/* $NetBSD: afskrb5.c,v 1.1 2011/04/13 18:15:30 elric Exp $ */

/*
 * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
35 1.1 elric
36 1.1 elric #include "kafs_locl.h"
37 1.1 elric
/*
 * Kerberos 5 backend state for libkafs.  A pointer to this struct is
 * stored in kafs_data.data and read back by every callback below.
 */
struct krb5_kafs_data {
    krb5_context context;     /* context used for all krb5_* calls */
    krb5_ccache id;           /* credential cache the AFS service ticket is fetched from */
    krb5_const_realm realm;   /* caller-supplied realm, handed to _kafs_get_cred */
};
43 1.1 elric
/*
 * Values stored in ClearToken.AuthHandle by v5_to_kt().  They mark which
 * of the two ticket encodings the token carries: 213 goes with the
 * "2b"/"local" format (the ticket blob is the re-encoded EncryptedData
 * of the v5 ticket), 256 with the full Kerberos 5 ticket.
 */
enum {
    KAFS_RXKAD_2B_KVNO = 213,
    KAFS_RXKAD_K5_KVNO = 256
};
48 1.1 elric
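/*
 * Convert a Kerberos 5 credential into an rxkad token.
 *
 * cred     - credential for the AFS service; its session key must be 8
 *            bytes (single DES), which is all the rxkad ClearToken holds
 * uid      - ViceId written into the clear token, then adjusted by
 *            _kafs_fixup_viceid()
 * kt       - output token; kt->ticket is malloc'd on success and owned by
 *            the caller, NULL on every failure path
 * local524 - non-zero: build a "2b" token (AuthHandle KAFS_RXKAD_2B_KVNO)
 *            whose ticket blob is the DER EncryptedData of the v5 ticket;
 *            zero: build a KAFS_RXKAD_K5_KVNO token carrying the whole
 *            v5 ticket verbatim
 *
 * Returns 0 on success; EINVAL for a non-DES session key; ENOMEM; an ASN.1
 * decode/encode error; -1 if the decoded ticket is not version 5; or
 * KRB5KRB_ERR_GENERIC if the encoder's reported length disagrees with the
 * buffer it produced.
 *
 * Security caveat: rxkad is built on single DES, so the token can never be
 * stronger than the 56-bit session key it wraps; this code cannot change
 * that, it only refuses keys of the wrong size.
 */
static int
v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
{
    int kvno, ret;

    kt->ticket = NULL;

    /* ClearToken.HandShakeKey is exactly 8 bytes: only a DES key fits */
    if (cred->session.keyvalue.length != 8)
        return EINVAL;

    if (local524) {
        Ticket t;
        unsigned char *buf;
        size_t buf_len;
        size_t len;

        kvno = KAFS_RXKAD_2B_KVNO;

        ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
        if (ret)
            return ret;
        if (t.tkt_vno != 5) {
            /* decode_Ticket allocated into t; release it before bailing
             * (the original returned here without free_Ticket and leaked) */
            free_Ticket(&t);
            return -1;
        }

        /* a 2b token carries only the ticket's EncryptedData, re-encoded */
        ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part,
                           &len, ret);
        free_Ticket(&t);
        if (ret)
            return ret;
        if (buf_len != len) {
            free(buf);
            return KRB5KRB_ERR_GENERIC;
        }

        kt->ticket = buf;
        kt->ticket_len = buf_len;
    } else {
        /* K5 token: hand the AFS side the complete v5 ticket */
        kvno = KAFS_RXKAD_K5_KVNO;
        kt->ticket = malloc(cred->ticket.length);
        if (kt->ticket == NULL)
            return ENOMEM;
        kt->ticket_len = cred->ticket.length;
        memcpy(kt->ticket, cred->ticket.data, kt->ticket_len);
    }

    /*
     * Build the ClearToken: the raw DES session key, the uid, and the
     * credential's validity window.
     */
    kt->ct.AuthHandle = kvno;
    memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8);
    kt->ct.ViceId = uid;
    kt->ct.BeginTimestamp = cred->times.starttime;
    kt->ct.EndTimestamp = cred->times.endtime;

    _kafs_fixup_viceid(&kt->ct, uid);

    return 0;
}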
113 1.1 elric
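/*
 * Choose the rxkad token format for `cell` and build the token from `cred`.
 *
 * The [libkafs] appdefault "afs-use-524" is looked up with the cell name
 * (after _kafs_foldup) in place of a realm.  "local" or "2b" -- and "2b"
 * is the default -- select the 2b encoding; any other value selects the
 * full-v5-ticket encoding.  See v5_to_kt() for what each produces.
 *
 * `id` is accepted for interface compatibility but not used here.
 *
 * Returns 0 on success, ENOMEM if a working copy of the cell name or the
 * appdefault value could not be allocated, or whatever v5_to_kt() returns.
 * On success kt->ticket belongs to the caller; on failure it is NULL.
 */
static krb5_error_code
v5_convert(krb5_context context, krb5_ccache id,
           krb5_creds *cred, uid_t uid,
           const char *cell,
           struct kafs_token *kt)
{
    char *folded, *val = NULL;
    int use_2b;

    folded = strdup(cell);
    if (folded == NULL)
        return ENOMEM;
    _kafs_foldup(folded, folded);
    krb5_appdefault_string(context, "libkafs", folded,
                           "afs-use-524", "2b", &val);
    free(folded);

    /* krb5_appdefault_string reports nothing on failure; if it could not
     * even hand back a copy of the "2b" default, treat that as OOM rather
     * than passing NULL to strcasecmp (the original did not check). */
    if (val == NULL) {
        kt->ticket = NULL;
        return ENOMEM;
    }

    use_2b = strcasecmp(val, "local") == 0 || strcasecmp(val, "2b") == 0;
    free(val);

    return v5_to_kt(cred, uid, kt, use_2b);
}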
141 1.1 elric
142 1.1 elric
/*
 * Callbacks installed into struct kafs_data by krb5_afslog_uid_home() and
 * krb5_realm_of_cell() for the generic libkafs code to call back into.
 */
146 1.1 elric
/*
 * kafs_data.get_cred callback: obtain the service ticket name/inst@realm
 * from the credential cache and convert it into an rxkad token in *kt.
 *
 * rxkad can only carry a single-DES session key, so the request pins the
 * session enctype to ETYPE_DES_CBC_CRC.  Security caveat: if DES is
 * disabled in the context, it is enabled for the duration of the lookup
 * and disabled again afterwards -- the AFS token is only ever as strong as
 * DES regardless of the context's policy.
 *
 * The cell name passed on to v5_convert() is `inst` when non-empty,
 * otherwise `realm`.
 *
 * Returns 0 on success or the first krb5 error encountered.
 */
static int
get_cred(struct kafs_data *data, const char *name, const char *inst,
         const char *realm, uid_t uid, struct kafs_token *kt)
{
    struct krb5_kafs_data *d = data->data;
    krb5_creds in_creds, *out_creds;
    krb5_error_code ret;
    const char *cell;
    int des_disabled;

    memset(&in_creds, 0, sizeof(in_creds));

    ret = krb5_make_principal(d->context, &in_creds.server,
                              realm, name, inst, NULL);
    if (ret)
        return ret;

    ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
    if (ret) {
        krb5_free_principal(d->context, in_creds.server);
        return ret;
    }

    /* ask for a DES session key; temporarily allow DES if it is disabled */
    in_creds.session.keytype = ETYPE_DES_CBC_CRC;
    des_disabled = krb5_enctype_valid(d->context, ETYPE_DES_CBC_CRC);
    if (des_disabled)
        krb5_enctype_enable(d->context, ETYPE_DES_CBC_CRC);

    ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);

    if (des_disabled)
        krb5_enctype_disable(d->context, ETYPE_DES_CBC_CRC);

    krb5_free_principal(d->context, in_creds.server);
    krb5_free_principal(d->context, in_creds.client);
    if (ret)
        return ret;

    cell = (inst != NULL && inst[0] != '\0') ? inst : realm;
    ret = v5_convert(d->context, d->id, out_creds, uid, cell, kt);
    krb5_free_creds(d->context, out_creds);

    return ret;
}
191 1.1 elric
/*
 * kafs_data.get_error callback: render a krb5 error code as a message
 * using the backend's context.  The string must be released with
 * free_error().
 */
static const char *
get_error(struct kafs_data *data, int error)
{
    krb5_context ctx = ((struct krb5_kafs_data *)data->data)->context;

    return krb5_get_error_message(ctx, error);
}
198 1.1 elric
/*
 * kafs_data.free_error callback: release a message obtained from
 * get_error().
 */
static void
free_error(struct kafs_data *data, const char *str)
{
    krb5_context ctx = ((struct krb5_kafs_data *)data->data)->context;

    krb5_free_error_message(ctx, str);
}
205 1.1 elric
/*
 * kafs_data.afslog_uid callback: obtain an AFS token for `cell` and
 * install it for `uid` with kafs_settoken_rxkad().
 *
 * An empty or NULL cell delegates to _kafs_afslog_all_local_cells().
 * The realm of the cache's own principal is passed to _kafs_get_cred as
 * the ticket realm, alongside the caller-supplied d->realm.  `rh` is not
 * used by this backend.
 *
 * Returns 0 on success or the first error encountered.
 */
static krb5_error_code
afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
               uid_t uid, const char *homedir)
{
    struct krb5_kafs_data *d = data->data;
    krb5_principal client;
    struct kafs_token kt;
    krb5_error_code ret;

    if (cell == NULL || *cell == '\0')
        return _kafs_afslog_all_local_cells(data, uid, homedir);

    ret = krb5_cc_get_principal(d->context, d->id, &client);
    if (ret)
        return ret;

    kt.ticket = NULL;
    ret = _kafs_get_cred(data, cell, d->realm,
                         krb5_principal_get_realm(d->context, client),
                         uid, &kt);
    krb5_free_principal(d->context, client);
    if (ret)
        return ret;

    ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
    free(kt.ticket);
    return ret;
}
235 1.1 elric
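/*
 * kafs_data.get_realm callback: map a host name to its Kerberos realm.
 *
 * Returns a malloc'd copy of the first realm krb5_get_host_realm reports,
 * or NULL if the lookup fails, the returned list is empty, or the copy
 * cannot be allocated.  The caller owns the returned string.
 */
static char *
get_realm(struct kafs_data *data, const char *host)
{
    struct krb5_kafs_data *d = data->data;
    krb5_realm *realms = NULL;
    char *r = NULL;

    if (krb5_get_host_realm(d->context, host, &realms))
        return NULL;
    /* the realm list is NULL-terminated; do not strdup() a NULL first
     * entry if the library ever hands back an empty list */
    if (realms[0] != NULL)
        r = strdup(realms[0]);
    krb5_free_host_realm(d->context, realms);
    return r;
}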
248 1.1 elric
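/*
 * Obtain an AFS token for `cell` (all local cells if NULL/empty) from the
 * Kerberos 5 credential cache `id` and install it for `uid`.
 *
 * context  - may be NULL, in which case a private context is created and
 *            freed before returning
 * id       - may be NULL, in which case the default cache is opened and
 *            closed here
 * realm    - realm hint forwarded to the generic libkafs code
 * homedir  - forwarded to _kafs_afslog_all_local_cells for the
 *            no-cell case
 *
 * Returns 0 on success or a krb5 error code.
 */
krb5_error_code
krb5_afslog_uid_home(krb5_context context,
                     krb5_ccache id,
                     const char *cell,
                     krb5_const_realm realm,
                     uid_t uid,
                     const char *homedir)
{
    struct kafs_data kd;
    struct krb5_kafs_data d;
    krb5_error_code ret;

    memset(&kd, 0, sizeof(kd));
    memset(&d, 0, sizeof(d));
    kd.name = "krb5";
    kd.afslog_uid = afslog_uid_int;
    kd.get_cred = get_cred;
    kd.get_realm = get_realm;
    kd.get_error = get_error;
    kd.free_error = free_error;
    kd.data = &d;

    if (context == NULL) {
        ret = krb5_init_context(&d.context);
        if (ret)
            return ret;
    } else
        d.context = context;

    if (id == NULL) {
        ret = krb5_cc_default(d.context, &d.id);
        if (ret)
            goto out;
    } else
        d.id = id;
    d.realm = realm;

    ret = afslog_uid_int(&kd, cell, NULL, uid, homedir);

    /* Close the cache with the context that opened it.  The original
     * passed the caller's `context` here, which is NULL whenever the
     * private context above was created. */
    if (id == NULL)
        krb5_cc_close(d.context, d.id);
out:
    if (context == NULL)
        krb5_free_context(d.context);
    return ret;
}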
289 1.1 elric
/*
 * krb5_afslog_uid_home() without a home directory hint.
 */
krb5_error_code
krb5_afslog_uid(krb5_context context,
                krb5_ccache id,
                const char *cell,
                krb5_const_realm realm,
                uid_t uid)
{
    const char *homedir = NULL;

    return krb5_afslog_uid_home(context, id, cell, realm, uid, homedir);
}
299 1.1 elric
/*
 * krb5_afslog_uid() for the calling process's real uid.
 */
krb5_error_code
krb5_afslog(krb5_context context,
            krb5_ccache id,
            const char *cell,
            krb5_const_realm realm)
{
    uid_t me = getuid();

    return krb5_afslog_uid(context, id, cell, realm, me);
}
308 1.1 elric
/*
 * krb5_afslog_uid_home() for the calling process's real uid.
 */
krb5_error_code
krb5_afslog_home(krb5_context context,
                 krb5_ccache id,
                 const char *cell,
                 krb5_const_realm realm,
                 const char *homedir)
{
    uid_t me = getuid();

    return krb5_afslog_uid_home(context, id, cell, realm, me, homedir);
}
318 1.1 elric
/*
 * Cell-to-realm lookup using the krb5 backend callbacks.
 */
322 1.1 elric
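/*
 * Look up the Kerberos realm for an AFS cell via _kafs_realm_of_cell().
 *
 * On success *realm is a malloc'd string owned by the caller.
 *
 * The callbacks installed here (get_realm, get_error, free_error) all
 * dereference kd.data->context, but the original left kd.data unset, so
 * any path that reached a callback read an uninitialised pointer.  A
 * private context is now created for the duration of the lookup and
 * freed before returning.
 *
 * Returns 0 on success, a krb5 error if the context cannot be created,
 * or whatever _kafs_realm_of_cell() returns.
 */
krb5_error_code
krb5_realm_of_cell(const char *cell, char **realm)
{
    struct kafs_data kd;
    struct krb5_kafs_data d;
    krb5_error_code ret;

    memset(&kd, 0, sizeof(kd));
    memset(&d, 0, sizeof(d));

    ret = krb5_init_context(&d.context);
    if (ret)
        return ret;

    kd.name = "krb5";
    kd.get_realm = get_realm;
    kd.get_error = get_error;
    kd.free_error = free_error;
    kd.data = &d;

    ret = _kafs_realm_of_cell(&kd, cell, realm);

    krb5_free_context(d.context);
    return ret;
}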
334 1.1 elric
/*
 * Install a token directly from an already-obtained Kerberos 5 credential.
 */
338 1.1 elric
/*
 * Convert `cred` (a ticket for the AFS service of `cell`) into an rxkad
 * token and install it for `uid`.
 *
 * `context` is only used for the afs-use-524 appdefault lookup inside
 * v5_convert(); no credential cache is consulted.
 *
 * Returns 0 on success, or the error from v5_convert() or
 * kafs_settoken_rxkad().
 */
int
kafs_settoken5(krb5_context context, const char *cell, uid_t uid,
               krb5_creds *cred)
{
    struct kafs_token kt;
    int ret;

    ret = v5_convert(context, NULL, cred, uid, cell, &kt);
    if (ret == 0) {
        ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
        free(kt.ticket);
    }
    return ret;
}