UserCredentialsImpl.mesa
Copyright © 1985 by Xerox Corporation. All rights reserved.
Levin on September 23, 1983 5:44 pm
Birrell, December 13, 1983 3:48 pm
Bob Hagmann May 3, 1985 11:24:25 am PDT
Russ Atkinson (RRA) May 13, 1985 10:05:55 pm PDT
DIRECTORY
Ascii USING [BS, ControlA, ControlQ, ControlW, ControlX, CR, DEL, Digit, ESC, Letter, SP],
Basics USING [BITXOR, RawWords],
Booting USING [CheckpointProc, RegisterProcs, RollbackProc],
ConvertUnsafe USING [AppendRope, ToRope],
DefaultRemoteNames USING [Get],
DESFace USING [Block, DecryptBlock, EncryptBlock, MakeKey],
Disk USING [DriveAttributes],
File USING [wordsPerPage],
GermSwap USING [LP, mdsiGerm],
GVBasics USING [maxRNameLength],
GVNames USING [Authenticate],
IO USING [EraseChar, GetChar, PutChar, PutRope, STREAM],
PhysicalVolume USING [NextPhysical, Physical, PhysicalInfo, ReadCredentials, WriteCredentials],
PrincOps USING [GFT, SD, sGFTLength],
Process USING [Detach, InitializeMonitor, Pause, SecondsToTicks],
Rope USING [Concat, Equal, Fetch, Find, FromChar, Length, ROPE, Substr],
UserCredentials USING [CredentialsChangeProc, defaultOptions, LoginOptions, State],
UserCredentialsBackdoor USING [GuestProcsRec],
VM USING [AddressForPageNumber, Allocate, Free, Interval, PageCount, PagesForWords, SwapIn, WordsForPages];
UserCredentialsImpl:
MONITOR
IMPORTS Ascii, Basics, Booting, ConvertUnsafe, DESFace, DefaultRemoteNames, Disk, GermSwap, GVNames, IO, PhysicalVolume, Process, Rope, VM
EXPORTS PhysicalVolume, UserCredentials, UserCredentialsBackdoor =
BEGIN OPEN UserCredentials;
Errors
IllegalParameter: ERROR = CODE;
Bug: ERROR = CODE;
DiskNotReady: ERROR = CODE;
BrokenDisk: ERROR = CODE;
Declarations for data structures on disk
credentialsImplID: CARDINAL = 08312;
obsoleteImplID: CARDINAL = credentialsImplID - 1; -- anything other than credentialsImplID
decryptedID: DESFace.Block = ALL[credentialsImplID];
Credentials: TYPE = LONG POINTER TO CredentialsObject;
CredentialsObject:
PUBLIC TYPE =
MACHINE
DEPENDENT
RECORD [
implementationID(0): CARDINAL ← credentialsImplID,
checksum(1): CARDINAL ← 0,
fill(2:0..13): CARDINAL[0..17777B] ← 0,
kind(2:14..14+2+6*16-1):
SELECT state(2:14..15): State
FROM
noCredentials => NULL,
name => [
encryptedID(3): DESFace.Block ← NULL,
userName(7): StringBody ← [length: 0, maxlength: NULL, text: NULL]
The text portion of the userName follows here
],
nameHint, nameAndPassword => [
userName(3): StringBody ← [length: 0, maxlength: NULL, text: NULL]
The text portion of the userName follows here
If state = nameAndPassword, another StringBody follows
],
ENDCASE
];
bogusCredentials: CredentialsObject = [implementationID: obsoleteImplID, kind: noCredentials[]];
Declarations for data structures in memory (germ)
The credentials are stored in the tail of the germ's MDS, just after the GFT. We can only rely on enough space to fill out the pages containing the germ's GFT.
GermString: TYPE = LONG POINTER TO LONG STRING;
germGFT: LONG POINTER = GermSwap.LP[PrincOps.GFT, GermSwap.mdsiGerm];
germSD: LONG POINTER TO Basics.RawWords = GermSwap.LP[PrincOps.SD, GermSwap.mdsiGerm];
gftLen: CARDINAL = germSD[PrincOps.sGFTLength];
nameInGerm: GermString = LOOPHOLE[germGFT+gftLen];
passwordInGerm: GermString = nameInGerm + SIZE[LONG STRING];
germFreeSpace: LONG POINTER = passwordInGerm + SIZE[LONG STRING];
germFreeSpaceCount:
CARDINAL =
VM.WordsForPages[
VM.PagesForWords[gftLen]] - (gftLen + 2*
SIZE[
LONG
STRING]);
CredentialsChange: TYPE = RECORD [proc: CredentialsChangeProc, clientData: REF ANY];
CredentialsChangeList: TYPE = LIST OF CredentialsChange;
Global Variables (protected by the monitor)
credentials: Credentials ← NIL;
credentialsBuffer: VM.Interval;
credentialsPV: PhysicalVolume.Physical;
procs: CredentialsChangeList ← NIL;
in, out: IO.STREAM ← NIL;
checkpointing: BOOL ← FALSE;
rolledBack: CONDITION ← [timeout: 0];
checkpointName, checkpointPassword: ROPE ← NIL;
IsGuestProcess: PROC [] RETURNS [isGuest: BOOL] ← FalseProc;
GuestProcs: REF UserCredentialsBackdoor.GuestProcsRec ← NEW[UserCredentialsBackdoor.GuestProcsRec ← [FalseProc]] ;
Default IsGuestProcess
FalseProc:
SAFE PROC
RETURNS [isGuest:
BOOL] =
CHECKED {
isGuest ← FALSE;
};
Exported to UserCredentialsBackdoor
RegisterGuestProcs:
PUBLIC
SAFE
PROC [newProcs:
REF UserCredentialsBackdoor.GuestProcsRec] =
CHECKED {
GuestProcs ← newProcs;
IsGuestProcess ← newProcs.IsGuestProcess;
};
Exports to UserCredentials
Login:
PUBLIC
ENTRY
SAFE PROC [
startInteraction:
SAFE PROC
RETURNS [in, out:
IO.
STREAM],
endInteraction:
SAFE PROC [in, out:
IO.
STREAM],
options: LoginOptions ← defaultOptions] =
TRUSTED {
ENABLE UNWIND => NULL;
dirty: BOOL ← FALSE;
terminalOn: BOOL ← FALSE;
oldName, oldPassword: ROPE;
newName, newPassword: ROPE;
EnsureTerminalOn:
PROC = {
IF ~terminalOn THEN {[in, out] ← startInteraction[]; terminalOn ← TRUE};
};
EnsureTerminalOff:
PROC = {
IF terminalOn THEN {endInteraction[in, out]; in ← out ← NIL; terminalOn ← FALSE};
};
HandleDiskNotReady:
PROC = {
EnsureTerminalOn[];
IO.PutRope[out, "Disk is not ready...will retry..."];
Process.Pause[Process.SecondsToTicks[5]];
IO.PutRope[out, "retrying\N"];
};
CleanupOnAbort:
PROC = {
IF options.ignoreDiskEntirely THEN FreeCredentials[] ELSE ReleaseDiskCredentials[FALSE];
SetCredentialsInGerm[oldName, oldPassword];
NotifyCredentialsChangeProcs[];
EnsureTerminalOff[];
};
EnsureInitialized[];
IF IsGuestProcess[] THEN GuestProcs.Login[startInteraction, endInteraction, options];
IF ~options.alwaysInteract
AND nameInGerm^.length > 0
THEN
already logged in
RETURN;
[oldName, oldPassword] ← GetInternal[];
AllocateCredentials[];
IF options.ignoreDiskEntirely
THEN credentials^ ← bogusCredentials
ELSE AcquireDiskCredentials[ ! DiskNotReady => {HandleDiskNotReady[]; RETRY}];
IF credentials.implementationID = credentialsImplID
THEN {
CheckCredentials:
PROC [credentials: Credentials]
RETURNS [ok:
BOOL ←
TRUE] = {
Downgrade:
PROC [state: State] = {
[] ← ChangeStateInternal[state]; dirty ← TRUE; ok ← FALSE};
WITH cred: credentials
SELECT
FROM
nameHint => {
diskUserName: ROPE = ConvertUnsafe.ToRope[@cred.userName];
EnsureTerminalOn[];
SetCredentialsInGerm[diskUserName, NIL];
[] ← GetAndAuthenticate[ ! UNWIND => CleanupOnAbort[]];
IF (dirty ← ~diskUserName.Equal[ConvertUnsafe.ToRope[nameInGerm^]])
THEN
[] ← ChangeStateInternal[nameHint];
};
nameAndPassword => {
diskUserName: ROPE = ConvertUnsafe.ToRope[@cred.userName];
diskPassword: ROPE = ConvertUnsafe.ToRope[@cred.userName + SIZE[StringBody[diskUserName.Length[]]]];
SetCredentialsInGerm[diskUserName, diskPassword];
SELECT GVNames.Authenticate[diskUserName, diskPassword]
FROM
individual, allDown => NULL;
notFound, group => Downgrade[nameHint];
badPwd => Downgrade[name];
ENDCASE => ERROR Bug;
};
name => {
EnsureTerminalOn[];
SetCredentialsInGerm[ConvertUnsafe.ToRope[@cred.userName], NIL];
DO
-- loops only if GV down and password supplied doesn't work.
block: DESFace.Block;
SELECT GetAndAuthenticate[passwordOnly !
UNWIND => CleanupOnAbort[]]
FROM
ok => {
Grapevine is up, and the credentials are valid. The password used to encrypt the information in the credentials file may not be the same one that was used (successfully) to authenticate the user to Grapevine. After all, the user may have changed his password in the Grapevine database since this procedure was last called. However, since the user name presented to Grapevine was forced to come from the disk and Grapevine authenticated the user, we can be confident that this is the same user who requested that the encrypted information be stored on the disk originally. We therefore encrypt with the new password and rewrite the credentials file. In effect, this gives us a cache of the last successful Grapevine authentication, which will be useful if Grapevine proves to be down on a subsequent Login.
DESFace.DecryptBlock[
key: DESFace.MakeKey[passwordInGerm^],
from: @cred.encryptedID, to: @block];
IF (dirty ← dirty
OR (block ~= decryptedID))
THEN
[] ← ChangeStateInternal[name];
};
bogusGVName => Downgrade[nameHint];
gvDown => {
Grapevine is down, so we must fall back on our cached information on the disk. We use the password supplied by the user to decrypt then compare it with the expected value. If it matches, the user is assumed to be authentic, and the password he supplied is highly likely to be the one he last successfully used to authenticate himself with Grapevine.
DESFace.DecryptBlock[
key: DESFace.MakeKey[passwordInGerm^],
from: @cred.encryptedID, to: @block];
IF block ~= decryptedID THEN {IO.PutRope[out, "Wrong credentials!\N"]; LOOP};
};
ENDCASE;
EXIT
ENDLOOP;
};
ENDCASE => ERROR Bug;
};
UNTIL CheckCredentials[credentials] DO ENDLOOP;
}
ELSE {
ENABLE UNWIND => CleanupOnAbort[];
RewriteDisk:
PROCEDURE
RETURNS [rewrite:
BOOLEAN] =
INLINE {
IF options.ignoreDiskEntirely THEN RETURN[FALSE];
IF ~options.confirmCredentialsOverwrite THEN RETURN[TRUE];
RETURN[~Confirm["Disk credentials missing or obsolete; shall I leave it that way? "]]
};
EnsureTerminalOn[];
IF (dirty ← RewriteDisk[])
THEN
[] ← ChangeStateInternal[
IF GetAndAuthenticate[] = ok
AND ~options.prohibitDiskProtection
AND
Confirm["Do you wish to prevent others from accessing your disk? "] THEN name
ELSE nameHint
]
ELSE [] ← GetAndAuthenticate[];
};
IF options.ignoreDiskEntirely
THEN FreeCredentials[]
ELSE
ReleaseDiskCredentials[dirty
! BrokenDisk => {
EnsureTerminalOn[];
IO.PutRope[out, "Disk error rewriting credentials file...I give up\N"];
DO ENDLOOP;
};
DiskNotReady => {HandleDiskNotReady[]; RETRY};
];
EnsureTerminalOff[];
[newName, newPassword] ← GetInternal[];
IF ~(oldName.Equal[newName,
FALSE]
AND oldPassword.Equal[newPassword])
THEN
NotifyCredentialsChangeProcs[];
};
GetState:
PUBLIC
ENTRY
SAFE
PROC
RETURNS [state: State] =
TRUSTED {
ENABLE UNWIND => NULL;
IF IsGuestProcess[] THEN RETURN GuestProcs.GetState[];
AcquireDiskCredentials[];
state ← credentials.state;
ReleaseDiskCredentials[FALSE];
};
ChangeState:
PUBLIC
ENTRY
SAFE PROC [new: State]
RETURNS [old: State] =
TRUSTED {
The internal signals from AcquireDiskCredentials and ReleaseDiskCredentials are presently uncaught, since we don't have any better way of dealing with them.
ENABLE UNWIND => NULL;
IF IsGuestProcess[] THEN RETURN GuestProcs.ChangeState[new];
AcquireDiskCredentials[];
old ← ChangeStateInternal[new];
ReleaseDiskCredentials[TRUE];
};
Get:
PUBLIC
ENTRY
SAFE PROC RETURNS [name, password:
ROPE] =
TRUSTED {
ENABLE UNWIND => NULL;
EnsureInitialized[];
IF IsGuestProcess[] THEN RETURN GuestProcs.Get[];
[name, password] ← GetInternal[];
};
RegisterForChange:
PUBLIC
ENTRY
SAFE
PROC [proc: CredentialsChangeProc, clientData:
REF
ANY ←
NIL] =
TRUSTED {
procs ← CONS[[proc, clientData], procs];
};
UnRegisterForChange:
PUBLIC
ENTRY
SAFE
PROC [proc: CredentialsChangeProc, clientData:
REF
ANY ←
NIL] =
TRUSTED {
prev: CredentialsChangeList ← NIL;
FOR cur: CredentialsChangeList ← procs, cur.rest
UNTIL cur =
NIL
DO
IF cur.first.proc = proc
AND cur.first.clientData = clientData
THEN {
IF prev = NIL THEN procs ← cur.rest ELSE prev.rest ← cur.rest;
EXIT
};
prev ← cur;
ENDLOOP;
};
*** For emergency use only ***
BreakIn:
PROC = {
BreakInInternal:
ENTRY
PROC =
INLINE {
AllocateCredentials[];
[] ← ChangeStateInternal[noCredentials];
ReleaseDiskCredentials[TRUE];
};
Process.InitializeMonitor[@LOCK];
BreakInInternal[];
};
Internal procedures
EnsureInitialized:
INTERNAL
PROC = {
Note: one might think that this could be done at module start time, rather than on every call to a public procedure of this module. However, the contents of the germ mds can change after this module is started (e.g., a checkpoint is taken, then a physical boot causes a rollback).
WHILE checkpointing DO WAIT rolledBack; ENDLOOP;
IF nameInGerm^ = NIL THEN SetCredentialsInGerm[NIL, NIL];
};
GetInternal:
PROC RETURNS [name, password:
ROPE] =
TRUSTED {
name ← ConvertUnsafe.ToRope[nameInGerm^];
password ← ConvertUnsafe.ToRope[passwordInGerm^];
};
SetCredentialsInGerm:
PROC [name, password:
ROPE] = {
nameLen: NAT = name.Length[];
passwordLen: NAT = password.Length[];
IF
SIZE[StringBody[nameLen]] +
SIZE[StringBody[passwordLen]] > germFreeSpaceCount
OR nameLen > GVBasics.maxRNameLength
OR passwordLen > GVBasics.maxRNameLength
THEN
ERROR IllegalParameter;
nameInGerm^ ← germFreeSpace;
nameInGerm^^ ← StringBody[maxlength: nameLen, text: ];
ConvertUnsafe.AppendRope[to: nameInGerm^, from: name];
passwordInGerm^ ← nameInGerm^ + SIZE[StringBody[nameLen]];
passwordInGerm^^ ← StringBody[maxlength: passwordLen, text: ];
ConvertUnsafe.AppendRope[to: passwordInGerm^, from: password];
};
ChangeStateInternal:
PROC [new: State]
RETURNS [old: State] = {
MoveString:
PROC [new, old:
LONG
STRING] = {
ConvertUnsafe.AppendRope[to: new, from: ConvertUnsafe.ToRope[old]]};
words: CARDINAL;
old ← credentials.state;
SELECT new
FROM
noCredentials => {
credentials^ ← bogusCredentials;
words ← SIZE[noCredentials CredentialsObject];
};
name => {
credentials^ ←
[kind: name[encryptedID: , userName: StringBody[maxlength: nameInGerm^.length, text: ]]];
WITH cred: credentials
SELECT
FROM
name => {
block: DESFace.Block ← decryptedID;
DESFace.EncryptBlock[
key: DESFace.MakeKey[passwordInGerm^],
from: @block, to: @cred.encryptedID];
MoveString[@cred.userName, nameInGerm^];
};
ENDCASE => ERROR Bug;
words ←
SIZE[name CredentialsObject] +
(SIZE[StringBody[nameInGerm^.length]] - SIZE[StringBody[0]]);
};
nameHint => {
credentials^ ←
[kind: nameHint[userName: StringBody[maxlength: nameInGerm^.length, text: ]]];
WITH cred: credentials
SELECT
FROM
nameHint => MoveString[@cred.userName, nameInGerm^];
ENDCASE => ERROR Bug;
words ←
SIZE[nameHint CredentialsObject] +
(SIZE[StringBody[nameInGerm^.length]] - SIZE[StringBody[0]]);
};
nameAndPassword => {
credentials^ ←
[kind: nameAndPassword[userName: StringBody[maxlength: nameInGerm^.length, text: ]]];
WITH cred: credentials
SELECT
FROM
nameAndPassword => {
diskUserName: LONG STRING = @cred.userName;
diskPassword: LONG STRING = @cred.userName + SIZE[StringBody[nameInGerm^.length]];
MoveString[@cred.userName, nameInGerm^];
diskPassword^ ← StringBody[maxlength: passwordInGerm^.length, text: ];
MoveString[diskPassword, passwordInGerm^];
};
ENDCASE => ERROR Bug;
words ←
SIZE[nameAndPassword CredentialsObject] +
(SIZE[StringBody[nameInGerm^.length]] - SIZE[StringBody[0]]) +
SIZE[StringBody[passwordInGerm^.length]];
};
ENDCASE => ERROR Bug;
credentials.checksum ← ComputeChecksum[DESCRIPTOR[credentials, words]];
};
ComputeChecksum:
PROC [input:
LONG
DESCRIPTOR
FOR
ARRAY
OF
WORD]
RETURNS [checksum: WORD ← 0] = {
FOR i:
CARDINAL
IN [0..input.
LENGTH)
DO
checksum ← Basics.BITXOR[checksum, input[i]];
ENDLOOP;
};
ValidChecksum:
PROC [input:
LONG
DESCRIPTOR
FOR
ARRAY
OF
WORD]
RETURNS [ok: BOOLEAN] = {
checksum: WORD ← 0;
FOR i:
CARDINAL
IN [0..input.
LENGTH)
DO
checksum ← Basics.BITXOR[checksum, input[i]];
ENDLOOP;
RETURN[checksum = 0]
};
GetAndAuthenticate:
PROC [askFor: {both, passwordOnly} ← both]
RETURNS [outcome: {ok, bogusGVName, gvDown} ← ok] = {
Rubout: ERROR = CODE;
GetID:
PROC [default:
ROPE, echo:
BOOL ←
TRUE]
RETURNS [id:
ROPE] = {
OPEN Ascii;
firstTime: BOOLEAN ← TRUE;
c: CHAR;
EraseAll:
PROC = {
IF echo
THEN
FOR i: INT DECREASING IN [0..id.Length[]) DO out.EraseChar[id.Fetch[i]]; ENDLOOP;
id ← NIL;
};
Done:
PROC [c:
CHAR]
RETURNS [
BOOL] =
INLINE {
IF firstTime
THEN {
SELECT c
FROM
ControlA, BS, ControlQ, ControlW, ControlX, CR, SP => NULL;
ENDCASE => EraseAll[];
firstTime ← FALSE;
};
RETURN[c = SP OR c = CR]
};
id ← default;
IF echo THEN IO.PutRope[out, default];
c ← in.GetChar[];
UNTIL Done[c]
DO
SELECT c
FROM
DEL => ERROR Rubout;
ControlA,
BS => {
len: INT ← id.Length[];
IF len > 0
THEN {
len ← len - 1;
IF echo THEN out.EraseChar[id.Fetch[len]];
id ← id.Substr[len: len];
};
};
ControlW, ControlQ => {
text to be backed up is of the form ...<non-alpha><alpha><non-alpha>, the <alpha> and following <non-alpha> are to be removed.
alpha: BOOL ← FALSE;
FOR i:
INT
DECREASING
IN [0..id.Length[])
DO
ch: CHAR = id.Fetch[i];
IF Ascii.Letter[ch] OR Ascii.Digit[ch] THEN alpha ← TRUE
ELSE IF alpha THEN {id ← id.Substr[len: i + 1]; EXIT};
IF echo THEN out.EraseChar[ch];
REPEAT
FINISHED => id ← NIL;
ENDLOOP;
};
ControlX => EraseAll[];
ENDCASE => {id ← id.Concat[Rope.FromChar[c]]; IF echo THEN out.PutChar[c]};
c ← in.GetChar[];
ENDLOOP;
};
name, password: ROPE ← NIL;
cancelString: ROPE = " XXX\N";
DO
ENABLE UNWIND => IO.PutRope[out, cancelString];
name ← ConvertUnsafe.ToRope[nameInGerm^];
IO.PutRope[out, "Name: "];
IF askFor = passwordOnly
THEN IO.PutRope[out, name]
ELSE {
name ← GetID[name ! Rubout => {IO.PutRope[out, cancelString]; LOOP}];
IF name.Find["."] = -1
THEN {
defaultRegistry: ROPE = Rope.Concat[".", DefaultRemoteNames.Get[].registry];
IO.PutRope[out, defaultRegistry]; name ← name.Concat[defaultRegistry]};
};
IO.PutRope[out, " password: "];
password ← GetID[NIL, FALSE ! Rubout => {IO.PutRope[out, cancelString]; LOOP}];
SetCredentialsInGerm[name, password];
IO.PutRope[out, " GV..."];
SELECT GVNames.Authenticate[name, password]
FROM
individual => {IO.PutRope[out, "ok\N"]; EXIT};
notFound, group => {
IO.PutRope[out, "invalid user name"];
IF askFor = passwordOnly THEN {out.PutChar['\N]; outcome ← bogusGVName; EXIT};
};
badPwd => IO.PutRope[out, "incorrect password"];
allDown => {
IO.PutRope[out, "Grapevine down, proceeding anyway\N"]; outcome ← gvDown; EXIT};
ENDCASE;
IO.PutRope[out, ", try again.\N"];
ENDLOOP;
};
Confirm:
PROCEDURE [message:
ROPE ←
NIL]
RETURNS [
BOOL] = {
DO
IF message ~= NIL THEN IO.PutRope[out, message];
SELECT in.GetChar[ !
UNWIND =>
IO.PutRope[out, " XXX\N"]]
FROM
'y, 'Y, Ascii.SP, Ascii.CR, Ascii.ESC => {IO.PutRope[out, "Yes\N"]; RETURN[TRUE]};
'n, 'N, Ascii.DEL => {IO.PutRope[out, "No\N"]; RETURN[FALSE]};
ENDCASE;
ENDLOOP};
Registration stuff
NotifyCredentialsChangeProcs:
PROC = {
RRA: fork the notifier process so we can call to Get to obtain the credentials. After all, it does seem natural to use the user name when noticing that the credentials have changed, doesn't it? Copy the list to allow changes to occur without disturbing our enumeration.
Process.Detach[FORK NotifyProcess[CopyCredentialsChangeList[procs]]];
};
NotifyProcess:
PROC [list: CredentialsChangeList] = {
WHILE list #
NIL
DO
list.first.proc[list.first.clientData];
list ← list.rest;
ENDLOOP;
};
CopyCredentialsChangeList:
PROC [list: CredentialsChangeList]
RETURNS [head: CredentialsChangeList ←
NIL] = {
IF list #
NIL
THEN {
tail: CredentialsChangeList ← head ← LIST[list.first];
DO
list ← list.rest;
IF list = NIL THEN EXIT;
tail ← tail.rest ← LIST[list.first];
ENDLOOP;
};
};
Disk access
AllocateCredentials:
PROC = {
diskCredentialsPages:
VM.PageCount =
VM.PagesForWords[File.wordsPerPage];
PhysicalVolume assumes that the credentials occupy a maximum of File.wordsPerPage words. We assert that:
File.wordsPerPage >= SIZE[nameAndPassword CredentialsObject] - SIZE[StringBody[0]] +
2*SIZE[StringBody[GVBasics.maxRNameLength]]];
credentialsBuffer ← VM.Allocate[diskCredentialsPages];
credentials ← VM.AddressForPageNumber[credentialsBuffer.page];
VM.SwapIn[interval: credentialsBuffer, kill: TRUE, pin: TRUE];
};
FreeCredentials:
PROC = {
VM.Free[credentialsBuffer];
credentials ← NIL;
};
AcquireDiskCredentials:
PROC = {
IF credentialsPV = NIL THEN GetCredentialsVolume[];
IF credentials = NIL THEN AllocateCredentials[];
SELECT PhysicalVolume.ReadCredentials[credentialsPV, credentials]
FROM
ok => {
words: CARDINAL;
WITH cred: credentials
SELECT
FROM
noCredentials => words ← SIZE[noCredentials CredentialsObject];
name =>
words ←
SIZE[name CredentialsObject] +
(SIZE[StringBody[cred.userName.length]] - SIZE[StringBody[0]]);
nameHint =>
words ←
SIZE[nameHint CredentialsObject] +
(SIZE[StringBody[cred.userName.length]] - SIZE[StringBody[0]]);
nameAndPassword => {
diskUserName: LONG STRING = @cred.userName;
diskPassword: LONG STRING = @cred.userName + SIZE[StringBody[diskUserName.length]];
words ←
SIZE[nameAndPassword CredentialsObject] +
(SIZE[StringBody[diskUserName.length]] - SIZE[StringBody[0]]) +
SIZE[StringBody[diskPassword.length]];
};
ENDCASE;
IF ~ValidChecksum[
DESCRIPTOR[credentials, words]]
THEN
credentials^ ← bogusCredentials;
};
hardware, software =>
The disk is there, but it doesn't seem to work, treat as "no credentials" now.
credentials^ ← bogusCredentials;
wentOffline => ERROR DiskNotReady;
ENDCASE => ERROR Bug;
};
ReleaseDiskCredentials:
PROC [dirty:
BOOL] = {
IF dirty
THEN {
IF credentialsPV = NIL THEN GetCredentialsVolume[];
SELECT PhysicalVolume.WriteCredentials[credentialsPV, credentials]
FROM
ok => NULL;
hardware => ERROR BrokenDisk;
wentOffline => ERROR DiskNotReady;
ENDCASE => ERROR Bug;
};
FreeCredentials[];
};
GetCredentialsVolume:
PROC = {
UNTIL (credentialsPV ← PhysicalVolume.NextPhysical[credentialsPV]) =
NIL
OR
Disk.DriveAttributes[PhysicalVolume.PhysicalInfo[credentialsPV].channel].ordinal = 0 DO
ENDLOOP;
};
Checkpointing:
ENTRY Booting.CheckpointProc =
TRUSTED {
EnsureInitialized[];
checkpointing ← TRUE;
[checkpointName, checkpointPassword] ← GetInternal[];
};
RollingBack:
ENTRY Booting.RollbackProc =
TRUSTED {
name, password: ROPE;
IF ~checkpointing THEN ERROR;
checkpointing ← FALSE;
EnsureInitialized[];
[name, password] ← GetInternal[];
IF ~(name.Equal[checkpointName,
FALSE]
AND password.Equal[checkpointPassword])
THEN
NotifyCredentialsChangeProcs[];
BROADCAST rolledBack;
};
Start code
Initialize:
ENTRY
PROC = {
EnsureInitialized[];
Booting.RegisterProcs[c: Checkpointing, r: RollingBack];
};
Initialize[];
END.
Bob Hagmann March 18, 1985 9:16:47 am PST
changes to: DIRECTORY, Login, GetState, ChangeState, Get
Bob Hagmann May 3, 1985 11:24:25 am PDT
changes to: UserCredentialsImpl