */
+bool ipapwd_hotp(const uint8_t *key, size_t len, const char *algo, int digits,
+ uint64_t counter, uint32_t *out);
+
+bool ipapwd_totp(const uint8_t *key, size_t len, const char *algo, int digits,
+ time_t time, int offset, unsigned int step, uint32_t *out);
+
+/* From ipa_pwd_extop.c */
+extern void *ipapwd_plugin_id;
+
+/* Data types. */
+struct token {
+ struct {
+ uint8_t *data;
+ size_t len;
+ } key;
+ char *algo;
+ int len;
+ union {
+ struct {
+ uint64_t counter;
+ } hotp;
+ struct {
+ unsigned int step;
+ int offset;
+ } totp;
+ };
+ bool (*auth)(const struct token *token, uint32_t otp);
+};
+
+struct credentials {
+ struct token token;
+ Slapi_Value *ltp;
+ uint32_t otp;
+};
+
+static const char *valid_algos[] = { "sha1", "sha256", "sha384",
+ "sha512", NULL };
+
+static inline bool is_algo_valid(const char *algo)
+{
+ int i, ret;
+
+ for (i = 0; valid_algos[i]; i++) {
+ ret = strcasecmp(algo, valid_algos[i]);
+ if (ret == 0)
+ return true;
+ }
+
+ return false;
+}
+
+static const struct berval *entry_attr_get_berval(const Slapi_Entry* e,
+ const char *type)
+{
+ Slapi_Attr* attr = NULL;
+ Slapi_Value *v;
+ int ret;
+
+ ret = slapi_entry_attr_find(e, type, &attr);
+ if (ret != 0 || attr == NULL)
+ return NULL;
+
+ ret = slapi_attr_first_value(attr, &v);
+ if (ret < 0)
+ return NULL;
+
+ return slapi_value_get_berval(v);
+}
+
+/* Authenticate a totp token. Return zero on success. */
+static bool auth_totp(const struct token *token, uint32_t otp)
+{
+ time_t times[5];
+ uint32_t val;
+ int i;
+
+ /* Get the token value for now and two steps in either direction. */
+ times[0] = time(NULL);
+ times[1] = times[0] + token->totp.step * 1;
+ times[2] = times[0] - token->totp.step * 1;
+ times[3] = times[0] + token->totp.step * 2;
+ times[4] = times[0] - token->totp.step * 2;
+ if (times[0] == -1)
+ return false;
+
+ /* Check all the times for a match. */
+ for (i = 0; i < sizeof(times) / sizeof(times[0]); i++) {
+ if (!ipapwd_totp(token->key.data, token->key.len, token->algo,
+ token->len, times[i], token->totp.offset,
+ token->totp.step, &val)) {
+ return false;
+ }
+
+ if (val == otp) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static void token_free_contents(struct token *token)
+{
+ if (token == NULL)
+ return;
+
+ slapi_ch_free_string(&token->algo);
+ slapi_ch_free((void **) &token->key.data);
+}
+
+/* Decode an OTP token entry. Return zero on success. */
+static bool token_decode(Slapi_Entry *te, struct token *token)
+{
+ const struct berval *tmp;
+
+ /* Get key. */
+ tmp = entry_attr_get_berval(te, IPA_OTP_TOKEN_KEY_TYPE);
+ if (tmp == NULL) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "token_decode: key not set for token \"%s\".\n",
+ slapi_entry_get_ndn(te));
+ return false;
+ }
+ token->key.len = tmp->bv_len;
+ token->key.data = (void *) slapi_ch_malloc(token->key.len);
+ memcpy(token->key.data, tmp->bv_val, token->key.len);
+
+ /* Get length. */
+ token->len = slapi_entry_attr_get_int(te, IPA_OTP_TOKEN_LENGTH_TYPE);
+ if (token->len < 6 || token->len > 10) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "token_decode: %s is not defined or invalid "
+ "for token \"%s\".\n", IPA_OTP_TOKEN_LENGTH_TYPE,
+ slapi_entry_get_ndn(te));
+ token_free_contents(token);
+ return false;
+ }
+
+ /* Get algorithm. */
+ token->algo = slapi_entry_attr_get_charptr(te,
+ IPA_OTP_TOKEN_ALGORITHM_TYPE);
+ if (token->algo == NULL)
+ token->algo = slapi_ch_strdup(IPA_OTP_DEFAULT_TOKEN_ALGORITHM);
+ if (!is_algo_valid(token->algo)) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "token_decode: invalid token algorithm "
+ "specified for token \"%s\".\n",
+ slapi_entry_get_ndn(te));
+ token_free_contents(token);
+ return false;
+ }
+
+ /* Currently, we only support TOTP. */
+ token->auth = auth_totp;
+
+ /* Get offset. */
+ token->totp.offset = slapi_entry_attr_get_int(te,
+ IPA_OTP_TOKEN_OFFSET_TYPE);
+ if (token->totp.offset == 0)
+ token->totp.offset = IPA_OTP_DEFAULT_TOKEN_OFFSET;
+
+ /* Get step. */
+ token->totp.step = slapi_entry_attr_get_uint(te, IPA_OTP_TOKEN_STEP_TYPE);
+ if (token->totp.step == 0)
+ token->totp.step = IPA_OTP_DEFAULT_TOKEN_STEP;
+
+ return true;
+}
+
+static void credentials_free_contents(struct credentials *credentials)
+{
+ if (!credentials)
+ return;
+
+ token_free_contents(&credentials->token);
+ slapi_value_free(&credentials->ltp);
+}
+
+/* Parse credentials and token entry. Return zero on success. */
+static bool credentials_parse(Slapi_Entry *te, struct berval *creds,
+ struct credentials *credentials)
+{
+ char *tmp;
+ int len;
+
+ if (!token_decode(te, &credentials->token))
+ return false;
+
+ /* Is the credential too short? If so, error. */
+ if (credentials->token.len >= creds->bv_len) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "credentials_parse: supplied credential is less "
+ "than or equal to %s for token \"%s\".\n",
+ IPA_OTP_TOKEN_LENGTH_TYPE, slapi_entry_get_ndn(te));
+ token_free_contents(&credentials->token);
+ return false;
+ }
+
+ /* Extract the password from the supplied credential. We hand the
+ * memory off to a Slapi_Value, so we don't want to directly free the
+ * string. */
+ len = creds->bv_len - credentials->token.len;
+ tmp = slapi_ch_calloc(len + 1, sizeof(char));
+ strncpy(tmp, creds->bv_val, len);
+ credentials->ltp = slapi_value_new_string_passin(tmp);
+
+ /* Extract the token value as a (minimum) 32-bit unsigned integer. */
+ tmp = slapi_ch_calloc(credentials->token.len + 1, sizeof(char));
+ strncpy(tmp, creds->bv_val + len, credentials->token.len);
+ credentials->otp = strtoul(tmp, NULL, 10);
+ slapi_ch_free_string(&tmp);
+
+ return true;
+}
+
+/*
+ * Attempts to perform OTP authentication for the passed in bind entry using
+ * the passed in credentials.
+ */
+bool ipapwd_do_otp_auth(Slapi_Entry *bind_entry, struct berval *creds)
+{
+ Slapi_PBlock *search_pb = NULL;
+ Slapi_Value **pwd_vals = NULL;
+ Slapi_Attr *pwd_attr = NULL;
+ Slapi_Entry **tokens = NULL;
+ Slapi_DN *base_sdn = NULL;
+ Slapi_Backend *be = NULL;
+ char *user_dn = NULL;
+ char *filter = NULL;
+ int pwd_numvals = 0;
+ bool ret = false;
+ int result = 0;
+ int hint = 0;
+ int i = 0;
+
+ search_pb = slapi_pblock_new();
+
+ /* Fetch the user DN. */
+ user_dn = slapi_entry_get_ndn(bind_entry);
+ if (user_dn == NULL) {
+ slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: error retrieving bind DN.\n");
+ goto done;
+ }
+
+ /* Search for TOTP tokens associated with this user. We search for
+ * tokens who list this user as the owner in the same backend where
+ * the user entry is located. */
+ filter = slapi_ch_smprintf("(&(%s=%s)(%s=%s))", SLAPI_ATTR_OBJECTCLASS,
+ IPA_OTP_TOKEN_TOTP_OC, IPA_OTP_TOKEN_OWNER_TYPE,
+ user_dn);
+
+ be = slapi_be_select(slapi_entry_get_sdn(bind_entry));
+ if (be != NULL) {
+ base_sdn = (Slapi_DN *) slapi_be_getsuffix(be, 0);
+ }
+ if (base_sdn == NULL) {
+ slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: error determining the search "
+ "base for user \"%s\".\n",
+ user_dn);
+ }
+
+ slapi_search_internal_set_pb(search_pb, slapi_sdn_get_ndn(base_sdn),
+ LDAP_SCOPE_SUBTREE, filter, NULL, 0, NULL,
+ NULL, ipapwd_plugin_id, 0);
+
+ slapi_search_internal_pb(search_pb);
+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
+
+ if (LDAP_SUCCESS != result) {
+ slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: error searching for tokens "
+ "associated with user \"%s\" (err=%d).\n",
+ user_dn, result);
+ goto done;
+ }
+
+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &tokens);
+
+ if (tokens == NULL) {
+ /* This user has no associated tokens, so just bail out. */
+ goto done;
+ }
+
+ /* Fetch the userPassword values so we can perform the password checks
+ * when processing tokens below. */
+ if (slapi_entry_attr_find(bind_entry, SLAPI_USERPWD_ATTR, &pwd_attr) != 0 ||
+ slapi_attr_get_numvalues(pwd_attr, &pwd_numvals) != 0) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: no passwords are set for user "
+ "\"%s\".\n", user_dn);
+ goto done;
+ }
+
+ /* We need to create a Slapi_Value array of the present password values
+ * for the compare function. There's no nicer way of doing this. */
+ pwd_vals = (Slapi_Value **) slapi_ch_calloc(pwd_numvals,
+ sizeof(Slapi_Value *));
+
+ for (hint = slapi_attr_first_value(pwd_attr, &pwd_vals[i]); hint != -1;
+ hint = slapi_attr_next_value(pwd_attr, hint, &pwd_vals[i])) {
+ ++i;
+ }
+
+ /* Loop through each token and attempt to authenticate. */
+ for (i = 0; tokens && tokens[i]; i++) {
+ struct credentials credentials;
+
+ /* Parse the token entry and the credentials. */
+ if (!credentials_parse(tokens[i], creds, &credentials))
+ continue;
+
+ /* Check if the password portion of the credential is correct. */
+ i = slapi_pw_find_sv(pwd_vals, credentials.ltp);
+ if (i != 0) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: password check failed when "
+ "processing token \"%s\" for user \"%s\".\n",
+ slapi_entry_get_ndn(tokens[i]), user_dn);
+ credentials_free_contents(&credentials);
+ continue;
+ }
+
+ /* Attempt to perform OTP authentication for this token. */
+ if (!credentials.token.auth(&credentials.token, credentials.otp)) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: OTP auth failed when "
+ "processing token \"%s\" for user \"%s\".\n",
+ slapi_entry_get_ndn(tokens[i]), user_dn);
+ credentials_free_contents(&credentials);
+ continue;
+ }
+
+ /* Authentication successful! */
+ credentials_free_contents(&credentials);
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "ipapwd_do_otp_auth: successfully "
+ "authenticated user \"%s\" using token "
+ "\"%s\".\n",
+ user_dn, slapi_entry_get_ndn(tokens[i]));
+ ret = true;
+ break;
+ }
+
+done:
+ slapi_ch_free_string(&filter);
+ slapi_free_search_results_internal(search_pb);
+ slapi_pblock_destroy(search_pb);
+ return ret;
+}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index bb1d96ade..a54e91d87 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -40,6 +40,9 @@
#include "ipapwd.h"
#include "util.h"
+/* Attribute defines */
+#define IPA_OTP_USER_AUTH_TYPE "ipaUserAuthType"
+
/* Type of connection for this operation;*/
#define LDAP_EXTOP_PASSMOD_CONN_SECURE
@@ -67,6 +70,133 @@ static const char *ipapwd_def_encsalts[] = {
NULL
};
+static PRInt32 g_allowed_auth_types = 0;
+
+/*
+ * Checks if an authentication type is allowed. A NULL terminated
+ * list of allowed auth type values is passed in along with the flag
+ * for the auth type you are inquiring about. If auth_type_list is
+ * NULL, the global config will be consulted.
+ */
+bool ipapwd_is_auth_type_allowed(char **auth_type_list, int auth_type)
+{
+ char *auth_type_value = NULL;
+ int i = 0;
+
+ /* Get the string value for the authentication type we are checking for. */
+ switch (auth_type) {
+ case IPA_OTP_AUTH_TYPE_OTP:
+ auth_type_value = IPA_OTP_AUTH_TYPE_VALUE_OTP;
+ break;
+ case IPA_OTP_AUTH_TYPE_PASSWORD:
+ auth_type_value = IPA_OTP_AUTH_TYPE_VALUE_PASSWORD;
+ break;
+ case IPA_OTP_AUTH_TYPE_PKINIT:
+ auth_type_value = IPA_OTP_AUTH_TYPE_VALUE_PKINIT;
+ break;
+ default: /* Unknown type.*/
+ return false;
+ }
+
+ if (auth_type_list == NULL) {
+ /* Check if the requested authentication type is in the global list. */
+ PRInt32 auth_type_flags;
+
+ /* Do an atomic read of the allowed auth types bit field. */
+ auth_type_flags = PR_ATOMIC_ADD(&g_allowed_auth_types, 0);
+
+ /* Check if the flag for the desired auth type is set. */
+ return auth_type_flags & auth_type;
+ }
+
+ /* Check if the requested authentication type is in the user list. */
+ for (i = 0; auth_type_list[i]; i++) {
+ if (strcasecmp(auth_type_list[i], auth_type_value) == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/*
+ * Parses and validates an OTP config entry. If apply is non-zero, then
+ * we will load and start using the new config. You can simply
+ * validate config without making any changes by setting apply to false.
+ */
+bool ipapwd_parse_otp_config_entry(Slapi_Entry * e, bool apply)
+{
+ PRInt32 allowed_auth_types = 0;
+ PRInt32 default_auth_types = 0;
+ char **auth_types = NULL;
+
+ /* If no auth types are set, we default to only allowing password
+ * authentication. Other authentication types can be allowed at the
+ * user level. */
+ default_auth_types |= IPA_OTP_AUTH_TYPE_PASSWORD;
+
+ if (e == NULL) {
+ /* There is no config entry, so just set the defaults. */
+ allowed_auth_types = default_auth_types;
+ goto done;
+ }
+
+ /* Parse and validate the config entry. We currently tolerate invalid
+ * config settings, so there is no real validation performed. We will
+ * likely want to reject invalid config as we expand the plug-in
+ * functionality, so the validation logic is here for us to use later. */
+
+ /* Fetch the auth type values from the config entry. */
+ auth_types = slapi_entry_attr_get_charray(e, IPA_OTP_USER_AUTH_TYPE);
+ if (auth_types == NULL) {
+ /* No allowed auth types are specified, so set the defaults. */
+ allowed_auth_types = default_auth_types;
+ goto done;
+ }
+
+ /* Check each type to see if it is set. */
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_DISABLED)) {
+ allowed_auth_types |= IPA_OTP_AUTH_TYPE_DISABLED;
+ }
+
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_PASSWORD)) {
+ allowed_auth_types |= IPA_OTP_AUTH_TYPE_PASSWORD;
+ }
+
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_OTP)) {
+ allowed_auth_types |= IPA_OTP_AUTH_TYPE_OTP;
+ }
+
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_PKINIT)) {
+ allowed_auth_types |= IPA_OTP_AUTH_TYPE_PKINIT;
+ }
+
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_RADIUS)) {
+ allowed_auth_types |= IPA_OTP_AUTH_TYPE_RADIUS;
+ }
+
+ slapi_ch_array_free(auth_types);
+
+done:
+ if (apply) {
+ /* Atomically set the global allowed types. */
+ PR_ATOMIC_SET(&g_allowed_auth_types, allowed_auth_types);
+ }
+
+ return true;
+}
+
+bool ipapwd_otp_is_disabled(void)
+{
+ PRInt32 auth_type_flags;
+
+ /* Do an atomic read of the allowed auth types bit field. */
+ auth_type_flags = PR_ATOMIC_ADD(&g_allowed_auth_types, 0);
+
+ /* Check if the disabled bit is set. */
+ return auth_type_flags & IPA_OTP_AUTH_TYPE_DISABLED;
+}
+
static struct ipapwd_krbcfg *ipapwd_getConfig(void)
{
krb5_error_code krberr;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index b64084e9d..88cdcb10f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -87,6 +87,30 @@ Slapi_PluginDesc ipapwd_plugin_desc = {
void *ipapwd_plugin_id;
static int usetxn = 0;
+static Slapi_DN *_ConfigAreaDN = NULL;
+static Slapi_DN *_PluginDN = NULL;
+static bool g_plugin_started = false;
+
+void *ipapwd_get_plugin_id(void)
+{
+ return ipapwd_plugin_id;
+}
+
+Slapi_DN *ipapwd_get_otp_config_area(void)
+{
+ return _ConfigAreaDN;
+}
+
+Slapi_DN *ipapwd_get_plugin_sdn(void)
+{
+ return _PluginDN;
+}
+
+bool ipapwd_get_plugin_started(void)
+{
+ return g_plugin_started;
+}
+
static int filter_keys(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_keyset *kset)
{
@@ -1195,6 +1219,35 @@ Slapi_Filter *ipapwd_string2filter(char *strfilter)
return ret;
}
+/* Loads the OTP config entry, parses it, and applies it. */
+static inline bool ipapwd_load_otp_config(void)
+{
+ char *config_attrs[] = { IPA_USER_AUTH_TYPE, NULL };
+ Slapi_Entry *config_entry = NULL;
+ Slapi_DN *config_sdn = NULL;
+
+ /* If we are using an alternate config area, check it for our
+ * configuration, otherwise we just use our main plug-in config
+ * entry. */
+ if ((config_sdn = ipapwd_get_otp_config_area()) == NULL) {
+ config_sdn = ipapwd_get_plugin_sdn();
+ }
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
+ "Looking for config settings in \"%s\".\n",
+ config_sdn ? slapi_sdn_get_ndn(config_sdn) : "null");
+
+ /* Fetch the config entry. */
+ slapi_search_internal_get_entry(config_sdn, config_attrs, &config_entry,
+ ipapwd_plugin_id);
+
+ /* Parse and apply the config. */
+ ipapwd_parse_otp_config_entry(config_entry, true);
+
+ slapi_entry_free(config_entry);
+ return true;
+}
+
/* Init data structs */
static int ipapwd_start( Slapi_PBlock *pb )
{
@@ -1203,8 +1256,37 @@ static int ipapwd_start( Slapi_PBlock *pb )
char *realm = NULL;
char *config_dn;
Slapi_Entry *config_entry = NULL;
+ Slapi_DN *plugindn = NULL;
+ char *config_area = NULL;
int ret;
+ /* Check if we're already started */
+ if (g_plugin_started) {
+ return LDAP_SUCCESS;
+ }
+
+ /* Get the plug-in target dn from the system and store for future use. */
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+ if (plugindn == NULL || slapi_sdn_get_ndn_len(plugindn) == 0) {
+ LOG_FATAL("No plugin dn?\n");
+ return LDAP_OPERATIONS_ERROR;
+ }
+ _PluginDN = slapi_sdn_dup(plugindn);
+
+ /* Set the alternate config area if one is defined. */
+ slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
+ if (config_area != NULL) {
+ _ConfigAreaDN = slapi_sdn_new_normdn_byval(config_area);
+ }
+
+ /*
+ * Load the config.
+ */
+ if (!ipapwd_load_otp_config()) {
+ LOG_FATAL("Unable to load plug-in config\n");
+ return LDAP_OPERATIONS_ERROR;
+ }
+
krberr = krb5_init_context(&krbctx);
if (krberr) {
LOG_FATAL("krb5_init_context failed\n");
@@ -1273,6 +1355,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
}
ret = LDAP_SUCCESS;
+ g_plugin_started = true;
done:
free(realm);
@@ -1281,7 +1364,25 @@ done:
return ret;
}
+/* Clean up any resources allocated at startup. */
+static int ipapwd_close(Slapi_PBlock * pb)
+{
+ if (!g_plugin_started) {
+ goto done;
+ }
+ g_plugin_started = false;
+
+ /* We are not guaranteed that other threads are finished accessing
+ * PluginDN or ConfigAreaDN, so we don't want to free them. This is
+ * only a one-time leak at shutdown, so it should be fine.
+ * slapi_sdn_free(&_PluginDN);
+ * slapi_sdn_free(&_ConfigAreaDN);
+ */
+
+done:
+ return 0;
+}
static char *ipapwd_oid_list[] = {
EXOP_PASSWD_OID,
@@ -1328,12 +1429,13 @@ int ipapwd_init( Slapi_PBlock *pb )
* plug-in function that handles the operation identified by
* OID 1.3.6.1.4.1.4203.1.11.1 . Also specify the version of the server
* plug-in */
- ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
+ ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void *)ipapwd_start);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST, ipapwd_oid_list);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_NAMELIST, ipapwd_name_list);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void *)ipapwd_extop);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *)ipapwd_close);
if (ret) {
LOG("Failed to set plug-in version, function, and OID.\n" );
return -1;
@@ -1361,5 +1463,10 @@ int ipapwd_init( Slapi_PBlock *pb )
"IPA pwd post ops", NULL,
ipapwd_plugin_id);
+ slapi_register_plugin("internalpostoperation", 1,
+ "ipapwd_intpost_init", ipapwd_intpost_init,
+ "IPA pwd internal post ops", NULL,
+ ipapwd_plugin_id);
+
return 0;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 372441ddd..74b636276 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -76,6 +76,30 @@
#define IPA_CHANGETYPE_ADMIN 1
#define IPA_CHANGETYPE_DSMGR 2
+/*
+ * Attribute type defines
+ */
+#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
+#define IPA_OTP_TOKEN_OWNER_TYPE "ipaTokenOwner"
+#define IPA_OTP_TOKEN_LENGTH_TYPE "ipaTokenOTPDigits"
+#define IPA_OTP_TOKEN_KEY_TYPE "ipaTokenOTPKey"
+#define IPA_OTP_TOKEN_ALGORITHM_TYPE "ipaTokenOTPAlgorithm"
+#define IPA_OTP_TOKEN_OFFSET_TYPE "ipaTokenTOTPClockOffset"
+#define IPA_OTP_TOKEN_STEP_TYPE "ipaTokenTOTPTimeStep"
+
+/* Authentication type defines */
+#define IPA_OTP_AUTH_TYPE_NONE 0
+#define IPA_OTP_AUTH_TYPE_DISABLED 1
+#define IPA_OTP_AUTH_TYPE_PASSWORD 2
+#define IPA_OTP_AUTH_TYPE_OTP 4
+#define IPA_OTP_AUTH_TYPE_PKINIT 8
+#define IPA_OTP_AUTH_TYPE_RADIUS 16
+#define IPA_OTP_AUTH_TYPE_VALUE_DISABLED "DISABLED"
+#define IPA_OTP_AUTH_TYPE_VALUE_PASSWORD "PASSWORD"
+#define IPA_OTP_AUTH_TYPE_VALUE_OTP "OTP"
+#define IPA_OTP_AUTH_TYPE_VALUE_PKINIT "PKINIT"
+#define IPA_OTP_AUTH_TYPE_VALUE_RADIUS "RADIUS"
+
struct ipapwd_data {
Slapi_Entry *target;
char *dn;
@@ -112,6 +136,9 @@ struct ipapwd_krbcfg {
bool allow_nt_hash;
};
+bool ipapwd_is_auth_type_allowed(char **auth_type_list, int auth_type);
+bool ipapwd_parse_otp_config_entry(Slapi_Entry * e, bool apply);
+bool ipapwd_otp_is_disabled(void);
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
int *is_root, int *is_krb, int *is_smb, int *is_ipant,
char *attr, int access);
@@ -152,6 +179,15 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
int ipapwd_ext_init(void);
int ipapwd_pre_init(Slapi_PBlock *pb);
int ipapwd_post_init(Slapi_PBlock *pb);
+int ipapwd_intpost_init(Slapi_PBlock *pb);
int ipapwd_pre_init_betxn(Slapi_PBlock *pb);
int ipapwd_post_init_betxn(Slapi_PBlock *pb);
+/* from ipa_pwd_extop.c */
+void *ipapwd_get_plugin_id(void);
+Slapi_DN *ipapwd_get_otp_config_area(void);
+Slapi_DN *ipapwd_get_plugin_sdn(void);
+bool ipapwd_get_plugin_started(void);
+
+/* from auth.c */
+bool ipapwd_do_otp_auth(Slapi_Entry *bind_entry, struct berval *creds);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/otp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otp.c
new file mode 100644
index 000000000..6c0f8554b
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/otp.c
@@ -0,0 +1,180 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 3 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+/*
+ * This file contains an implementation of HOTP (RFC 4226) and TOTP (RFC 6238).
+ * For details of how these algorithms work, please see the relevant RFCs.
+ */
+
+#include <stdbool.h>
+#include <time.h>
+
+#include <nss.h>
+#include <pk11pub.h>
+#include <hasht.h>
+#include <prnetdb.h>
+
+struct digest_buffer {
+ uint8_t buf[SHA512_LENGTH];
+ unsigned int len;
+};
+
+static const struct {
+ const char *algo;
+ CK_MECHANISM_TYPE mech;
+} algo2mech[] = {
+ { "sha1", CKM_SHA_1_HMAC },
+ { "sha256", CKM_SHA256_HMAC },
+ { "sha384", CKM_SHA384_HMAC },
+ { "sha512", CKM_SHA512_HMAC },
+ { }
+};
+
+/*
+ * This code is mostly cargo-cult taken from here:
+ * http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
+ *
+ * It should implement HMAC with the given mechanism (SHA: 1, 256, 384, 512).
+ */
+static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
+ struct digest_buffer *out)
+{
+ SECItem param = { siBuffer, NULL, 0 };
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symkey = NULL;
+ PK11Context *ctx = NULL;
+ bool ret = false;
+ SECStatus s;
+
+ slot = PK11_GetBestSlot(mech, NULL);
+ if (slot == NULL) {
+ slot = PK11_GetInternalKeySlot();
+ if (slot == NULL) {
+ goto done;
+ }
+ }
+
+ symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+ CKA_SIGN, key, NULL);
+ if (symkey == NULL)
+ goto done;
+
+ ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, symkey, &param);
+ if (ctx == NULL)
+ goto done;
+
+ s = PK11_DigestBegin(ctx);
+ if (s != SECSuccess)
+ goto done;
+
+ s = PK11_DigestOp(ctx, in->data, in->len);
+ if (s != SECSuccess)
+ goto done;
+
+ s = PK11_DigestFinal(ctx, out->buf, &out->len, sizeof(out->buf));
+ if (s != SECSuccess)
+ goto done;
+
+ ret = true;
+
+done:
+ if (ctx != NULL)
+ PK11_DestroyContext(ctx, PR_TRUE);
+ if (symkey != NULL)
+ PK11_FreeSymKey(symkey);
+ if (slot != NULL)
+ PK11_FreeSlot(slot);
+ return ret;
+}
+
+/*
+ * An implementation of HOTP (RFC 4226).
+ */
+bool ipapwd_hotp(const uint8_t *key, size_t len, const char *algo, int digits,
+ uint64_t counter, uint32_t *out)
+{
+ const SECItem cntr = { siBuffer, (uint8_t *) &counter, sizeof(counter) };
+ SECItem keyitm = { siBuffer, (uint8_t *) key, len };
+ CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
+ PRUint64 offset, binary, div;
+ struct digest_buffer digest;
+ int i;
+
+ /* Convert counter to network byte order. */
+ counter = PR_htonll(counter);
+
+ /* Find the mech. */
+ for (i = 0; algo2mech[i].algo; i++) {
+ if (strcasecmp(algo2mech[i].algo, algo) == 0) {
+ mech = algo2mech[i].mech;
+ break;
+ }
+ }
+
+ /* Create the digits divisor. */
+ for (div = 1; digits > 0; digits--) {
+ div *= 10;
+ }
+
+ /* Do the digest. */
+ if (!hmac(&keyitm, mech, &cntr, &digest)) {
+ return false;
+ }
+
+ /* Truncate. */
+ offset = digest.buf[digest.len - 1] & 0xf;
+ binary = (digest.buf[offset + 0] & 0x7f) << 0x18;
+ binary |= (digest.buf[offset + 1] & 0xff) << 0x10;
+ binary |= (digest.buf[offset + 2] & 0xff) << 0x08;
+ binary |= (digest.buf[offset + 3] & 0xff) << 0x00;
+ binary = binary % div;
+
+ *out = binary;
+ return true;
+}
+
+/*
+ * An implementation of TOTP (RFC 6238).
+ */
+bool ipapwd_totp(const uint8_t *key, size_t len, const char *algo, int digits,
+ time_t time, int offset, unsigned int step, uint32_t *out)
+{
+ if (step == 0)
+ return false;
+
+ return ipapwd_hotp(key, len, algo, digits, (time - offset) / step, out);
+}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 0318cecdc..8a222650c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -67,6 +67,9 @@
#define IPAPWD_OP_ADD 1
#define IPAPWD_OP_MOD 2
+#define IPAPWD_OP_NOT_HANDLED 0
+#define IPAPWD_OP_HANDLED 1
+
extern Slapi_PluginDesc ipapwd_plugin_desc;
extern void *ipapwd_plugin_id;
extern const char *ipa_realm_tree;
@@ -975,7 +978,77 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
return ret;
}
-static int ipapwd_post_op(Slapi_PBlock *pb)
+/*
+ * Check if we want to process this operation. We need to be
+ * sure that the operation succeeded.
+ */
+static bool ipapwd_otp_oktodo(Slapi_PBlock *pb)
+{
+ bool ok = false;
+ int oprc = 0;
+ int ret = 1;
+
+ ret = slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc);
+ if (ret != 0) {
+ LOG_FATAL("Could not get parameters\n");
+ goto done;
+ }
+
+ /* This plugin should only execute if the operation succeeded. */
+ ok = oprc == 0;
+
+done:
+ return ok;
+}
+
+static bool ipapwd_dn_is_otp_config(Slapi_DN *sdn)
+{
+ bool ret = false;
+ Slapi_DN *dn;
+
+ /* If an alternate config area is configured, it is considered to be
+ * the config entry, otherwise the main plug-in config entry is used. */
+ if (sdn != NULL) {
+ dn = ipapwd_get_otp_config_area();
+ if (dn == NULL)
+ dn = ipapwd_get_plugin_sdn();
+
+ ret = slapi_sdn_compare(sdn, dn) == 0;
+ }
+
+ return ret;
+}
+
+static int ipapwd_post_modadd_otp(Slapi_PBlock *pb)
+{
+ Slapi_Entry *config_entry = NULL;
+ Slapi_DN *sdn = NULL;
+
+ /* Just bail if we are not started yet, or if the operation failed. */
+ if (!ipapwd_get_plugin_started() || !ipapwd_otp_oktodo(pb)) {
+ goto done;
+ }
+
+ /* Check if a change affected our config entry and reload the
+ * in-memory config settings if needed. */
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ipapwd_dn_is_otp_config(sdn)) {
+ /* The config entry was added or modified, so reload it from
+ * the post-op entry. */
+ slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &config_entry);
+ if (config_entry == NULL) {
+ LOG_FATAL("Unable to retrieve config entry.\n");
+ goto done;
+ }
+
+ ipapwd_parse_otp_config_entry(config_entry, true);
+ }
+
+done:
+ return 0;
+}
+
+static int ipapwd_post_modadd(Slapi_PBlock *pb)
{
void *op;
struct ipapwd_operation *pwdop = NULL;
@@ -991,6 +1064,11 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
LOG_TRACE("=>\n");
+ ret = ipapwd_post_modadd_otp(pb);
+ if (ret != 0) {
+ return ret;
+ }
+
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
@@ -1111,6 +1189,202 @@ done:
return 0;
}
+static int ipapwd_post_modrdn_otp(Slapi_PBlock *pb)
+{
+ Slapi_Entry *config_entry = NULL;
+ Slapi_DN *new_sdn = NULL;
+ Slapi_DN *sdn = NULL;
+
+ /* Just bail if we are not started yet, or if the operation failed. */
+ if (!ipapwd_get_plugin_started() || !ipapwd_otp_oktodo(pb)) {
+ goto done;
+ }
+
+ /* Check if a change affected our config entry and reload the
+ * in-memory config settings if needed. */
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ipapwd_dn_is_otp_config(sdn)) {
+ /* Our config entry was renamed. We treat this like the entry
+ * was deleted, so just set the defaults. */
+ ipapwd_parse_otp_config_entry(NULL, true);
+ } else {
+ /* Check if an entry was renamed such that it has become our
+ * config entry. If so, reload the config from this new entry. */
+ slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &config_entry);
+ if (config_entry == NULL) {
+ LOG_FATAL("Unable to retrieve renamed entry.\n");
+ goto done;
+ }
+
+ new_sdn = slapi_entry_get_sdn(config_entry);
+ if (new_sdn == NULL) {
+ LOG_FATAL("Unable to retrieve DN of renamed entry.\n");
+ goto done;
+ }
+
+ if (ipapwd_dn_is_otp_config(new_sdn)) {
+ ipapwd_parse_otp_config_entry(config_entry, true);
+ }
+ }
+
+done:
+ return 0;
+}
+
+static int ipapwd_post_del_otp(Slapi_PBlock *pb)
+{
+ Slapi_DN *sdn = NULL;
+ int ret = 0;
+
+ /* Just bail if we are not started yet, or if the operation failed. */
+ if (!ipapwd_get_plugin_started() || !ipapwd_otp_oktodo(pb)) {
+ goto done;
+ }
+
+ /* Check if a change affected our config entry and reload the
+ * in-memory config settings if needed. */
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ipapwd_dn_is_otp_config(sdn)) {
+ /* The config entry was deleted, so this just sets the defaults. */
+ ipapwd_parse_otp_config_entry(NULL, true);
+ }
+
+done:
+ return ret;
+}
+
+/* Handle OTP authentication. */
+static int ipapwd_pre_bind_otp(Slapi_PBlock * pb)
+{
+ char *user_attrs[] = { IPA_USER_AUTH_TYPE, NULL };
+ int ret = IPAPWD_OP_NOT_HANDLED;
+ Slapi_Entry *bind_entry = NULL;
+ struct berval *creds = NULL;
+ const char *bind_dn = NULL;
+ Slapi_DN *bind_sdn = NULL;
+ int result = LDAP_SUCCESS;
+ char **auth_types = NULL;
+ int method;
+ int i;
+
+ /* If we didn't start successfully, bail. */
+ if (!ipapwd_get_plugin_started()) {
+ goto done;
+ }
+
+ /* If global disabled flag is set, just punt. */
+ if (ipapwd_otp_is_disabled()) {
+ goto done;
+ }
+
+ /* Retrieve parameters for bind operation. */
+ i = slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
+ if (i == 0) {
+ i = slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &bind_sdn);
+ if (i == 0) {
+ i = slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &creds);
+ }
+ }
+ if (i != 0) {
+ LOG_FATAL("Not handled (can't retrieve bind parameters)\n");
+ goto done;
+ }
+
+ bind_dn = slapi_sdn_get_dn(bind_sdn);
+
+ /* We only handle non-anonymous simple binds. We just pass everything
+ * else through to the server. */
+ if (method != LDAP_AUTH_SIMPLE || *bind_dn == '\0' || creds->bv_len == 0) {
+ LOG_TRACE("Not handled (not simple bind or NULL dn/credentials)\n");
+ goto done;
+ }
+
+ /* Check if any allowed authentication types are set in the user entry.
+ * If not, we just use the global settings from the config entry. */
+ result = slapi_search_internal_get_entry(bind_sdn, user_attrs, &bind_entry,
+ ipapwd_get_plugin_id());
+ if (result != LDAP_SUCCESS) {
+ LOG_FATAL("Not handled (could not search for BIND dn %s - error "
+ "%d : %s)\n", bind_dn, result, ldap_err2string(result));
+ goto done;
+ }
+ if (bind_entry == NULL) {
+ LOG_FATAL("Not handled (could not find entry for BIND dn %s)\n", bind_dn);
+ goto done;
+ }
+
+ i = slapi_check_account_lock(pb, bind_entry, 0, 0, 0);
+ if (i == 1) {
+ LOG_TRACE("Not handled (account %s inactivated.)\n", bind_dn);
+ goto done;
+ }
+
+ auth_types = slapi_entry_attr_get_charray(bind_entry, IPA_USER_AUTH_TYPE);
+
+ /*
+ * IMPORTANT SECTION!
+ *
+ * This section handles authentication logic, so be careful!
+ *
+ * The basic idea of this section is:
+ * 1. If OTP is enabled, try to use it first. If successful, send response.
+ * 2. If OTP was not enabled/successful, check if password is enabled.
+ * 3. If password is not enabled, send failure response.
+ * 4. Otherwise, fall through to standard server password authentication.
+ *
+ */
+
+ /* If OTP is allowed, attempt to do OTP authentication. */
+ if (ipapwd_is_auth_type_allowed(auth_types, IPA_OTP_AUTH_TYPE_OTP)) {
+ LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
+ "Attempting OTP authentication for '%s'.\n", bind_dn);
+ if (ipapwd_do_otp_auth(bind_entry, creds)) {
+ /* FIXME - NGK - If the auth type request control was sent,
+ * construct the response control to indicate what auth type was
+ * used. We might be able to do this in the
+ * SLAPI_PLUGIN_PRE_RESULT_FN callback instead of here. */
+
+ /* FIXME - NGK - What about other controls, like the pwpolicy
+ * control? If any other critical controls are set, we need to
+ * either process them properly or reject the operation with an
+ * unsupported critical control error. */
+
+ /* Send response approving authentication. */
+ slapi_send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);
+ ret = IPAPWD_OP_HANDLED;
+ }
+ }
+
+ /* If OTP failed or was not enabled, we need to figure out if we can fall
+ * back to standard password authentication or give an error. */
+ if (ret != IPAPWD_OP_HANDLED) {
+ if (!ipapwd_is_auth_type_allowed(auth_types,
+ IPA_OTP_AUTH_TYPE_PASSWORD)) {
+ /* Password authentication is disabled, so we have failed. */
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, NULL, 0, NULL);
+ ret = IPAPWD_OP_HANDLED;
+ goto done;
+ }
+
+ /* Password authentication is permitted, so tell the server that we
+ * didn't handle this request. Then the server will perform standard
+ * password authentication. */
+ LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
+ "Attempting PASSWORD authentication for \"%s\".\n",
+ bind_dn);
+
+ /* FIXME - NGK - Do we need to figure out how to build
+ * the reponse control in this case? Maybe we can use a
+ * SLAPI_PLUGIN_PRE_RESULT_FN callback to handle that? */
+ }
+
+done:
+ slapi_ch_array_free(auth_types);
+ slapi_entry_free(bind_entry);
+ return ret;
+}
+
/* PRE BIND Operation:
* Used for password migration from DS to IPA.
* Gets the clean text password, authenticates the user and generates
@@ -1137,6 +1411,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
LOG_TRACE("=>\n");
+ /* Try to do OTP first. */
+ ret = ipapwd_pre_bind_otp(pb);
+ if (ret == IPAPWD_OP_HANDLED) {
+ return ret;
+ }
+
/* get BIND parameters */
ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
ret |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
@@ -1295,8 +1575,6 @@ done:
return 0;
}
-
-
/* Init pre ops */
int ipapwd_pre_init(Slapi_PBlock *pb)
{
@@ -1330,20 +1608,35 @@ int ipapwd_post_init(Slapi_PBlock *pb)
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *)ipapwd_post_op);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *)ipapwd_post_op);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *)ipapwd_post_modadd);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_del_otp);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *)ipapwd_post_modadd);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_modrdn_otp);
return ret;
}
+int ipapwd_intpost_init(Slapi_PBlock *pb)
+{
+ int ret;
+
+ ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_modadd_otp);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_del_otp);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_modadd_otp);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_modrdn_otp);
+ return ret;
+}
+
int ipapwd_post_init_betxn(Slapi_PBlock *pb)
{
int ret;
ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *)ipapwd_post_op);
- if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *)ipapwd_post_op);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *)ipapwd_post_modadd);
+ if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *)ipapwd_post_modadd);
return ret;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c
new file mode 100644
index 000000000..d57f9ab68
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c
@@ -0,0 +1,82 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 3 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <time.h>
+#include <string.h>
+#include <nss.h>
+
+/*
+ * From otp.c
+ */
+bool ipapwd_hotp(const uint8_t *key, size_t len, const char *algo, int digits,
+ uint64_t counter, uint32_t *out);
+
+/* All HOTP test examples from RFC 4226 (Appendix D). */
+static const uint8_t *key = (uint8_t *) "12345678901234567890";
+static const uint32_t answers[] = {
+ 755224,
+ 287082,
+ 359152,
+ 969429,
+ 338314,
+ 254676,
+ 287922,
+ 162583,
+ 399871,
+ 520489
+};
+
+int
+main(int argc, const char *argv[])
+{
+ uint32_t otp;
+ int i;
+
+ NSS_NoDB_Init(".");
+
+ for (i = 0; i < sizeof(answers) / sizeof(*answers); i++) {
+ assert(ipapwd_hotp(key, 20, "sha1", 6, i, &otp));
+ assert(otp == answers[i]);
+ }
+
+ NSS_Shutdown();
+ return 0;
+}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_totp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_totp.c
new file mode 100644
index 000000000..2df8d2458
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_totp.c
@@ -0,0 +1,103 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 3 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <time.h>
+#include <string.h>
+#include <nss.h>
+
+/*
+ * From otp.c
+ */
+bool ipapwd_totp(const uint8_t *key, size_t len, const char *algo, int digits,
+ time_t time, int offset, unsigned int step, uint32_t *out);
+
+#define SHA1 "sha1", (uint8_t *) "12345678901234567890", 20
+#define SHA256 "sha256", (uint8_t *) "12345678901234567890123456789012", 32
+#define SHA512 "sha512", (uint8_t *) "12345678901234567890123456789012" \
+ "34567890123456789012345678901234", 64
+
+/* All TOTP test examples from RFC 6238 (Appendix B). */
+const static struct {
+ const char *algo;
+ const uint8_t *key;
+ size_t len;
+ time_t time;
+ uint32_t answer;
+} tests[] = {
+ { SHA1, 59, 94287082 },
+ { SHA256, 59, 46119246 },
+ { SHA512, 59, 90693936 },
+ { SHA1, 1111111109, 7081804 },
+ { SHA256, 1111111109, 68084774 },
+ { SHA512, 1111111109, 25091201 },
+ { SHA1, 1111111111, 14050471 },
+ { SHA256, 1111111111, 67062674 },
+ { SHA512, 1111111111, 99943326 },
+ { SHA1, 1234567890, 89005924 },
+ { SHA256, 1234567890, 91819424 },
+ { SHA512, 1234567890, 93441116 },
+ { SHA1, 2000000000, 69279037 },
+ { SHA256, 2000000000, 90698825 },
+ { SHA512, 2000000000, 38618901 },
+#ifdef _LP64 /* Only do these tests on 64-bit systems. */
+ { SHA1, 20000000000, 65353130 },
+ { SHA256, 20000000000, 77737706 },
+ { SHA512, 20000000000, 47863826 },
+#endif
+};
+
+int
+main(int argc, const char *argv[])
+{
+ uint32_t otp;
+ int i;
+
+ NSS_NoDB_Init(".");
+
+ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+ assert(ipapwd_totp(tests[i].key, tests[i].len, tests[i].algo,
+ 8, tests[i].time, 0, 30, &otp));
+ assert(otp == tests[i].answer);
+ }
+
+ NSS_Shutdown();
+ return 0;
+}