source3/lib/afs.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Generate AFS tickets
   4  *  Copyright (C) Volker Lendecke 2003
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 2 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, write to the Free Software
  18  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  19  */
  20
  21 #include "includes.h"
  22
  23 #ifdef WITH_FAKE_KASERVER
  24
  25 #include <afs/stds.h>
  26 #include <afs/afs.h>
  27 #include <afs/auth.h>
  28 #include <afs/venus.h>
  29 #include <asm/unistd.h>
  30 #include <openssl/des.h>
  31
  32 struct ClearToken {
  33         uint32 AuthHandle;
  34         char HandShakeKey[8];
  35         uint32 ViceId;
  36         uint32 BeginTimestamp;
  37         uint32 EndTimestamp;
  38 };
  39
  40 static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
  41                               const struct ClearToken *ct)
  42 {
  43         char *base64_ticket;
  44         char *result;
  45
  46         DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
  47         char *base64_key;
  48
  49         base64_ticket = base64_encode_data_blob(ticket);
  50         if (base64_ticket == NULL)
  51                 return NULL;
  52
  53         base64_key = base64_encode_data_blob(key);
  54         if (base64_key == NULL) {
  55                 free(base64_ticket);
  56                 return NULL;
  57         }
  58
  59         asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
  60                  ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
  61                  ct->EndTimestamp, base64_ticket);
  62
  63         DEBUG(10, ("Got ticket string:\n%s\n", result));
  64
  65         free(base64_ticket);
  66         free(base64_key);
  67
  68         return result;
  69 }
  70
  71 /* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
  72  * ViceId set, this should be set by the caller. */
  73
  74 static BOOL afs_createtoken(const char *username, const char *cell,
  75                             DATA_BLOB *ticket, struct ClearToken *ct)
  76 {
  77         fstring clear_ticket;
  78         char *p = clear_ticket;
  79         uint32 len;
  80         uint32 now;
  81
  82         struct afs_key key;
  83         des_key_schedule key_schedule;
  84
  85         if (!secrets_init())
  86                 return False;
  87
  88         if (!secrets_fetch_afs_key(cell, &key)) {
  89                 DEBUG(1, ("Could not fetch AFS service key\n"));
  90                 return False;
  91         }
  92
  93         ct->AuthHandle = key.kvno;
  94
  95         /* Build the ticket. This is going to be encrypted, so in our
  96            way we fill in ct while we still have the unencrypted
  97            form. */
  98
  99         p = clear_ticket;
 100
 101         /* The byte-order */
 102         *p = 1;
 103         p += 1;
 104
 105         /* "Alice", the client username */
 106         strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
 107         p += strlen(p)+1;
 108         strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
 109         p += strlen(p)+1;
 110         strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
 111         p += strlen(p)+1;
 112
 113         /* Alice's network layer address. At least Openafs-1.2.10
 114            ignores this, so we fill in a dummy value here. */
 115         SIVAL(p, 0, 0);
 116         p += 4;
 117
 118         /* We need to create a session key */
 119         generate_random_buffer(p, 8);
 120
 121         /* Our client code needs the the key in the clear, it does not
 122            know the server-key ... */
 123         memcpy(ct->HandShakeKey, p, 8);
 124
 125         p += 8;
 126
 127         /* This is a kerberos 4 life time. The life time is expressed
 128          * in units of 5 minute intervals up to 38400 seconds, after
 129          * that a table is used up to lifetime 0xBF. Values between
 130          * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
 131          * infinite time that never expire.
 132          *
 133          * So here we cheat and use the infinite time */
 134         *p = 255;
 135         p += 1;
 136
 137         /* Ticket creation time */
 138         now = time(NULL);
 139         SIVAL(p, 0, now);
 140         ct->BeginTimestamp = now;
 141
 142         if(lp_afs_token_lifetime() == 0)
 143                 ct->EndTimestamp = NEVERDATE;
 144         else
 145                 ct->EndTimestamp = now + lp_afs_token_lifetime();
 146
 147         if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
 148                 ct->BeginTimestamp += 1; /* Lifetime must be even */
 149         }
 150         p += 4;
 151
 152         /* And here comes Bob's name and instance, in this case the
 153            AFS server. */
 154         strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
 155         p += strlen(p)+1;
 156         strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
 157         p += strlen(p)+1;
 158
 159         /* And zero-pad to a multiple of 8 bytes */
 160         len = PTR_DIFF(p, clear_ticket);
 161         if (len & 7) {
 162                 uint32 extra_space = 8-(len & 7);
 163                 memset(p, 0, extra_space);
 164                 p+=extra_space;
 165         }
 166         len = PTR_DIFF(p, clear_ticket);
 167
 168         des_key_sched((const_des_cblock *)key.key, key_schedule);
 169         des_pcbc_encrypt(clear_ticket, clear_ticket,
 170                          len, key_schedule, (C_Block *)key.key, 1);
 171
 172         ZERO_STRUCT(key);
 173
 174         *ticket = data_blob(clear_ticket, len);
 175
 176         return True;
 177 }
 178
 179 char *afs_createtoken_str(const char *username, const char *cell)
 180 {
 181         DATA_BLOB ticket;
 182         struct ClearToken ct;
 183         char *result;
 184
 185         if (!afs_createtoken(username, cell, &ticket, &ct))
 186                 return NULL;
 187
 188         result = afs_encode_token(cell, ticket, &ct);
 189
 190         data_blob_free(&ticket);
 191
 192         return result;
 193 }
 194
 195 /*
 196   This routine takes a radical approach completely bypassing the
 197   Kerberos idea of security and using AFS simply as an intelligent
 198   file backend. Samba has persuaded itself somehow that the user is
 199   actually correctly identified and then we create a ticket that the
 200   AFS server hopefully accepts using its KeyFile that the admin has
 201   kindly stored to our secrets.tdb.
 202
 203   Thanks to the book "Network Security -- PRIVATE Communication in a
 204   PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
 205   Kerberos 4 tickets are not really hard to construct.
 206
 207   For the comments "Alice" is the User to be auth'ed, and "Bob" is the
 208   AFS server.  */
 209
 210 BOOL afs_login(connection_struct *conn)
 211 {
 212         extern struct current_user current_user;
 213         DATA_BLOB ticket;
 214         pstring afs_username;
 215         char *cell;
 216         BOOL result;
 217         char *ticket_str;
 218         const DOM_SID *user_sid;
 219
 220         struct ClearToken ct;
 221
 222         pstrcpy(afs_username, lp_afs_username_map());
 223         standard_sub_conn(conn, afs_username, sizeof(afs_username));
 224
 225         user_sid = &current_user.nt_user_token->user_sids[0];
 226         pstring_sub(afs_username, "%s", sid_string_static(user_sid));
 227
 228         /* The pts command always generates completely lower-case user
 229          * names. */
 230         strlower_m(afs_username);
 231
 232         cell = strchr(afs_username, '@');
 233
 234         if (cell == NULL) {
 235                 DEBUG(1, ("AFS username doesn't contain a @, "
 236                           "could not find cell\n"));
 237                 return False;
 238         }
 239
 240         *cell = '\0';
 241         cell += 1;
 242
 243         DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
 244                    afs_username, cell));
 245
 246         if (!afs_createtoken(afs_username, cell, &ticket, &ct))
 247                 return False;
 248
 249         /* For which Unix-UID do we want to set the token? */
 250         ct.ViceId = getuid();
 251
 252         ticket_str = afs_encode_token(cell, ticket, &ct);
 253
 254         result = afs_settoken_str(ticket_str);
 255
 256         SAFE_FREE(ticket_str);
 257
 258         data_blob_free(&ticket);
 259
 260         return result;
 261 }
 262
 263 #else
 264
 265 BOOL afs_login(connection_struct *conn)
 266 {
 267         return True;
 268 }
 269
 270 char *afs_createtoken_str(const char *username, const char *cell)
 271 {
 272         return False;
 273 }
 274
 275 #endif /* WITH_FAKE_KASERVER */