lib/kafs/afskrb5.c

1.1     elric /*	$NetBSD: afskrb5.c,v 1.3 2023/06/19 21:41:44 christos Exp $	*/
1.1     elric
1.1     elric /*
1.1     elric  * Copyright (c) 1995-2003 Kungliga Tekniska Hgskolan
1.1     elric  * (Royal Institute of Technology, Stockholm, Sweden).
1.1     elric  * All rights reserved.
1.1     elric  *
1.1     elric  * Redistribution and use in source and binary forms, with or without
1.1     elric  * modification, are permitted provided that the following conditions
1.1     elric  * are met:
1.1     elric  *
1.1     elric  * 1. Redistributions of source code must retain the above copyright
1.1     elric  *    notice, this list of conditions and the following disclaimer.
1.1     elric  *
1.1     elric  * 2. Redistributions in binary form must reproduce the above copyright
1.1     elric  *    notice, this list of conditions and the following disclaimer in the
1.1     elric  *    documentation and/or other materials provided with the distribution.
1.1     elric  *
1.1     elric  * 3. Neither the name of the Institute nor the names of its contributors
1.1     elric  *    may be used to endorse or promote products derived from this software
1.1     elric  *    without specific prior written permission.
1.1     elric  *
1.1     elric  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
1.1     elric  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.1     elric  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.1     elric  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
1.1     elric  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.1     elric  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.1     elric  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.1     elric  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.1     elric  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.1     elric  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.1     elric  * SUCH DAMAGE.
1.1     elric  */
1.1     elric
1.1     elric #include "kafs_locl.h"
1.1     elric
1.1     elric struct krb5_kafs_data {
1.1     elric     krb5_context context;
1.1     elric     krb5_ccache id;
1.1     elric     krb5_const_realm realm;
1.1     elric };
1.1     elric
1.1     elric enum {
1.1     elric     KAFS_RXKAD_2B_KVNO = 213,
1.1     elric     KAFS_RXKAD_K5_KVNO = 256
1.1     elric };
1.1     elric
1.1     elric static int
1.1     elric v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
1.1     elric {
1.1     elric     int kvno, ret;
1.1     elric
1.1     elric     kt->ticket = NULL;
1.1     elric
1.1     elric     if (local524) {
1.1     elric 	Ticket t;
1.1     elric 	unsigned char *buf;
1.1     elric 	size_t buf_len;
1.1     elric 	size_t len;
1.1     elric
1.1     elric 	kvno = KAFS_RXKAD_2B_KVNO;
1.1     elric
1.1     elric 	ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
1.1     elric 	if (ret)
1.1     elric 	    return ret;
1.1     elric 	if (t.tkt_vno != 5)
1.1     elric 	    return -1;
1.1     elric
1.1     elric 	ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part,
1.1     elric 			   &len, ret);
1.1     elric 	free_Ticket(&t);
1.1     elric 	if (ret)
1.1     elric 	    return ret;
1.1     elric 	if(buf_len != len) {
1.1     elric 	    free(buf);
1.1     elric 	    return KRB5KRB_ERR_GENERIC;
1.1     elric 	}
1.1     elric
1.1     elric 	kt->ticket = buf;
1.1     elric 	kt->ticket_len = buf_len;
1.1     elric
1.1     elric     } else {
1.1     elric 	kvno = KAFS_RXKAD_K5_KVNO;
1.1     elric 	kt->ticket = malloc(cred->ticket.length);
1.1     elric 	if (kt->ticket == NULL)
1.1     elric 	    return ENOMEM;
1.1     elric 	kt->ticket_len = cred->ticket.length;
1.1     elric 	memcpy(kt->ticket, cred->ticket.data, kt->ticket_len);
1.1     elric     }
1.1     elric
1.1     elric
1.1     elric     /*
1.1     elric      * Build a struct ClearToken
1.1     elric      */
1.1     elric
1.2  christos     ret = _kafs_derive_des_key(cred->session.keytype,
1.2  christos 			       cred->session.keyvalue.data,
1.2  christos 			       cred->session.keyvalue.length,
1.2  christos 			       kt->ct.HandShakeKey);
1.2  christos     if (ret) {
1.2  christos 	free(kt->ticket);
1.2  christos 	kt->ticket = NULL;
1.2  christos 	return ret;
1.2  christos     }
1.1     elric     kt->ct.AuthHandle = kvno;
1.1     elric     kt->ct.ViceId = uid;
1.1     elric     kt->ct.BeginTimestamp = cred->times.starttime;
1.1     elric     kt->ct.EndTimestamp = cred->times.endtime;
1.1     elric
1.1     elric     _kafs_fixup_viceid(&kt->ct, uid);
1.1     elric
1.1     elric     return 0;
1.1     elric }
1.1     elric
1.1     elric static krb5_error_code
1.1     elric v5_convert(krb5_context context, krb5_ccache id,
1.1     elric 	   krb5_creds *cred, uid_t uid,
1.1     elric 	   const char *cell,
1.1     elric 	   struct kafs_token *kt)
1.1     elric {
1.1     elric     krb5_error_code ret;
1.1     elric     char *c, *val;
1.1     elric
1.1     elric     c = strdup(cell);
1.1     elric     if (c == NULL)
1.1     elric 	return ENOMEM;
1.1     elric     _kafs_foldup(c, c);
1.1     elric     krb5_appdefault_string (context, "libkafs",
1.1     elric 			    c,
1.1     elric 			    "afs-use-524", "2b", &val);
1.1     elric     free(c);
1.1     elric
1.1     elric     if (strcasecmp(val, "local") == 0 ||
1.1     elric 	strcasecmp(val, "2b") == 0)
1.1     elric 	ret = v5_to_kt(cred, uid, kt, 1);
1.1     elric     else
1.1     elric 	ret = v5_to_kt(cred, uid, kt, 0);
1.1     elric
1.1     elric     free(val);
1.1     elric     return ret;
1.1     elric }
1.1     elric
1.1     elric
1.1     elric /*
1.1     elric  *
1.1     elric  */
1.1     elric
1.1     elric static int
1.1     elric get_cred(struct kafs_data *data, const char *name, const char *inst,
1.1     elric 	 const char *realm, uid_t uid, struct kafs_token *kt)
1.1     elric {
1.1     elric     krb5_error_code ret;
1.1     elric     krb5_creds in_creds, *out_creds;
1.1     elric     struct krb5_kafs_data *d = data->data;
1.1     elric     int invalid;
1.1     elric
1.1     elric     memset(&in_creds, 0, sizeof(in_creds));
1.1     elric
1.1     elric     ret = krb5_make_principal(d->context, &in_creds.server,
1.1     elric 			      realm, name, inst, NULL);
1.1     elric     if(ret)
1.1     elric 	return ret;
1.1     elric     ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
1.1     elric     if(ret){
1.1     elric 	krb5_free_principal(d->context, in_creds.server);
1.1     elric 	return ret;
1.1     elric     }
1.1     elric
1.1     elric     /* check if des is disable, and in that case enable it for afs */
1.2  christos     invalid = krb5_enctype_valid(d->context, ETYPE_DES_CBC_CRC);
1.1     elric     if (invalid)
1.2  christos 	krb5_enctype_enable(d->context, ETYPE_DES_CBC_CRC);
1.1     elric
1.1     elric     ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
1.1     elric
1.1     elric     if (invalid)
1.2  christos 	krb5_enctype_disable(d->context, ETYPE_DES_CBC_CRC);
1.1     elric
1.1     elric     krb5_free_principal(d->context, in_creds.server);
1.1     elric     krb5_free_principal(d->context, in_creds.client);
1.1     elric     if(ret)
1.1     elric 	return ret;
1.1     elric
1.1     elric     ret = v5_convert(d->context, d->id, out_creds, uid,
1.1     elric 		     (inst != NULL && inst[0] != '\0') ? inst : realm, kt);
1.1     elric     krb5_free_creds(d->context, out_creds);
1.1     elric
1.1     elric     return ret;
1.1     elric }
1.1     elric
1.1     elric static const char *
1.1     elric get_error(struct kafs_data *data, int error)
1.1     elric {
1.1     elric     struct krb5_kafs_data *d = data->data;
1.1     elric     return krb5_get_error_message(d->context, error);
1.1     elric }
1.1     elric
1.1     elric static void
1.1     elric free_error(struct kafs_data *data, const char *str)
1.1     elric {
1.1     elric     struct krb5_kafs_data *d = data->data;
1.1     elric     krb5_free_error_message(d->context, str);
1.1     elric }
1.1     elric
1.1     elric static krb5_error_code
1.1     elric afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
1.1     elric 	       uid_t uid, const char *homedir)
1.1     elric {
1.1     elric     krb5_error_code ret;
1.1     elric     struct kafs_token kt;
1.1     elric     krb5_principal princ;
1.1     elric     const char *trealm; /* ticket realm */
1.1     elric     struct krb5_kafs_data *d = data->data;
1.1     elric
1.1     elric     if (cell == 0 || cell[0] == 0)
1.1     elric 	return _kafs_afslog_all_local_cells (data, uid, homedir);
1.1     elric
1.1     elric     ret = krb5_cc_get_principal (d->context, d->id, &princ);
1.1     elric     if (ret)
1.1     elric 	return ret;
1.1     elric
1.1     elric     trealm = krb5_principal_get_realm (d->context, princ);
1.1     elric
1.1     elric     kt.ticket = NULL;
1.1     elric     ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt);
1.1     elric     krb5_free_principal (d->context, princ);
1.1     elric
1.1     elric     if(ret == 0) {
1.1     elric 	ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
1.1     elric 	free(kt.ticket);
1.1     elric     }
1.1     elric     return ret;
1.1     elric }
1.1     elric
1.1     elric static char *
1.1     elric get_realm(struct kafs_data *data, const char *host)
1.1     elric {
1.1     elric     struct krb5_kafs_data *d = data->data;
1.1     elric     krb5_realm *realms;
1.1     elric     char *r;
1.1     elric     if(krb5_get_host_realm(d->context, host, &realms))
1.1     elric 	return NULL;
1.1     elric     r = strdup(realms[0]);
1.1     elric     krb5_free_host_realm(d->context, realms);
1.1     elric     return r;
1.1     elric }
1.1     elric
1.1     elric krb5_error_code
1.1     elric krb5_afslog_uid_home(krb5_context context,
1.1     elric 		     krb5_ccache id,
1.1     elric 		     const char *cell,
1.1     elric 		     krb5_const_realm realm,
1.1     elric 		     uid_t uid,
1.1     elric 		     const char *homedir)
1.1     elric {
1.1     elric     struct kafs_data kd;
1.1     elric     struct krb5_kafs_data d;
1.1     elric     krb5_error_code ret;
1.1     elric
1.1     elric     kd.name = "krb5";
1.1     elric     kd.afslog_uid = afslog_uid_int;
1.1     elric     kd.get_cred = get_cred;
1.1     elric     kd.get_realm = get_realm;
1.1     elric     kd.get_error = get_error;
1.1     elric     kd.free_error = free_error;
1.1     elric     kd.data = &d;
1.1     elric     if (context == NULL) {
1.1     elric 	ret = krb5_init_context(&d.context);
1.1     elric 	if (ret)
1.1     elric 	    return ret;
1.1     elric     } else
1.1     elric 	d.context = context;
1.1     elric     if (id == NULL) {
1.1     elric 	ret = krb5_cc_default(d.context, &d.id);
1.1     elric 	if (ret)
1.1     elric 	    goto out;
1.1     elric     } else
1.1     elric 	d.id = id;
1.1     elric     d.realm = realm;
1.1     elric     ret = afslog_uid_int(&kd, cell, 0, uid, homedir);
1.1     elric     if (id == NULL)
1.1     elric 	krb5_cc_close(context, d.id);
1.1     elric  out:
1.1     elric     if (context == NULL)
1.1     elric 	krb5_free_context(d.context);
1.1     elric     return ret;
1.1     elric }
1.1     elric
1.1     elric krb5_error_code
1.1     elric krb5_afslog_uid(krb5_context context,
1.1     elric 		krb5_ccache id,
1.1     elric 		const char *cell,
1.1     elric 		krb5_const_realm realm,
1.1     elric 		uid_t uid)
1.1     elric {
1.1     elric     return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
1.1     elric }
1.1     elric
1.1     elric krb5_error_code
1.1     elric krb5_afslog(krb5_context context,
1.1     elric 	    krb5_ccache id,
1.1     elric 	    const char *cell,
1.1     elric 	    krb5_const_realm realm)
1.1     elric {
1.1     elric     return krb5_afslog_uid (context, id, cell, realm, getuid());
1.1     elric }
1.1     elric
1.1     elric krb5_error_code
1.1     elric krb5_afslog_home(krb5_context context,
1.1     elric 		 krb5_ccache id,
1.1     elric 		 const char *cell,
1.1     elric 		 krb5_const_realm realm,
1.1     elric 		 const char *homedir)
1.1     elric {
1.1     elric     return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
1.1     elric }
1.1     elric
1.1     elric /*
1.1     elric  *
1.1     elric  */
1.1     elric
1.1     elric krb5_error_code
1.1     elric krb5_realm_of_cell(const char *cell, char **realm)
1.1     elric {
1.1     elric     struct kafs_data kd;
1.1     elric
1.1     elric     kd.name = "krb5";
1.1     elric     kd.get_realm = get_realm;
1.1     elric     kd.get_error = get_error;
1.1     elric     kd.free_error = free_error;
1.1     elric     return _kafs_realm_of_cell(&kd, cell, realm);
1.1     elric }
1.1     elric
1.1     elric /*
1.1     elric  *
1.1     elric  */
1.1     elric
1.1     elric int
1.1     elric kafs_settoken5(krb5_context context, const char *cell, uid_t uid,
1.1     elric 	       krb5_creds *cred)
1.1     elric {
1.1     elric     struct kafs_token kt;
1.1     elric     int ret;
1.1     elric
1.1     elric     ret = v5_convert(context, NULL, cred, uid, cell, &kt);
1.1     elric     if (ret)
1.1     elric 	return ret;
1.1     elric
1.1     elric     ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
1.1     elric
1.1     elric     free(kt.ticket);
1.1     elric
1.1     elric     return ret;
1.1     elric }