1 /* $NetBSD: afskrb5.c,v 1.1.1.1 2011/04/13 18:15:30 elric Exp $ */ 2 3 /* 4 * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "kafs_locl.h" 37 38 struct krb5_kafs_data { 39 krb5_context context; 40 krb5_ccache id; 41 krb5_const_realm realm; 42 }; 43 44 enum { 45 KAFS_RXKAD_2B_KVNO = 213, 46 KAFS_RXKAD_K5_KVNO = 256 47 }; 48 49 static int 50 v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524) 51 { 52 int kvno, ret; 53 54 kt->ticket = NULL; 55 56 /* check if des key */ 57 if (cred->session.keyvalue.length != 8) 58 return EINVAL; 59 60 if (local524) { 61 Ticket t; 62 unsigned char *buf; 63 size_t buf_len; 64 size_t len; 65 66 kvno = KAFS_RXKAD_2B_KVNO; 67 68 ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len); 69 if (ret) 70 return ret; 71 if (t.tkt_vno != 5) 72 return -1; 73 74 ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part, 75 &len, ret); 76 free_Ticket(&t); 77 if (ret) 78 return ret; 79 if(buf_len != len) { 80 free(buf); 81 return KRB5KRB_ERR_GENERIC; 82 } 83 84 kt->ticket = buf; 85 kt->ticket_len = buf_len; 86 87 } else { 88 kvno = KAFS_RXKAD_K5_KVNO; 89 kt->ticket = malloc(cred->ticket.length); 90 if (kt->ticket == NULL) 91 return ENOMEM; 92 kt->ticket_len = cred->ticket.length; 93 memcpy(kt->ticket, cred->ticket.data, kt->ticket_len); 94 95 ret = 0; 96 } 97 98 99 /* 100 * Build a struct ClearToken 101 */ 102 103 kt->ct.AuthHandle = kvno; 104 memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8); 105 kt->ct.ViceId = uid; 106 kt->ct.BeginTimestamp = cred->times.starttime; 107 kt->ct.EndTimestamp = cred->times.endtime; 108 109 _kafs_fixup_viceid(&kt->ct, uid); 110 111 return 0; 112 } 113 114 static krb5_error_code 115 v5_convert(krb5_context context, krb5_ccache id, 116 krb5_creds *cred, uid_t uid, 117 const char *cell, 118 struct kafs_token *kt) 119 { 120 krb5_error_code ret; 121 char *c, *val; 122 123 c = strdup(cell); 124 if (c == NULL) 125 return ENOMEM; 126 _kafs_foldup(c, c); 127 krb5_appdefault_string (context, "libkafs", 128 c, 129 "afs-use-524", "2b", &val); 130 free(c); 131 132 if (strcasecmp(val, "local") == 0 || 133 strcasecmp(val, "2b") == 0) 134 ret = v5_to_kt(cred, uid, kt, 1); 135 else 136 ret = v5_to_kt(cred, uid, kt, 0); 137 138 free(val); 139 return ret; 140 } 141 142 143 /* 144 * 145 */ 146 147 static int 148 get_cred(struct kafs_data *data, const char *name, const char *inst, 149 const char *realm, uid_t uid, struct kafs_token *kt) 150 { 151 krb5_error_code ret; 152 krb5_creds in_creds, *out_creds; 153 struct krb5_kafs_data *d = data->data; 154 int invalid; 155 156 memset(&in_creds, 0, sizeof(in_creds)); 157 158 ret = krb5_make_principal(d->context, &in_creds.server, 159 realm, name, inst, NULL); 160 if(ret) 161 return ret; 162 ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client); 163 if(ret){ 164 krb5_free_principal(d->context, in_creds.server); 165 return ret; 166 } 167 168 in_creds.session.keytype = ETYPE_DES_CBC_CRC; 169 170 /* check if des is disable, and in that case enable it for afs */ 171 invalid = krb5_enctype_valid(d->context, in_creds.session.keytype); 172 if (invalid) 173 krb5_enctype_enable(d->context, in_creds.session.keytype); 174 175 ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds); 176 177 if (invalid) 178 krb5_enctype_disable(d->context, in_creds.session.keytype); 179 180 krb5_free_principal(d->context, in_creds.server); 181 krb5_free_principal(d->context, in_creds.client); 182 if(ret) 183 return ret; 184 185 ret = v5_convert(d->context, d->id, out_creds, uid, 186 (inst != NULL && inst[0] != '\0') ? inst : realm, kt); 187 krb5_free_creds(d->context, out_creds); 188 189 return ret; 190 } 191 192 static const char * 193 get_error(struct kafs_data *data, int error) 194 { 195 struct krb5_kafs_data *d = data->data; 196 return krb5_get_error_message(d->context, error); 197 } 198 199 static void 200 free_error(struct kafs_data *data, const char *str) 201 { 202 struct krb5_kafs_data *d = data->data; 203 krb5_free_error_message(d->context, str); 204 } 205 206 static krb5_error_code 207 afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh, 208 uid_t uid, const char *homedir) 209 { 210 krb5_error_code ret; 211 struct kafs_token kt; 212 krb5_principal princ; 213 const char *trealm; /* ticket realm */ 214 struct krb5_kafs_data *d = data->data; 215 216 if (cell == 0 || cell[0] == 0) 217 return _kafs_afslog_all_local_cells (data, uid, homedir); 218 219 ret = krb5_cc_get_principal (d->context, d->id, &princ); 220 if (ret) 221 return ret; 222 223 trealm = krb5_principal_get_realm (d->context, princ); 224 225 kt.ticket = NULL; 226 ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt); 227 krb5_free_principal (d->context, princ); 228 229 if(ret == 0) { 230 ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len); 231 free(kt.ticket); 232 } 233 return ret; 234 } 235 236 static char * 237 get_realm(struct kafs_data *data, const char *host) 238 { 239 struct krb5_kafs_data *d = data->data; 240 krb5_realm *realms; 241 char *r; 242 if(krb5_get_host_realm(d->context, host, &realms)) 243 return NULL; 244 r = strdup(realms[0]); 245 krb5_free_host_realm(d->context, realms); 246 return r; 247 } 248 249 krb5_error_code 250 krb5_afslog_uid_home(krb5_context context, 251 krb5_ccache id, 252 const char *cell, 253 krb5_const_realm realm, 254 uid_t uid, 255 const char *homedir) 256 { 257 struct kafs_data kd; 258 struct krb5_kafs_data d; 259 krb5_error_code ret; 260 261 kd.name = "krb5"; 262 kd.afslog_uid = afslog_uid_int; 263 kd.get_cred = get_cred; 264 kd.get_realm = get_realm; 265 kd.get_error = get_error; 266 kd.free_error = free_error; 267 kd.data = &d; 268 if (context == NULL) { 269 ret = krb5_init_context(&d.context); 270 if (ret) 271 return ret; 272 } else 273 d.context = context; 274 if (id == NULL) { 275 ret = krb5_cc_default(d.context, &d.id); 276 if (ret) 277 goto out; 278 } else 279 d.id = id; 280 d.realm = realm; 281 ret = afslog_uid_int(&kd, cell, 0, uid, homedir); 282 if (id == NULL) 283 krb5_cc_close(context, d.id); 284 out: 285 if (context == NULL) 286 krb5_free_context(d.context); 287 return ret; 288 } 289 290 krb5_error_code 291 krb5_afslog_uid(krb5_context context, 292 krb5_ccache id, 293 const char *cell, 294 krb5_const_realm realm, 295 uid_t uid) 296 { 297 return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL); 298 } 299 300 krb5_error_code 301 krb5_afslog(krb5_context context, 302 krb5_ccache id, 303 const char *cell, 304 krb5_const_realm realm) 305 { 306 return krb5_afslog_uid (context, id, cell, realm, getuid()); 307 } 308 309 krb5_error_code 310 krb5_afslog_home(krb5_context context, 311 krb5_ccache id, 312 const char *cell, 313 krb5_const_realm realm, 314 const char *homedir) 315 { 316 return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir); 317 } 318 319 /* 320 * 321 */ 322 323 krb5_error_code 324 krb5_realm_of_cell(const char *cell, char **realm) 325 { 326 struct kafs_data kd; 327 328 kd.name = "krb5"; 329 kd.get_realm = get_realm; 330 kd.get_error = get_error; 331 kd.free_error = free_error; 332 return _kafs_realm_of_cell(&kd, cell, realm); 333 } 334 335 /* 336 * 337 */ 338 339 int 340 kafs_settoken5(krb5_context context, const char *cell, uid_t uid, 341 krb5_creds *cred) 342 { 343 struct kafs_token kt; 344 int ret; 345 346 ret = v5_convert(context, NULL, cred, uid, cell, &kt); 347 if (ret) 348 return ret; 349 350 ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len); 351 352 free(kt.ticket); 353 354 return ret; 355 } 356