2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kafs_locl.h"
36 RCSID("$Id: common.c,v 1.26.2.1 2003/04/23 18:03:20 lha Exp $");
38 #define AUTH_SUPERUSER "afs"
41 * Here only ASCII characters are relevant.
44 #define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
46 #define ToAsciiUpper(c) ((c) - 'a' + 'A')
48 static void (*kafs_verbose
)(void *, const char *);
49 static void *kafs_verbose_ctx
;
52 _kafs_foldup(char *a
, const char *b
)
56 *a
= ToAsciiUpper(*b
);
63 kafs_set_verbose(void (*f
)(void *, const char *), void *ctx
)
67 kafs_verbose_ctx
= ctx
;
72 kafs_settoken_rxkad(const char *cell
, struct ClearToken
*ct
,
73 void *ticket
, size_t ticket_len
)
75 struct ViceIoctl parms
;
81 * length of secret token followed by secret token
83 sizeof_x
= ticket_len
;
84 memcpy(t
, &sizeof_x
, sizeof(sizeof_x
));
85 t
+= sizeof(sizeof_x
);
86 memcpy(t
, ticket
, sizeof_x
);
89 * length of clear token followed by clear token
91 sizeof_x
= sizeof(*ct
);
92 memcpy(t
, &sizeof_x
, sizeof(sizeof_x
));
93 t
+= sizeof(sizeof_x
);
94 memcpy(t
, ct
, sizeof_x
);
98 * do *not* mark as primary cell
101 memcpy(t
, &sizeof_x
, sizeof(sizeof_x
));
102 t
+= sizeof(sizeof_x
);
104 * follow with cell name
106 sizeof_x
= strlen(cell
) + 1;
107 memcpy(t
, cell
, sizeof_x
);
111 * Build argument block
114 parms
.in_size
= t
- buf
;
118 return k_pioctl(0, VIOCSETTOK
, &parms
, 0);
122 _kafs_fixup_viceid(struct ClearToken
*ct
, uid_t uid
)
124 #define ODD(x) ((x) & 1)
125 /* According to Transarc conventions ViceId is valid iff
126 * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
127 * the transformations:
129 * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
130 * preserves the original values.
132 if (uid
!= 0) /* valid ViceId */
134 if (!ODD(ct
->EndTimestamp
- ct
->BeginTimestamp
))
137 else /* not valid ViceId */
139 if (ODD(ct
->EndTimestamp
- ct
->BeginTimestamp
))
146 _kafs_v4_to_kt(CREDENTIALS
*c
, uid_t uid
, struct kafs_token
*kt
)
150 if (c
->ticket_st
.length
> MAX_KTXT_LEN
)
153 kt
->ticket
= malloc(c
->ticket_st
.length
);
154 if (kt
->ticket
== NULL
)
156 kt
->ticket_len
= c
->ticket_st
.length
;
157 memcpy(kt
->ticket
, c
->ticket_st
.dat
, kt
->ticket_len
);
160 * Build a struct ClearToken
162 kt
->ct
.AuthHandle
= c
->kvno
;
163 memcpy (kt
->ct
.HandShakeKey
, c
->session
, sizeof(c
->session
));
165 kt
->ct
.BeginTimestamp
= c
->issue_date
;
166 kt
->ct
.EndTimestamp
= krb_life_to_time(c
->issue_date
, c
->lifetime
);
168 _kafs_fixup_viceid(&kt
->ct
, uid
);
173 /* Try to get a db-server for an AFS cell from a AFSDB record */
176 dns_find_cell(const char *cell
, char *dbserver
, size_t len
)
180 r
= dns_lookup(cell
, "afsdb");
182 struct resource_record
*rr
= r
->head
;
184 if(rr
->type
== T_AFSDB
&& rr
->u
.afsdb
->preference
== 1){
200 * Try to find the cells we should try to klog to in "file".
203 find_cells(const char *file
, char ***cells
, int *index
)
210 f
= fopen(file
, "r");
213 while (fgets(cell
, sizeof(cell
), f
)) {
215 t
= cell
+ strlen(cell
);
216 for (; t
>= cell
; t
--)
217 if (*t
== '\n' || *t
== '\t' || *t
== ' ')
219 if (cell
[0] == '\0' || cell
[0] == '#')
221 for(i
= 0; i
< ind
; i
++)
222 if(strcmp((*cells
)[i
], cell
) == 0)
227 tmp
= realloc(*cells
, (ind
+ 1) * sizeof(**cells
));
231 (*cells
)[ind
] = strdup(cell
);
232 if ((*cells
)[ind
] == NULL
)
242 * Get tokens for all cells[]
245 afslog_cells(kafs_data
*data
, char **cells
, int max
, uid_t uid
,
250 for (i
= 0; i
< max
; i
++) {
251 int er
= (*data
->afslog_uid
)(data
, cells
[i
], 0, uid
, homedir
);
259 _kafs_afslog_all_local_cells(kafs_data
*data
, uid_t uid
, const char *homedir
)
266 homedir
= getenv("HOME");
267 if (homedir
!= NULL
) {
268 char home
[MaxPathLen
];
269 snprintf(home
, sizeof(home
), "%s/.TheseCells", homedir
);
270 find_cells(home
, &cells
, &index
);
272 find_cells(_PATH_THESECELLS
, &cells
, &index
);
273 find_cells(_PATH_THISCELL
, &cells
, &index
);
274 find_cells(_PATH_ARLA_THESECELLS
, &cells
, &index
);
275 find_cells(_PATH_ARLA_THISCELL
, &cells
, &index
);
276 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS
, &cells
, &index
);
277 find_cells(_PATH_OPENAFS_DEBIAN_THISCELL
, &cells
, &index
);
278 find_cells(_PATH_ARLA_DEBIAN_THESECELLS
, &cells
, &index
);
279 find_cells(_PATH_ARLA_DEBIAN_THISCELL
, &cells
, &index
);
281 ret
= afslog_cells(data
, cells
, index
, uid
, homedir
);
283 free(cells
[--index
]);
290 file_find_cell(kafs_data
*data
, const char *cell
, char **realm
, int exact
)
297 if ((F
= fopen(_PATH_CELLSERVDB
, "r"))
298 || (F
= fopen(_PATH_ARLA_CELLSERVDB
, "r"))
299 || (F
= fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB
, "r"))
300 || (F
= fopen(_PATH_ARLA_DEBIAN_CELLSERVDB
, "r"))) {
301 while (fgets(buf
, sizeof(buf
), F
)) {
305 continue; /* Not a cell name line, try next line */
307 strsep(&p
, " \t\n#");
310 cmp
= strcmp(buf
+ 1, cell
);
312 cmp
= strncmp(buf
+ 1, cell
, strlen(cell
));
316 * We found the cell name we're looking for.
317 * Read next line on the form ip-address '#' hostname
319 if (fgets(buf
, sizeof(buf
), F
) == NULL
)
320 break; /* Read failed, give up */
321 p
= strchr(buf
, '#');
323 break; /* No '#', give up */
325 if (buf
[strlen(buf
) - 1] == '\n')
326 buf
[strlen(buf
) - 1] = '\0';
327 *realm
= (*data
->get_realm
)(data
, p
);
328 if (*realm
&& **realm
!= '\0')
330 break; /* Won't try any more */
338 /* Find the realm associated with cell. Do this by opening
339 /usr/vice/etc/CellServDB and getting the realm-of-host for the
340 first VL-server for the cell.
342 This does not work when the VL-server is living in one realm, but
343 the cell it is serving is living in another realm.
345 Return 0 on success, -1 otherwise.
349 _kafs_realm_of_cell(kafs_data
*data
, const char *cell
, char **realm
)
354 ret
= file_find_cell(data
, cell
, realm
, 1);
357 if (dns_find_cell(cell
, buf
, sizeof(buf
)) == 0) {
358 *realm
= (*data
->get_realm
)(data
, buf
);
362 return file_find_cell(data
, cell
, realm
, 0);
366 _kafs_try_get_cred(kafs_data
*data
, const char *user
, const char *cell
,
367 const char *realm
, uid_t uid
, struct kafs_token
*kt
)
371 ret
= (*data
->get_cred
)(data
, user
, cell
, realm
, uid
, kt
);
374 asprintf(&str
, "%s tried afs%s%s@%s -> %d",
375 data
->name
, cell
[0] == '\0' ? "" : "/",
377 (*kafs_verbose
)(kafs_verbose_ctx
, str
);
386 _kafs_get_cred(kafs_data
*data
,
388 const char *realm_hint
,
391 struct kafs_token
*kt
)
397 /* We're about to find the the realm that holds the key for afs in
398 * the specified cell. The problem is that null-instance
399 * afs-principals are common and that hitting the wrong realm might
400 * yield the wrong afs key. The following assumptions were made.
402 * Any realm passed to us is preferred.
404 * If there is a realm with the same name as the cell, it is most
405 * likely the correct realm to talk to.
407 * In most (maybe even all) cases the database servers of the cell
408 * will live in the realm we are looking for.
410 * Try the local realm, but if the previous cases fail, this is
411 * really a long shot.
415 /* comments on the ordering of these tests */
417 /* If the user passes a realm, she probably knows something we don't
418 * know and we should try afs@realm_hint.
422 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
423 cell
, realm_hint
, uid
, kt
);
424 if (ret
== 0) return 0;
425 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
426 "", realm_hint
, uid
, kt
);
427 if (ret
== 0) return 0;
430 _kafs_foldup(CELL
, cell
);
433 * If cell == realm we don't need no cross-cell authentication.
436 if (strcmp(CELL
, realm
) == 0) {
437 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
439 if (ret
== 0) return 0;
440 /* Try afs.cell@REALM below. */
444 * If the AFS servers have a file /usr/afs/etc/krb.conf containing
445 * REALM we still don't have to resort to cross-cell authentication.
446 * Try afs.cell@REALM.
448 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
449 cell
, realm
, uid
, kt
);
450 if (ret
== 0) return 0;
453 * We failed to get ``first class tickets'' for afs,
454 * fall back to cross-cell authentication.
458 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
460 if (ret
== 0) return 0;
461 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
462 cell
, CELL
, uid
, kt
);
463 if (ret
== 0) return 0;
466 * Perhaps the cell doesn't correspond to any realm?
467 * Use realm of first volume location DB server.
468 * Try afs.cell@VL_REALM.
469 * Try afs@VL_REALM???
471 if (_kafs_realm_of_cell(data
, cell
, &vl_realm
) == 0
472 && strcmp(vl_realm
, realm
) != 0
473 && strcmp(vl_realm
, CELL
) != 0) {
474 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
475 cell
, vl_realm
, uid
, kt
);
477 ret
= _kafs_try_get_cred(data
, AUTH_SUPERUSER
,
478 "", vl_realm
, uid
, kt
);
480 if (ret
== 0) return 0;