usr/src/cmd/ndmpd/ndmp/ndmpd_connect.c

root/usr/src/cmd/ndmpd/ndmp/ndmpd_connect.c
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * BSD 3 Clause License
 *
 * Copyright (c) 2007, The Storage Networking Industry Association.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *      - Redistributions of source code must retain the above copyright
 *        notice, this list of conditions and the following disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above copyright
 *        notice, this list of conditions and the following disclaimer in
 *        the documentation and/or other materials provided with the
 *        distribution.
 *
 *      - Neither the name of The Storage Networking Industry Association (SNIA)
 *        nor the names of its contributors may be used to endorse or promote
 *        products derived from this software without specific prior written
 *        permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
/* Copyright (c) 2007, The Storage Networking Industry Association. */
/* Copyright (c) 1996, 1997 PDC, Network Appliance. All Rights Reserved */
/* Copyright 2014 Nexenta Systems, Inc. All rights reserved. */

#include <sys/types.h>
#include <errno.h>
#include <pwd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <md5.h>
#include <shadow.h>
#include <crypt.h>
#include <alloca.h>
#include "ndmpd_common.h"
#include "ndmpd.h"
#include <libndmp.h>
#include <ndmpd_door.h>
#include <security/pam_appl.h>


static int ndmpd_connect_auth_text(char *uname, char *auth_id,
    char *auth_password);
static int ndmpd_connect_auth_md5(char *uname, char *auth_id, char *auth_digest,
    unsigned char *auth_challenge);
static struct conn_list *ndmp_connect_list_find(ndmp_connection_t *connection);
static void create_md5_digest(unsigned char *digest, char *passwd,
    unsigned char *challenge);
static struct conn_list *ndmp_connect_list_find_id(int id);

/* routines for connection info */
void ndmp_connect_list_get(ndmp_door_ctx_t *enc_ctx);
static void connection_get(struct conn_list *clp, ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_conn(struct conn_list *clp,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_v2(ndmp_connection_t *connection,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_scsi_v2(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_tape_v2(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_mover_v2(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_data_v2(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_v3(ndmp_connection_t *connection,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_mover_v3(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
static void ndmp_connect_get_data_v3(ndmpd_session_t *session,
    ndmp_door_ctx_t *enc_ctx);
void ndmpd_get_devs(ndmp_door_ctx_t *enc_ctx);

#ifndef LIST_FOREACH
#define LIST_FOREACH(var, head, field)                                  \
        for ((var) = (head)->lh_first; (var); (var) = (var)->field.le_next)
#endif /* LIST_FOREACH */

/*
 * List of active connections.
 */
struct conn_list {
        LIST_ENTRY(conn_list) cl_q;
        int cl_id;
        ndmp_connection_t *cl_conn;
};
LIST_HEAD(cl_head, conn_list);

/*
 * Head of the active connections.
 */
static struct cl_head cl_head;

mutex_t cl_mutex = DEFAULTMUTEX;


/*
 * Set this variable to non-zero to print verbose information.
 */
int ndmp_connect_print_verbose = 0;


/*
 * ************************************************************************
 * NDMP V2 HANDLERS
 * ************************************************************************
 */

/*
 * ndmpd_connect_open_v2
 *
 * This handler sets the protocol version to be used on the connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   body       (input) - request message body.
 *
 * Returns:
 *   void
 */

void
ndmpd_connect_open_v2(ndmp_connection_t *connection, void *body)
{
        ndmp_connect_open_request *request = (ndmp_connect_open_request *)body;
        ndmp_connect_open_reply reply;
        ndmpd_session_t *session;

        reply.error = NDMP_NO_ERR;

        if (!(session = (ndmpd_session_t *)ndmp_get_client_data(connection)))
                return;

        if (session->ns_mover.md_state != NDMP_MOVER_STATE_IDLE ||
            session->ns_data.dd_state != NDMP_DATA_STATE_IDLE)
                reply.error = NDMP_ILLEGAL_STATE_ERR;
        else if (request->protocol_version > ndmp_ver)
                reply.error = NDMP_ILLEGAL_ARGS_ERR;

        ndmp_send_reply(connection, (void *) &reply,
            "sending connect_open reply");

        /*
         * Set the protocol version.
         * Must wait until after sending the reply since the reply
         * must be sent using the same protocol version that was used
         * to process the request.
         */
        if (reply.error == NDMP_NO_ERR) {
                NDMP_LOG(LOG_DEBUG, "set ver to: %d",
                    request->protocol_version);
                ndmp_set_version(connection, request->protocol_version);
                session->ns_protocol_version = request->protocol_version;
        }
}


/*
 * ndmpd_connect_client_auth_v2
 *
 * This handler authorizes the NDMP connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpd_connect_client_auth_v2(ndmp_connection_t *connection, void *body)
{
        ndmp_connect_client_auth_request *request;
        ndmp_connect_client_auth_reply reply;
        ndmp_auth_text *auth;
        ndmpd_session_t *session;
        ndmp_auth_md5 *md5;
        unsigned char md5_digest[16];
        char *passwd, *dec_passwd;
        char *uname;

        request = (ndmp_connect_client_auth_request *)body;
        NDMP_LOG(LOG_DEBUG, "auth_type:%s",
            request->auth_data.auth_type == NDMP_AUTH_NONE ? "None" :
            (request->auth_data.auth_type == NDMP_AUTH_TEXT ? "Text" :
            (request->auth_data.auth_type == NDMP_AUTH_MD5 ? "MD5" :
            "Invalid")));

        reply.error = NDMP_NO_ERR;

        switch (request->auth_data.auth_type) {
        case NDMP_AUTH_NONE:
                /*
                 * Allow no authorization for development.
                 * Comment the following for a non-secure production server.
                 */
                NDMP_LOG(LOG_ERR, "Authorization denied.");
                NDMP_LOG(LOG_ERR,
                    "Authorization type should be md5 or cleartext.");
                reply.error = NDMP_ILLEGAL_ARGS_ERR;
                ndmpd_audit_connect(connection, EINVAL);
                break;

        case NDMP_AUTH_TEXT:
                /* Check authorization.  */
                if ((uname = ndmpd_get_prop(NDMP_CLEARTEXT_USERNAME)) == NULL ||
                    *uname == 0) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR, "User name is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                }
                auth = &request->auth_data.ndmp_auth_data_u.auth_text;
                if (strcmp(uname, auth->user) != 0) {
                        NDMP_LOG(LOG_ERR,
                            "Authorization denied. Not a valid user.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        break;
                }
                passwd = ndmpd_get_prop(NDMP_CLEARTEXT_PASSWORD);
                if (!passwd || !*passwd) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR,
                            "Cleartext password is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                } else {
                        dec_passwd = ndmp_base64_decode(passwd);
                }
                if (!dec_passwd || !*dec_passwd ||
                    strcmp(auth->password, dec_passwd) != 0) {
                        NDMP_LOG(LOG_ERR,
                            "Authorization denied. Invalid password.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                } else {
                        NDMP_LOG(LOG_DEBUG, "Authorization granted.");
                }
                ndmpd_audit_connect(connection, reply.error ?
                    ADT_FAIL_PAM + PAM_AUTH_ERR : 0);

                free(dec_passwd);
                break;

        case NDMP_AUTH_MD5:
                /* Check authorization.  */
                if ((uname = ndmpd_get_prop(NDMP_CRAM_MD5_USERNAME)) == NULL ||
                    *uname == 0) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR,  "User name is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                }
                md5 = &request->auth_data.ndmp_auth_data_u.auth_md5;
                passwd = ndmpd_get_prop(NDMP_CRAM_MD5_PASSWORD);
                if (!passwd || !*passwd) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR, "MD5 password is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                } else {
                        dec_passwd = ndmp_base64_decode(passwd);
                }
                session = ndmp_get_client_data(connection);
                create_md5_digest(md5_digest, dec_passwd,
                    session->ns_challenge);

                if (strcmp(uname, md5->user) != 0) {
                        NDMP_LOG(LOG_ERR,
                            "Authorization denied. Not a valid user.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                } else if (memcmp(md5_digest, md5->auth_digest,
                    sizeof (md5_digest)) != 0) {
                        NDMP_LOG(LOG_ERR,
                            "Authorization denied. Invalid password.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                } else {
                        NDMP_LOG(LOG_DEBUG, "Authorization granted");
                }
                ndmpd_audit_connect(connection, reply.error ?
                    ADT_FAIL_PAM + PAM_AUTH_ERR : 0);

                free(dec_passwd);
                break;

        default:
                reply.error = NDMP_ILLEGAL_ARGS_ERR;
        }

        if (reply.error == NDMP_NO_ERR)
                ndmp_set_authorized(connection, TRUE);
        else
                ndmp_set_authorized(connection, FALSE);

        ndmp_send_reply(connection, (void *) &reply,
            "sending ndmp_connect_client_auth reply");
}


/*
 * ndmpd_connect_server_auth_v2
 *
 * This handler authenticates the server to the client.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpd_connect_server_auth_v2(ndmp_connection_t *connection, void *body)
{
        ndmp_connect_server_auth_request *request;
        ndmp_connect_server_auth_reply reply;

        request = (ndmp_connect_server_auth_request *)body;

        NDMP_LOG(LOG_DEBUG, "auth_type:%s",
            request->client_attr.auth_type == NDMP_AUTH_NONE ? "None" :
            (request->client_attr.auth_type == NDMP_AUTH_TEXT ? "Text" :
            (request->client_attr.auth_type == NDMP_AUTH_MD5 ? "MD5" :
            "Invalid")));

        reply.error = NDMP_NO_ERR;
        reply.auth_result.auth_type = request->client_attr.auth_type;
        switch (request->client_attr.auth_type) {
        case NDMP_AUTH_NONE:
                break;

        case NDMP_AUTH_TEXT:
                reply.auth_result.ndmp_auth_data_u.auth_text.user = "ndmpd";
                reply.auth_result.ndmp_auth_data_u.auth_text.password =
                    "ndmpsdk";
                break;

        case NDMP_AUTH_MD5:
                reply.error = NDMP_ILLEGAL_ARGS_ERR;
                break;

        default:
                reply.error = NDMP_ILLEGAL_ARGS_ERR;
        }

        ndmp_send_reply(connection, (void *) &reply,
            "sending ndmp_connect_auth reply");
}


/*
 * ndmpd_connect_close_v2
 *
 * This handler closes the connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
/*ARGSUSED*/
void
ndmpd_connect_close_v2(ndmp_connection_t *connection, void *body)
{
        ndmpd_session_t *session;

        if ((session = (ndmpd_session_t *)ndmp_get_client_data(connection))) {
                (void) ndmp_close(connection);
                session->ns_eof = TRUE;
        }
}

/*
 * ************************************************************************
 * NDMP V3 HANDLERS
 * ************************************************************************
 */

/*
 * ndmpd_connect_client_auth_v3
 *
 * This handler authorizes the NDMP connection.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
void
ndmpd_connect_client_auth_v3(ndmp_connection_t *connection, void *body)
{
        ndmp_connect_client_auth_request_v3 *request;
        ndmp_connect_client_auth_reply_v3 reply;
        ndmp_auth_text_v3 *auth;
        ndmpd_session_t *session;
        ndmp_auth_md5_v3 *md5;
        struct in_addr addr;
        char *uname;
        char *type;

        request = (ndmp_connect_client_auth_request_v3 *)body;
        NDMP_LOG(LOG_DEBUG, "auth_type %s",
            request->auth_data.auth_type == NDMP_AUTH_NONE ? "None" :
            request->auth_data.auth_type == NDMP_AUTH_TEXT ? "Text" :
            request->auth_data.auth_type == NDMP_AUTH_MD5 ? "MD5" : "Invalid");

        reply.error = NDMP_NO_ERR;

        switch (request->auth_data.auth_type) {
        case NDMP_AUTH_NONE:
                type = "none";
                reply.error = NDMP_NOT_SUPPORTED_ERR;
                ndmpd_audit_connect(connection, ENOTSUP);
                break;

        case NDMP_AUTH_TEXT:
                /* Check authorization.  */
                if ((uname = ndmpd_get_prop(NDMP_CLEARTEXT_USERNAME)) == NULL ||
                    *uname == 0) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR, "User name is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                }
                type = "text";
                auth = &request->auth_data.ndmp_auth_data_v3_u.auth_text;
                reply.error = ndmpd_connect_auth_text(uname, auth->auth_id,
                    auth->auth_password);
                ndmpd_audit_connect(connection, reply.error ?
                    ADT_FAIL_PAM + PAM_AUTH_ERR : 0);
                break;

        case NDMP_AUTH_MD5:
                /* Check authorization.  */
                if ((uname = ndmpd_get_prop(NDMP_CRAM_MD5_USERNAME)) == NULL ||
                    *uname == 0) {
                        NDMP_LOG(LOG_ERR, "Authorization denied.");
                        NDMP_LOG(LOG_ERR, "User name is not set at server.");
                        reply.error = NDMP_NOT_AUTHORIZED_ERR;
                        ndmp_set_authorized(connection, FALSE);
                        ndmp_send_reply(connection, (void *) &reply,
                            "sending ndmp_connect_client_auth reply");
                        ndmpd_audit_connect(connection,
                            ADT_FAIL_PAM + PAM_AUTH_ERR);
                        return;
                }
                type = "md5";
                session = ndmp_get_client_data(connection);
                md5 = &request->auth_data.ndmp_auth_data_v3_u.auth_md5;
                reply.error = ndmpd_connect_auth_md5(uname, md5->auth_id,
                    md5->auth_digest, session->ns_challenge);
                ndmpd_audit_connect(connection, reply.error ?
                    ADT_FAIL_PAM + PAM_AUTH_ERR : 0);
                break;

        default:
                type = "unknown";
                reply.error = NDMP_ILLEGAL_ARGS_ERR;
                ndmpd_audit_connect(connection, EINVAL);
        }

        if (reply.error == NDMP_NO_ERR) {
                ndmp_set_authorized(connection, TRUE);
        } else {
                ndmp_set_authorized(connection, FALSE);
                if (tcp_get_peer(connection->conn_sock, &addr.s_addr,
                    NULL) != -1) {
                        NDMP_LOG(LOG_ERR,
                            "Authorization(%s) denied for %s.", type,
                            inet_ntoa(IN_ADDR(addr)));
                }
        }

        ndmp_send_reply(connection, (void *) &reply,
            "sending ndmp_connect_auth reply");
}


/*
 * ndmpd_connect_close_v3
 *
 * Close the connection to the DMA.
 * Send the SHUTDOWN message before closing the socket connection to the DMA.
 *
 * Parameters:
 *   connection (input) - connection handle.
 *   msginfo    (input) - request message.
 *
 * Returns:
 *   void
 */
/*ARGSUSED*/
void
ndmpd_connect_close_v3(ndmp_connection_t *connection, void *body)
{
        ndmpd_session_t *session;
        ndmp_lbr_params_t *nlp;
        ndmp_notify_connected_request req;

        if (!(session = (ndmpd_session_t *)ndmp_get_client_data(connection)))
                return;
        if ((nlp = ndmp_get_nlp(session)) == NULL)
                return;

        NDMP_LOG(LOG_DEBUG, "ver: %u",
            session->ns_protocol_version);

        /* Send the SHUTDOWN message before closing the connection. */
        req.reason = NDMP_SHUTDOWN;
        req.protocol_version = session->ns_protocol_version;
        req.text_reason = "Connection closed by server.";

        if (ndmp_send_request(connection, NDMP_NOTIFY_CONNECTION_STATUS,
            NDMP_NO_ERR, (void *) &req, 0) < 0) {
                NDMP_LOG(LOG_NOTICE, "Sending connection shutdown notify");
                return;
        }

        (void) mutex_lock(&nlp->nlp_mtx);
        ndmp_close(connection);
        session->ns_eof = TRUE;
        (void) cond_broadcast(&nlp->nlp_cv);
        (void) mutex_unlock(&nlp->nlp_mtx);
}

/*
 * ************************************************************************
 * NDMP V4 HANDLERS
 * ************************************************************************
 */

/*
 * ************************************************************************
 * LOCALS
 * ************************************************************************
 */

/*
 * create_md5_digest
 *
 * This function uses the MD5 message-digest algorithm described
 * in RFC1321 to authenticate the client using a shared secret (password).
 * The message used to compute the MD5 digest is a concatenation of password,
 * null padding, the 64 byte fixed length challenge and a repeat of the
 * password. The length of the null padding is chosen to result in a 128 byte
 * fixed length message. The lengh of the padding can be computed as
 * 64 - 2*(length of the password). The client digest is computed using the
 * server challenge from the NDMP_CONFIG_GET_AUTH_ATTR reply.
 *
 * Parameters:
 *   digest (output) - 16 bytes MD5 digest
 *   passwd (input) - user password
 *   challenge (input) - 64 bytes server challenge
 *
 * Returns:
 *   void
 */
static void
create_md5_digest(unsigned char *digest, char *passwd, unsigned char *challenge)
{
        char buf[130];
        char *p = &buf[0];
        int len, i;
        MD5_CTX md;
        char *pwd;

        *p = 0;
        pwd = passwd;
        if ((len = strlen(pwd)) > MD5_PASS_LIMIT)
                len = MD5_PASS_LIMIT;
        (void) memcpy(p, pwd, len);
        p += len;

        for (i = 0; i < MD5_CHALLENGE_SIZE - 2 * len; i++)
                *p++ = 0;

        (void) memcpy(p, challenge, MD5_CHALLENGE_SIZE);
        p += MD5_CHALLENGE_SIZE;
        (void) strlcpy(p, pwd, MD5_PASS_LIMIT);

        MD5Init(&md);
        MD5Update(&md, buf, 128);
        MD5Final(digest, &md);
}

/*
 * ndmp_connect_list_find
 *
 * Find the element in the active connection list.
 *
 * Parameters:
 *   connection (input) - connection handler.
 *
 * Returns:
 *   NULL - error
 *   connection list element pointer
 */
static struct conn_list *
ndmp_connect_list_find(ndmp_connection_t *connection)
{
        struct conn_list *clp;

        NDMP_LOG(LOG_DEBUG, "connection: 0x%p",
            connection);

        LIST_FOREACH(clp, &cl_head, cl_q) {
                if (clp->cl_conn == connection) {
                        (void) mutex_unlock(&cl_mutex);
                        return (clp);
                }
        }
        return (NULL);
}

/*
 * ndmpconnect_list_add
 *
 * Add the new connection to the list of the active connections.
 *
 * Parameters:
 *   connection (input) - connection handler.
 *   id (input/output) - pointer to connection id.
 *
 * Returns:
 *   0 - success
 *  -1 - error
 */
int
ndmp_connect_list_add(ndmp_connection_t *connection, int *id)
{
        struct conn_list *clp;

        if (connection == NULL) {
                NDMP_LOG(LOG_DEBUG, "Invalid argument");
                return (-1);
        }

        if ((clp = ndmp_malloc(sizeof (struct conn_list))) == NULL)
                return (-1);

        clp->cl_conn = connection;
        clp->cl_id = *id;

        (void) mutex_lock(&cl_mutex);
        LIST_INSERT_HEAD(&cl_head, clp, cl_q);
        (*id)++;
        (void) mutex_unlock(&cl_mutex);

        return (0);
}

/*
 * ndmp_connect_list_del
 *
 * Delete the specified connection from the list.
 *
 * Parameters:
 *   connection (input) - connection handler.
 *
 * Returns:
 *   0 - success
 *  -1 - error
 */
int
ndmp_connect_list_del(ndmp_connection_t *connection)
{
        struct conn_list *clp;

        (void) mutex_lock(&cl_mutex);
        if (!(clp = ndmp_connect_list_find(connection))) {
                (void) mutex_unlock(&cl_mutex);
                NDMP_LOG(LOG_DEBUG, "connection not found");
                return (-1);
        }

        LIST_REMOVE(clp, cl_q);
        (void) mutex_unlock(&cl_mutex);
        free(clp);

        return (0);
}


/*
 * ndmpconnect_list_find_id
 *
 * Find the element specified by its id in the list of active connections.
 *
 * Parameters:
 *   id (input) - connection id.
 *
 * Returns:
 *   NULL - error
 *   connection list element pointer
 */
static struct conn_list *
ndmp_connect_list_find_id(int id)
{
        struct conn_list *clp;

        NDMP_LOG(LOG_DEBUG, "id: %d", id);

        (void) mutex_lock(&cl_mutex);
        LIST_FOREACH(clp, &cl_head, cl_q) {
                if (clp->cl_id == id) {
                        (void) mutex_unlock(&cl_mutex);
                        return (clp);
                }
        }

        (void) mutex_unlock(&cl_mutex);
        return (NULL);
}

/*
 * Get common fields of the active connection.
 */
static void
ndmp_connect_get_conn(struct conn_list *clp, ndmp_door_ctx_t *enc_ctx)
{
        int port;
        struct in_addr addr;
        char cl_addr[NDMP_CL_ADDR_LEN];
        ndmpd_session_t *session;

        if (!(session = (ndmpd_session_t *)ndmp_get_client_data(clp->cl_conn)))
                return;

        ndmp_door_put_int32(enc_ctx, clp->cl_id);
        ndmp_door_put_int32(enc_ctx, session->ns_protocol_version);
        ndmp_door_put_int32(enc_ctx, clp->cl_conn->conn_authorized);
        ndmp_door_put_int32(enc_ctx, session->ns_eof);
        if (tcp_get_peer(clp->cl_conn->conn_sock, &(addr.s_addr), &port) != -1)
                (void) snprintf(cl_addr, NDMP_CL_ADDR_LEN, "%s:%d",
                    (char *)inet_ntoa(addr), port);
        else
                cl_addr[0] = '\0';
        ndmp_door_put_string(enc_ctx, cl_addr);
}

/*
 * Get the connection SCSI info.
 */
static void
ndmp_connect_get_scsi_v2(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        ndmp_door_put_int32(enc_ctx, session->ns_scsi.sd_is_open);
        ndmp_door_put_string(enc_ctx, session->ns_scsi.sd_adapter_name);
        ndmp_door_put_int32(enc_ctx, session->ns_scsi.sd_valid_target_set);
        if (session->ns_scsi.sd_valid_target_set) {
                ndmp_door_put_int32(enc_ctx, session->ns_scsi.sd_sid);
                ndmp_door_put_int32(enc_ctx, session->ns_scsi.sd_lun);
        }
}

/*
 * Get the connection tape info.
 */
static void
ndmp_connect_get_tape_v2(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        char dev_name[NDMP_TAPE_DEV_NAME];

        ndmp_door_put_int32(enc_ctx, session->ns_tape.td_fd);
        if (session->ns_tape.td_fd != -1) {
                ndmp_door_put_uint64(enc_ctx, session->ns_tape.td_record_count);
                ndmp_door_put_int32(enc_ctx, session->ns_tape.td_mode);
                (void) snprintf(dev_name, NDMP_TAPE_DEV_NAME, "%st%02x%x",
                    session->ns_tape.td_adapter_name, session->ns_tape.td_sid,
                    session->ns_tape.td_lun);
                ndmp_door_put_string(enc_ctx, dev_name);
                ndmp_door_put_string(enc_ctx, session->ns_tape.td_adapter_name);
                ndmp_door_put_int32(enc_ctx, session->ns_tape.td_sid);
                ndmp_door_put_int32(enc_ctx, session->ns_tape.td_lun);
        }
}

/*
 * Get the connection mover info.
 */
static void
ndmp_connect_get_mover_v2(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_state);
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_mode);
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_pause_reason);
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_halt_reason);
        ndmp_door_put_uint64(enc_ctx, session->ns_mover.md_record_size);
        ndmp_door_put_uint64(enc_ctx, session->ns_mover.md_record_num);
        ndmp_door_put_uint64(enc_ctx, session->ns_mover.md_position);
        ndmp_door_put_uint64(enc_ctx, session->ns_mover.md_window_offset);
        ndmp_door_put_uint64(enc_ctx, session->ns_mover.md_window_length);
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_sock);
}

/*
 * Get the connection common data info.
 */
static void
ndmp_connect_get_data_common(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        int i;
        ndmp_pval *ep;
        int len;

        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_operation);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_state);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_halt_reason);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_sock);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_mover.addr_type);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_abort);
        ndmp_door_put_uint64(enc_ctx, session->ns_data.dd_read_offset);
        ndmp_door_put_uint64(enc_ctx, session->ns_data.dd_read_length);
        ndmp_door_put_uint64(enc_ctx, session->ns_data.dd_data_size);
        /* verify data.env has as much data as in session->ns_data.dd_env_len */
        len = 0;
        ep = session->ns_data.dd_env;
        for (i = 0; ep && i < session->ns_data.dd_env_len; i++, ep++)
                len++;

        /* put the len */
        (void) mutex_lock(&session->ns_lock);
        ndmp_door_put_uint64(enc_ctx, len);
        ep = session->ns_data.dd_env;
        for (i = 0; i < len; i++, ep++) {
                ndmp_door_put_string(enc_ctx, ep->name);
                ndmp_door_put_string(enc_ctx, ep->value);
        }
        (void) mutex_unlock(&session->ns_lock);
}

/*
 * Get the connection data info.
 */
static void
ndmp_connect_get_data_v2(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        int i;
        ndmp_name *np;
        char tcp_addr[NDMP_TCP_ADDR_SIZE];

        ndmp_connect_get_data_common(session, enc_ctx);

        switch (session->ns_data.dd_mover.addr_type) {
        case NDMP_ADDR_LOCAL:
                (void) snprintf(tcp_addr, NDMP_TCP_ADDR_SIZE, "%s", "Local");
                ndmp_door_put_string(enc_ctx, tcp_addr);
                break;
        case NDMP_ADDR_TCP:
                (void) snprintf(tcp_addr, NDMP_TCP_ADDR_SIZE, "%s:%d",
                    (char *)inet_ntoa(IN_ADDR(
                    session->ns_data.dd_mover.ndmp_mover_addr_u.addr.ip_addr)),
                    session->ns_data.dd_mover.ndmp_mover_addr_u.addr.port);
                ndmp_door_put_string(enc_ctx, tcp_addr);
                break;
        default:
                (void) snprintf(tcp_addr, NDMP_TCP_ADDR_SIZE, "%s", "Unknown");
                ndmp_door_put_string(enc_ctx, tcp_addr);
        }

        ndmp_door_put_uint64(enc_ctx, session->ns_data.dd_nlist_len);
        np = session->ns_data.dd_nlist;
        for (i = 0; np && i < (int)session->ns_data.dd_nlist_len; i++, np++) {
                ndmp_door_put_string(enc_ctx, np->name);
                ndmp_door_put_string(enc_ctx, np->dest);
        }
}

/*
 * Get V2 connection info.
 */
static void
ndmp_connect_get_v2(ndmp_connection_t *connection, ndmp_door_ctx_t *enc_ctx)
{
        ndmpd_session_t *session;

        if ((session = (ndmpd_session_t *)ndmp_get_client_data(connection))) {
                ndmp_connect_get_scsi_v2(session, enc_ctx);
                ndmp_connect_get_tape_v2(session, enc_ctx);
                ndmp_connect_get_mover_v2(session, enc_ctx);
                ndmp_connect_get_data_v2(session, enc_ctx);
        }
}

/*
 * Get the V3 connection mover info.
 */
static void
ndmp_connect_get_mover_v3(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        char tcp_addr[NDMP_TCP_ADDR_SIZE];

        /* get all the V2 mover data first */
        ndmp_connect_get_mover_v2(session, enc_ctx);

        /* get the V3 mover data now */
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_listen_sock);
        ndmp_door_put_int32(enc_ctx, session->ns_mover.md_data_addr.addr_type);
        tcp_addr[0] = '\0';
        (void) snprintf(tcp_addr, NDMP_TCP_ADDR_SIZE, "%s:%d",
            (char *)
            inet_ntoa(IN_ADDR(session->ns_mover.md_data_addr.tcp_ip_v3)),
            (int)session->ns_mover.md_data_addr.tcp_port_v3);
        ndmp_door_put_string(enc_ctx, tcp_addr);
}

/*
 * Get the connection data info.
 */
static void
ndmp_connect_get_data_v3(ndmpd_session_t *session, ndmp_door_ctx_t *enc_ctx)
{
        ulong_t i;
        mem_ndmp_name_v3_t *np;
        char tcp_addr[NDMP_TCP_ADDR_SIZE];

        ndmp_connect_get_data_common(session, enc_ctx);

        (void) snprintf(tcp_addr, NDMP_TCP_ADDR_SIZE, "%s:%d",
            (char *)inet_ntoa(IN_ADDR(session->ns_data.dd_data_addr.tcp_ip_v3)),
            (int)session->ns_data.dd_data_addr.tcp_port_v3);
        ndmp_door_put_string(enc_ctx, tcp_addr);
        ndmp_door_put_int32(enc_ctx, session->ns_data.dd_listen_sock);
        ndmp_door_put_uint64(enc_ctx,
            session->ns_data.dd_module.dm_stats.ms_bytes_processed);
        ndmp_door_put_uint64(enc_ctx, session->ns_data.dd_nlist_len);
        np = session->ns_data.dd_nlist_v3;
        for (i = 0; np && i < (int)session->ns_data.dd_nlist_len; i++, np++) {
                ndmp_door_put_string(enc_ctx, np->nm3_opath);
                ndmp_door_put_string(enc_ctx, np->nm3_dpath);
                ndmp_door_put_uint64(enc_ctx, np->nm3_node);
                ndmp_door_put_uint64(enc_ctx, np->nm3_fh_info);
        }
}

/*
 * Get V3 connection info.
 */
static void
ndmp_connect_get_v3(ndmp_connection_t *connection, ndmp_door_ctx_t *enc_ctx)
{
        ndmpd_session_t *session;

        if ((session = (ndmpd_session_t *)ndmp_get_client_data(connection))) {
                ndmp_connect_get_scsi_v2(session, enc_ctx);
                ndmp_connect_get_tape_v2(session, enc_ctx);
                ndmp_connect_get_mover_v3(session, enc_ctx);
                ndmp_connect_get_data_v3(session, enc_ctx);
        }
}

/*
 * Get the list of all active sessions to the clients.  For each version,
 * call the appropriate get function.
 */
static void
connection_get(struct conn_list *clp, ndmp_door_ctx_t *enc_ctx)
{
        ndmpd_session_t *session;

        session = (ndmpd_session_t *)ndmp_get_client_data(clp->cl_conn);
        if (!session) {
                ndmp_door_put_int32(enc_ctx, NDMP_SESSION_NODATA);
                return;
        }
        ndmp_door_put_int32(enc_ctx, NDMP_SESSION_DATA);

        switch (session->ns_protocol_version) {
        case NDMPV2:
                ndmp_connect_get_conn(clp, enc_ctx);
                ndmp_connect_get_v2(clp->cl_conn, enc_ctx);
                break;
        case NDMPV3:
        case NDMPV4:
                ndmp_connect_get_conn(clp, enc_ctx);
                ndmp_connect_get_v3(clp->cl_conn, enc_ctx);
                break;
        default:
                NDMP_LOG(LOG_DEBUG,
                    "Invalid session (0x%p) version 0x%x", session,
                    session->ns_protocol_version);
        }
}

/*
 * ndmpd_connect_kill
 *
 * Kill the connection based on its version.
 *
 * Parameters:
 *   connection (input) - connection handler.
 *
 * Returns:
 *   0 - success
 *  -1 - error
 */
int
ndmpd_connect_kill(ndmp_connection_t *connection)
{
        ndmpd_session_t *session;

        if (!(session = (ndmpd_session_t *)ndmp_get_client_data(connection)))
                return (-1);

        switch (session->ns_protocol_version) {
        case NDMPV2:
                ndmpd_connect_close_v2(connection, (void *)NULL);
                break;
        case NDMPV3:
        case NDMPV4:
                ndmpd_connect_close_v3(connection, (void *)NULL);
                break;
        default:
                NDMP_LOG(LOG_DEBUG,
                    "Invalid session (0x%p) version 0x%x", session,
                    session->ns_protocol_version);
        }

        return (0);
}

/*
 * Get the list of all active sessions to the clients.
 */
void
ndmp_connect_list_get(ndmp_door_ctx_t *enc_ctx)
{
        int n;
        struct conn_list *clp;

        n = 0;
        (void) mutex_lock(&cl_mutex);
        LIST_FOREACH(clp, &cl_head, cl_q) {
                n++;
        }
        /* write number of connections */
        ndmp_door_put_int32(enc_ctx, n);
        n = 0;
        LIST_FOREACH(clp, &cl_head, cl_q) {
                connection_get(clp, enc_ctx);
                n++;
        }
        (void) mutex_unlock(&cl_mutex);
}

/*
 * ndmpd_connect_kill_id
 *
 * Find a connection by its id and kill it.
 *
 * Parameters:
 *   id (input) - connection id.
 *
 * Returns:
 *   0 - success
 *  -1 - error
 */
int
ndmpd_connect_kill_id(int id)
{
        struct conn_list *clp;

        if (!(clp = ndmp_connect_list_find_id(id)))
                return (-1);

        return (ndmpd_connect_kill(clp->cl_conn));
}

/* Get the devices info */
void
ndmpd_get_devs(ndmp_door_ctx_t *enc_ctx)
{
        int i, n;
        sasd_drive_t *sd;
        scsi_link_t *slink;

        if ((n = sasd_dev_count()) == 0) {
                ndmp_door_put_int32(enc_ctx, n);
                NDMP_LOG(LOG_DEBUG, "No device attached.");
                return;
        }
        ndmp_door_put_int32(enc_ctx, n);

        for (i = 0; i < n; i++) {
                sd = sasd_drive(i);
                slink = sasd_dev_slink(i);

                ndmp_door_put_int32(enc_ctx, slink->sl_type);
                ndmp_door_put_string(enc_ctx, sd->sd_name);
                ndmp_door_put_int32(enc_ctx, slink->sl_lun);
                ndmp_door_put_int32(enc_ctx, slink->sl_sid);
                ndmp_door_put_string(enc_ctx, sd->sd_vendor);
                ndmp_door_put_string(enc_ctx, sd->sd_id);
                ndmp_door_put_string(enc_ctx, sd->sd_rev);
                ndmp_door_put_string(enc_ctx, sd->sd_serial);
                ndmp_door_put_string(enc_ctx, sd->sd_wwn);
        }
}

/*
 * ndmpd_connect_auth_text
 *
 * Checks text authorization.
 *
 * Parameters:
 *   auth_id (input) - user name
 *   auth_password(input) - password
 *
 * Returns:
 *   NDMP_NO_ERR: on success
 *   Other NDMP_ error: invalid user name and password
 */
int
ndmpd_connect_auth_text(char *uname, char *auth_id, char *auth_password)
{
        char *passwd, *dec_passwd;
        int rv;

        if (strcmp(uname, auth_id) != 0) {
                rv = NDMP_NOT_AUTHORIZED_ERR;
        } else {
                passwd = ndmpd_get_prop(NDMP_CLEARTEXT_PASSWORD);
                if (!passwd || !*passwd) {
                        rv = NDMP_NOT_AUTHORIZED_ERR;
                } else {
                        dec_passwd = ndmp_base64_decode(passwd);
                        if (dec_passwd == NULL || *dec_passwd == 0)
                                rv = NDMP_NOT_AUTHORIZED_ERR;
                        else if (strcmp(auth_password, dec_passwd) != 0)
                                rv = NDMP_NOT_AUTHORIZED_ERR;
                        else
                                rv = NDMP_NO_ERR;

                        free(dec_passwd);
                }
        }

        if (rv == NDMP_NO_ERR) {
                NDMP_LOG(LOG_DEBUG, "Authorization granted.");
        } else {
                NDMP_LOG(LOG_ERR, "Authorization denied.");
        }

        return (rv);
}


/*
 * ndmpd_connect_auth_md5
 *
 * Checks MD5 authorization.
 *
 * Parameters:
 *   auth_id (input) - user name
 *   auth_digest(input) - MD5 digest
 *      This is a 16 bytes digest info which is a MD5 transform of 128 bytes
 *      message (password + padding + server challenge + password). Server
 *      challenge is a 64 bytes random string per NDMP session sent out to the
 *      client on demand (See NDMP_CONFIG_GET_AUTH_ATTR command).
 *
 * Returns:
 *   NDMP_NO_ERR: on success
 *   Other NDMP_ error: invalid user name and password
 */
int
ndmpd_connect_auth_md5(char *uname, char *auth_id, char *auth_digest,
    unsigned char *auth_challenge)
{
        char *passwd, *dec_passwd;
        unsigned char digest[16];
        int rv;

        if (strcmp(uname, auth_id) != 0) {
                rv = NDMP_NOT_AUTHORIZED_ERR;
        } else {
                passwd = ndmpd_get_prop(NDMP_CRAM_MD5_PASSWORD);
                if (passwd == NULL || *passwd == 0) {
                        rv = NDMP_NOT_AUTHORIZED_ERR;
                } else {
                        dec_passwd = ndmp_base64_decode(passwd);

                        if (dec_passwd == NULL || *dec_passwd == 0) {
                                rv = NDMP_NOT_AUTHORIZED_ERR;
                        } else {
                                create_md5_digest(digest, dec_passwd,
                                    auth_challenge);
                                if (memcmp(digest, auth_digest,
                                    sizeof (digest)) != 0) {
                                        rv = NDMP_NOT_AUTHORIZED_ERR;
                                } else {
                                        rv = NDMP_NO_ERR;
                                }
                        }
                        free(dec_passwd);
                }
        }

        if (rv == NDMP_NO_ERR) {
                NDMP_LOG(LOG_DEBUG, "Authorization granted.");
        } else {
                NDMP_LOG(LOG_ERR, "Authorization denied.");
        }

        return (rv);
}
Illumos
