DWORD
VMCAGetDefaultDomainName(
PSTR pszHostName,
DWORD dwPort,
PSTR* ppDomainName)
{
DWORD dwError = 0; // LDAP_SUCCESS
PVMCA_LDAP_CONTEXT pLotus = NULL;
if (!pszHostName)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
if (strcasecmp(pszHostName, "localhost") == 0)
{
pszHostName = "127.0.0.1";
}
dwError = VMCALdapConnect(pszHostName, dwPort, NULL, NULL, &pLotus);
BAIL_ON_ERROR(dwError);
dwError = VMCAGetDefaultDomainName2(pLotus, ppDomainName);
BAIL_ON_ERROR(dwError);
error :
if (pLotus)
{
VMCALdapClose(pLotus);
}
return dwError;
}
DWORD
VMCACheckLdapConnection(
PSTR pszHostName,
DWORD dwPort
)
{
DWORD dwError = 0;
PVMCA_LDAP_CONTEXT pContext = NULL;
dwError = VMCALdapConnect(pszHostName, dwPort, NULL, NULL, &pContext);
BAIL_ON_ERROR(dwError);
error:
if (pContext)
{
VMCALdapClose(pContext);
}
return dwError;
}
static
DWORD
VMCASrvUpdateRootCerts(
PVMCA_DIR_SYNC_PARAMS pDirSyncParams,
PBOOLEAN pbSynced
)
{
DWORD dwError = 0;
PVMCA_X509_CA pCA = NULL;
PSTR pszAccount = NULL;
PSTR pszPassword = NULL;
PSTR pszDomainName = NULL;
PSTR pszCAContainerDN = NULL;
PSTR pszCertificate = NULL;
PSTR pszCRL = NULL;
X509_CRL* pCrl = NULL;
DWORD dwCount = 0;
DWORD dwIndex = 0;
PVMCA_LDAP_CONTEXT pContext = NULL;
PSTR pszUPN = NULL;
dwError = VMCASrvValidateCA();
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCASrvGetCA(&pCA);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCASrvGetMachineAccountInfoA(
&pszAccount,
&pszDomainName,
&pszPassword);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCAAllocateStringPrintfA(
&pszUPN,
"%s@%s",
pszAccount,
pszDomainName);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCALdapConnect(
"localhost",
0, /* use default port */
pszUPN,
pszPassword,
&pContext);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCAGetDSERootAttribute(
pContext,
"configurationNamingContext",
&pszCAContainerDN);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VmcaSrvReGenCRL(
&pCrl
);
BAIL_ON_VMCA_ERROR (dwError);
dwError = VMCACRLToPEM(
pCrl,
&pszCRL
);
BAIL_ON_VMCA_ERROR (dwError);
dwCount = sk_X509_num(pCA->skCAChain);
for (; dwIndex <dwCount; dwIndex++)
{
X509 *pCert = sk_X509_value(
pCA->skCAChain,
dwIndex
);
dwError = VMCAUpdatePkiCAAttribute(
pContext,
pszCAContainerDN,
pCert
);
BAIL_ON_VMCA_ERROR(dwError);
}
dwError = VMCAUpdateCrlCAAttribute(
pContext,
pszCAContainerDN,
pszCRL
);
BAIL_ON_VMCA_ERROR (dwError);
*pbSynced = TRUE;
cleanup:
VMCA_SAFE_FREE_STRINGA(pszUPN);
VMCA_SAFE_FREE_STRINGA(pszDomainName);
VMCA_SAFE_FREE_STRINGA(pszCertificate);
VMCA_SAFE_FREE_STRINGA(pszAccount);
VMCA_SAFE_FREE_STRINGA(pszPassword);
VMCA_SAFE_FREE_STRINGA(pszCRL);
if (pContext)
{
VMCALdapClose(pContext);
}
if (pCA)
{
VMCAReleaseCA(pCA);
}
return dwError;
error:
*pbSynced = FALSE;
VMCA_LOG_ERROR("Failed to update root certs due to error [%u]", dwError);
// TODO : Check specific errors
dwError = 0;
goto cleanup;
}
DWORD
VMCAPolicySNValidate(
PVMCA_POLICY pPolicy,
PSTR pszPKCS10Request,
PVMCA_REQ_CONTEXT pReqContext,
PBOOLEAN pbBypass,
PBOOLEAN pbIsValid
)
{
DWORD dwError = 0;
DWORD dwOrgNamesLen = 0;
DWORD dwIdx = 0;
int nCount = 0;
PSTR *ppszOrgNames = NULL;
PSTR pszAuthBaseDN = NULL;
PSTR pszAuthDN = NULL;
PVMCA_LDAP_CONTEXT pLd = NULL;
BOOLEAN bBypass = FALSE;
BOOLEAN bIsValid = FALSE;
if (!pPolicy ||
IsNullOrEmptyString(pszPKCS10Request) ||
!pReqContext ||
!pbIsValid)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMCA_ERROR(dwError);
}
dwError = VMCAOpenLocalLdapServer(&pLd);
BAIL_ON_VMCA_ERROR(dwError);
dwError = VMCAConvertUPNToDN(
pLd,
pReqContext->pszAuthPrincipal,
&pszAuthDN);
BAIL_ON_VMCA_ERROR(dwError);
if (VMCAStringCompareA(pPolicy->Rules.SN.pMatch->pszData, VMCA_POLICY_REQ_UPN_DN, TRUE) == 0 &&
VMCAStringCompareA(pPolicy->Rules.SN.pMatch->pszCondition, VMCA_POLICY_COND_BEGINS, TRUE) == 0)
{
dwError = VMCAStringCountSubstring(
pszAuthDN,
pPolicy->Rules.SN.pMatch->pszWith,
&nCount);
BAIL_ON_VMCA_ERROR(dwError);
if (nCount == 0)
{
VMCA_LOG_INFO(
"[%s,%d] CSR requestor (%s) is not a member of policy baseDN...bypassing enforcement",
__FUNCTION__,
__LINE__,
pszAuthDN);
bIsValid = TRUE;
bBypass = TRUE;
goto ret;
}
}
else
{
VMCA_LOG_INFO(
"[%s,%d] Unknown SN policy match rules",
__FUNCTION__,
__LINE__);
dwError = VMCA_POLICY_CONFIG_ERROR;
BAIL_ON_VMCA_ERROR(dwError);
}
for (dwIdx = 0; dwIdx < pPolicy->Rules.SN.dwValidateLen; ++dwIdx)
{
if (!VMCAStringCompareA(
pPolicy->Rules.SN.ppValidate[dwIdx]->pszData,
VMCA_POLICY_REQ_CSR_SUBJ_ORGS,
TRUE))
{
dwError = VMCAOpenSSLGetValuesFromSubjectName(
pszPKCS10Request,
VMCA_OPENSSL_NID_O,
&dwOrgNamesLen,
&ppszOrgNames);
BAIL_ON_VMCA_ERROR(dwError);
if (!VMCAStringCompareA(
pPolicy->Rules.SN.ppValidate[dwIdx]->pszWith,
VMCA_POLICY_REQ_UPN_RDN,
TRUE))
{
dwError = VMCAPolicySNMatchAuthOUWithCSR(
pszAuthDN,
pPolicy->Rules.SN.pMatch->pszWith,
dwOrgNamesLen,
ppszOrgNames);
BAIL_ON_VMCA_ERROR(dwError);
}
else
{
VMCA_LOG_INFO(
"[%s,%d] Unknown SN policy validate rules",
__FUNCTION__,
__LINE__);
dwError = VMCA_POLICY_CONFIG_ERROR;
BAIL_ON_VMCA_ERROR(dwError);
}
VMCAFreeStringArrayA(ppszOrgNames, dwOrgNamesLen);
ppszOrgNames = NULL;
dwOrgNamesLen = 0;
}
else
{
VMCA_LOG_INFO(
"[%s,%d] Unknown SN policy validate rules",
__FUNCTION__,
__LINE__);
dwError = VMCA_POLICY_CONFIG_ERROR;
BAIL_ON_VMCA_ERROR(dwError);
}
}
bIsValid = TRUE;
ret:
*pbBypass = bBypass;
*pbIsValid = bIsValid;
cleanup:
VMCA_SAFE_FREE_STRINGA(pszAuthDN);
VMCA_SAFE_FREE_STRINGA(pszAuthBaseDN);
VMCAFreeStringArrayA(ppszOrgNames, dwOrgNamesLen);
if (pLd)
{
VMCALdapClose(pLd);
pLd = NULL;
}
return dwError;
error:
if (pbBypass)
{
*pbBypass = FALSE;
}
if (pbIsValid)
{
*pbIsValid = FALSE;
}
goto cleanup;
}
DWORD
VMCALdapConnect(
PSTR pszHostName,
DWORD dwPort,
PSTR pszUsername,
PSTR pszPassword,
PVMCA_LDAP_CONTEXT* ppLotus
)
{
DWORD dwError = 0;
PVMCA_LDAP_CONTEXT pContext = NULL;
PSTR pszUrl = NULL;
BerValue ldapBindPwd = {0};
//LDAP_SUCCESS is defined as Zero in the Standard
// Which plays well with our BAIL_ON_ERROR macro
DWORD dwVersion = LDAP_VERSION3;
DWORD dwReturns = 20;
if(dwPort == 0) {
// Let us use the default LDAP_PORT, 389
dwPort = LDAP_PORT;
}
dwError = VMCAAllocateMemory(sizeof(*pContext), (PVOID*)&pContext);
BAIL_ON_ERROR(dwError);
if (VMCAIsIPV6AddrFormat(pszHostName))
{
dwError = VMCAAllocateStringPrintfA(
&pszUrl,
"ldap://[%s]:%d",
pszHostName,
dwPort);
}
else
{
dwError = VMCAAllocateStringPrintfA(
&pszUrl,
"ldap://%s:%d",
pszHostName,
dwPort);
}
BAIL_ON_ERROR(dwError);
if(IsNullOrEmptyString(pszPassword))
{ // no credentials, do anonymous bind.
dwError = ldap_initialize(&pContext->pConnection, pszUrl);
BAIL_ON_ERROR(dwError);
if (pContext->pConnection == NULL) {
ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError);
//dwError = ld_errno; //LdapGetLastError();
BAIL_ON_ERROR(dwError);
}
dwError = ldap_set_option(pContext->pConnection,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&dwVersion);
BAIL_ON_ERROR(dwError);
dwError = ldap_set_option(pContext->pConnection,
LDAP_OPT_SIZELIMIT,
(void*)& dwReturns);
BAIL_ON_ERROR(dwError);
dwError = ldap_sasl_bind_s(
pContext->pConnection,
pszUsername,
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
}
else
{
dwError = VmCASASLSRPBind(
&pContext->pConnection,
pszUrl,
pszUsername,
pszPassword);
}
#ifdef LDAP_ERROR_MESSAGE
if(dwError != 0) {
printf("Error :%s\n",ldap_err2string(dwError));
}
#endif
BAIL_ON_ERROR(dwError);
*ppLotus = pContext;
cleanup:
VMCA_SAFE_FREE_STRINGA(pszUrl);
return dwError;
error:
if ((dwError != 0) && pContext)
{
VMCALdapClose(pContext);
}
goto cleanup;
}
