connect.c

网络数据管理协议的开发

/*                               -*- Mode: C -*- 
 * connect.c
 * 
 * Description     : NDMP connection request handler functions.
 * 
 * Copyright (c) 1996,1997 PDC, Network Appliance. All Rights Reserved.
 *
 * $Id: connect.c,v 1.9 1998/02/09 06:52:29 tim Exp $
 */

#if !defined(lint) && !defined(SABER)
static char rcsId[] __attribute__ ((unused)) = "@(#) $Id: connect.c,v 1.9 1998/02/09 06:52:29 tim Exp $";
#endif

#include <errno.h>
#include <shadow.h>
#include <crypt.h>

#include "ndmp_common.h"
#include "md5.h"
#include "ndmpd.h"

#define MD5_PASSWORD	"ndmpsdk"

/*
 * ndmpdConnectOpen
 *
 * This handler sets the protocol version to be used on the connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   body       (input) - request message body.
 *
 * Returns:
 *   void
 */
void
ndmpdConnectOpen(NdmpConnection	connection,
				 void*			body)
{
	ndmp_connect_open_request	*request
		= (ndmp_connect_open_request *)body;

	ndmp_connect_open_reply		reply;
	NdmpdSession*				session = ndmpGetClientData(connection);

	Debug(DBG_CAT_CONNECT|DBG_FOC_FLOW,
	  "ndmpdConnectOpen: protocol_version:%ld.\n",
	   (u_long)request->protocol_version);

	memset((void*)&reply, 0, sizeof(reply));
	
	if (request->protocol_version != NDMPVER)
		reply.error = NDMP_ILLEGAL_ARGS_ERR;
	else
		reply.error = NDMP_NO_ERR;
	
	if (ndmpSendReply(connection, NDMP_NO_ERR, (void *)&reply) < 0)
		Error(LOG_ERR,
			  "ndmpdConnectOpen: error sending ndmp_connect_open_reply.\n");

	/*
	 * Set the protocol version.
	 * Must wait until after sending the reply since the reply
	 * must be sent using the same protocol version that was used
	 * to process the request.
	 */
	if (reply.error == NDMP_NO_ERR)
	{
		ndmpSetVersion(connection, request->protocol_version);
		session->protocolVersion = request->protocol_version;
	}
}


/*
 * ndmpdConnectClientAuth
 *
 * This handler authorizes the NDMP connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpdConnectClientAuth(NdmpConnection	connection,
					   void*			body)
{
	ndmp_connect_client_auth_request	*request
		= (ndmp_connect_client_auth_request *)body;

	ndmp_connect_client_auth_reply	reply;
	NdmpdSession*					session = ndmpGetClientData(connection);

	Debug(DBG_CAT_CONNECT|DBG_FOC_FLOW,
		  "ndmpdConnectClientAuth: auth_type:%s.\n",
		  request->auth_data.auth_type == NDMP_AUTH_NONE ? "None" :
		  (request->auth_data.auth_type == NDMP_AUTH_TEXT ? "Text" :
		   (request->auth_data.auth_type == NDMP_AUTH_MD5 ? "MD5" :
		   "Invalid")));

	memset((void*)&reply, 0, sizeof(reply));
	
	/*
	 * Check authorization.
	 */
	reply.error = NDMP_NO_ERR;

	switch (request->auth_data.auth_type)
	{
		case NDMP_AUTH_NONE:
		{
			/*
			 * Allow no authorization for development. 
			 * Uncomment the following for a secure production server.
			 */
			/* reply.error = NDMP_ILLEGAL_ARGS_ERR;*/
			break;
		}

		case NDMP_AUTH_TEXT:
		{
			ndmp_auth_text	*auth =
				&request->auth_data.ndmp_auth_data_u.auth_text;
			
			struct spwd*	pwent;
			
			/*
			 * Only support authorization by root.
			 */
			if (strcmp("root", auth->auth_id) != 0)
			{
				Error(LOG_ERR,
					  "ndmpdConnectClientAuth: attempted authorization by non-root user: %s.\n",
					  auth->auth_id);
				reply.error = NDMP_NOT_AUTHORIZED_ERR;
				break;
			}

			/*
			 * Get the password entry from the shadow password file.
			 */
			pwent = getspnam(auth->auth_id);
			if (pwent == 0)
			{
				Error(LOG_ERR,
					  "ndmpdConnectClientAuth: attempted authorization by unknown user: %s.\n",
					  auth->auth_id);
				reply.error = NDMP_NOT_AUTHORIZED_ERR;
				break;
			}

			/*
			 * Encrypt the password and compare it with the encrypted
			 * password from the shadow file. The first two characters
			 * of the encrypted password are the salt characters used when
			 * the password was originally encrypted.
			 */
			if (strcmp(pwent->sp_pwdp, crypt(auth->auth_password,
											 pwent->sp_pwdp)) != 0)
			{
				Error(LOG_ERR,
					  "ndmpdConnectClientAuth: authorization failure by user: %s.\n",
					  auth->auth_id);
				reply.error = NDMP_NOT_AUTHORIZED_ERR;
				break;
			}

			break;
		}
		
		case NDMP_AUTH_MD5:
		{
			ndmp_auth_md5	*auth =
				&request->auth_data.ndmp_auth_data_u.auth_md5;
			char	md5Digest[16];
			char	md5Challenge[64];
			
			/*
			 * Only support authorization by root.
			 */
			if (strcmp("root", auth->auth_id) != 0)
			{
				Error(LOG_ERR,
					  "ndmpdConnectClientAuth: attempted authorization by non-root user: %s.\n",
					  auth->auth_id);
				reply.error = NDMP_NOT_AUTHORIZED_ERR;
				break;
			}

			/*
			 * For the SDK, only accept the hardcoded password defined
			 * by MD5_PASSWORD.
			 * Can't use the shadow password file since the passwords are
			 * stored encrypted. A production server will have to store
			 * passwords in a file and do a lookup.
			 */
			
			ndmpdCreateMD5Challenge(session, md5Challenge);
			ndmpCreateMD5Digest(md5Digest, MD5_PASSWORD, md5Challenge);
			
			if (memcmp(auth->auth_digest, md5Digest, 16) != 0)
			{
				Error(LOG_ERR,
					  "ndmpdConnectClientAuth: MD5 authorization failure by user: %s.\n",
					  auth->auth_id);
				reply.error = NDMP_NOT_AUTHORIZED_ERR;
				break;
			}
			
			break;
		}
		
		default:
		{
			reply.error = NDMP_ILLEGAL_ARGS_ERR;
			break;
		}
	}
	
	if (reply.error == NDMP_NO_ERR)
		ndmpSetAuthorized(connection, TRUE);
	else
		ndmpSetAuthorized(connection, FALSE);

	if (ndmpSendReply(connection, NDMP_NO_ERR, (void *)&reply) < 0)
	{
		Error(LOG_ERR,
			  "ndmpConnectClientAuth: error sending ndmp_connect_client_auth reply.\n");
	}
}


/*
 * ndmpdConnectServerAuth
 *
 * This handler authenticates the server to the client.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpdConnectServerAuth(NdmpConnection	connection,
					   void*			body)
{
	ndmp_connect_server_auth_request	*request
		= (ndmp_connect_server_auth_request *)body;

	ndmp_connect_server_auth_reply		reply;

	Debug(DBG_CAT_CONNECT|DBG_FOC_FLOW,
		  "ndmpdConnectServerAuth: auth_type:%s.\n",
		  request->client_attr.auth_type == NDMP_AUTH_NONE ? "None" :
		  (request->client_attr.auth_type == NDMP_AUTH_TEXT ? "Text" :
		   (request->client_attr.auth_type == NDMP_AUTH_MD5 ? "MD5" :
		   "Invalid")));

	memset((void*)&reply, 0, sizeof(reply));
	
	reply.error = NDMP_NO_ERR;

	reply.server_result.auth_type = request->client_attr.auth_type;

	switch (request->client_attr.auth_type)
	{
		case NDMP_AUTH_NONE:
			break;

		case NDMP_AUTH_TEXT:
		{
			reply.server_result.ndmp_auth_data_u.auth_text.auth_id = "ndmpd";
			reply.server_result.ndmp_auth_data_u.auth_text.auth_password = MD5_PASSWORD;
			break;
		}
		
		case NDMP_AUTH_MD5:
		{
			/*
			 * Use a hardcoded user and password just to demonstrate
			 * the functionality.
			 */
			reply.server_result.ndmp_auth_data_u.auth_md5.auth_id = "ndmpd";

			ndmpCreateMD5Digest(reply.server_result.ndmp_auth_data_u.auth_md5.auth_digest,
								MD5_PASSWORD,
								request->client_attr.ndmp_auth_attr_u.challenge);
			break;
		}
		
		default:
		{
			reply.error = NDMP_ILLEGAL_ARGS_ERR;
			break;
		}
	}
	
	if (ndmpSendReply(connection, NDMP_NO_ERR, (void *)&reply) < 0)
	{
		Error(LOG_ERR,
			  "ndmpConnectClientAuth: error sending ndmp_connect_client_auth_reply.\n");
	}
}


/*
 * ndmpdConnectClose
 *
 * This handler closes the connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpdConnectClose(NdmpConnection	connection,
				  void*				body __attribute__ ((unused)))
{
	Debug(DBG_CAT_CONNECT|DBG_FOC_FLOW,
		  "ndmpdConnectClose: called.\n");

	(void)ndmpClose(connection);
}