lib/kafs/afskrb5.c

   1 /*
   2  * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kafs_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 struct krb5_kafs_data {
  39     krb5_context context;
  40     krb5_ccache id;
  41     krb5_const_realm realm;
  42 };
  43
  44 enum {
  45     KAFS_RXKAD_2B_KVNO = 213,
  46     KAFS_RXKAD_K5_KVNO = 256
  47 };
  48
  49 static int
  50 v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
  51 {
  52     int kvno, ret;
  53
  54     kt->ticket = NULL;
  55
  56     /* check if des key */
  57     if (cred->session.keyvalue.length != 8)
  58         return EINVAL;
  59
  60     if (local524) {
  61         Ticket t;
  62         unsigned char *buf;
  63         size_t buf_len;
  64         size_t len;
  65
  66         kvno = KAFS_RXKAD_2B_KVNO;
  67
  68         ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
  69         if (ret)
  70             return ret;
  71         if (t.tkt_vno != 5)
  72             return -1;
  73
  74         ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part,
  75                            &len, ret);
  76         free_Ticket(&t);
  77         if (ret)
  78             return ret;
  79         if(buf_len != len) {
  80             free(buf);
  81             return KRB5KRB_ERR_GENERIC;
  82         }
  83
  84         kt->ticket = buf;
  85         kt->ticket_len = buf_len;
  86
  87     } else {
  88         kvno = KAFS_RXKAD_K5_KVNO;
  89         kt->ticket = malloc(cred->ticket.length);
  90         if (kt->ticket == NULL)
  91             return ENOMEM;
  92         kt->ticket_len = cred->ticket.length;
  93         memcpy(kt->ticket, cred->ticket.data, kt->ticket_len);
  94
  95         ret = 0;
  96     }
  97
  98
  99     /*
 100      * Build a struct ClearToken
 101      */
 102
 103     kt->ct.AuthHandle = kvno;
 104     memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8);
 105     kt->ct.ViceId = uid;
 106     kt->ct.BeginTimestamp = cred->times.starttime;
 107     kt->ct.EndTimestamp = cred->times.endtime;
 108
 109     _kafs_fixup_viceid(&kt->ct, uid);
 110
 111     return 0;
 112 }
 113
 114 static krb5_error_code
 115 v5_convert(krb5_context context, krb5_ccache id,
 116            krb5_creds *cred, uid_t uid,
 117            const char *cell,
 118            struct kafs_token *kt)
 119 {
 120     krb5_error_code ret;
 121     char *c, *val;
 122
 123     c = strdup(cell);
 124     if (c == NULL)
 125         return ENOMEM;
 126     _kafs_foldup(c, c);
 127     krb5_appdefault_string (context, "libkafs",
 128                             c,
 129                             "afs-use-524", "2b", &val);
 130     free(c);
 131
 132     if (strcasecmp(val, "local") == 0 ||
 133         strcasecmp(val, "2b") == 0)
 134         ret = v5_to_kt(cred, uid, kt, 1);
 135     else if(strcasecmp(val, "yes") == 0 ||
 136             strcasecmp(val, "true") == 0 ||
 137             atoi(val)) {
 138         struct credentials cred4;
 139
 140         if (id == NULL)
 141             ret = krb524_convert_creds_kdc(context, cred, &cred4);
 142         else
 143             ret = krb524_convert_creds_kdc_ccache(context, id, cred, &cred4);
 144         if (ret)
 145             goto out;
 146
 147         ret = _kafs_v4_to_kt(&cred4, uid, kt);
 148     } else
 149         ret = v5_to_kt(cred, uid, kt, 0);
 150
 151  out:
 152     free(val);
 153     return ret;
 154 }
 155
 156
 157 /*
 158  *
 159  */
 160
 161 static int
 162 get_cred(struct kafs_data *data, const char *name, const char *inst,
 163          const char *realm, uid_t uid, struct kafs_token *kt)
 164 {
 165     krb5_error_code ret;
 166     krb5_creds in_creds, *out_creds;
 167     struct krb5_kafs_data *d = data->data;
 168
 169     memset(&in_creds, 0, sizeof(in_creds));
 170     ret = krb5_425_conv_principal(d->context, name, inst, realm,
 171                                   &in_creds.server);
 172     if(ret)
 173         return ret;
 174     ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
 175     if(ret){
 176         krb5_free_principal(d->context, in_creds.server);
 177         return ret;
 178     }
 179     in_creds.session.keytype = ETYPE_DES_CBC_CRC;
 180     ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
 181     krb5_free_principal(d->context, in_creds.server);
 182     krb5_free_principal(d->context, in_creds.client);
 183     if(ret)
 184         return ret;
 185
 186     ret = v5_convert(d->context, d->id, out_creds, uid,
 187                      (inst != NULL && inst[0] != '\0') ? inst : realm, kt);
 188     krb5_free_creds(d->context, out_creds);
 189
 190     return ret;
 191 }
 192
 193 static krb5_error_code
 194 afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
 195                uid_t uid, const char *homedir)
 196 {
 197     krb5_error_code ret;
 198     struct kafs_token kt;
 199     krb5_principal princ;
 200     const char *trealm; /* ticket realm */
 201     struct krb5_kafs_data *d = data->data;
 202
 203     if (cell == 0 || cell[0] == 0)
 204         return _kafs_afslog_all_local_cells (data, uid, homedir);
 205
 206     ret = krb5_cc_get_principal (d->context, d->id, &princ);
 207     if (ret)
 208         return ret;
 209
 210     trealm = krb5_principal_get_realm (d->context, princ);
 211
 212     kt.ticket = NULL;
 213     ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt);
 214     krb5_free_principal (d->context, princ);
 215
 216     if(ret == 0) {
 217         ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
 218         free(kt.ticket);
 219     }
 220     return ret;
 221 }
 222
 223 static char *
 224 get_realm(struct kafs_data *data, const char *host)
 225 {
 226     struct krb5_kafs_data *d = data->data;
 227     krb5_realm *realms;
 228     char *r;
 229     if(krb5_get_host_realm(d->context, host, &realms))
 230         return NULL;
 231     r = strdup(realms[0]);
 232     krb5_free_host_realm(d->context, realms);
 233     return r;
 234 }
 235
 236 krb5_error_code
 237 krb5_afslog_uid_home(krb5_context context,
 238                      krb5_ccache id,
 239                      const char *cell,
 240                      krb5_const_realm realm,
 241                      uid_t uid,
 242                      const char *homedir)
 243 {
 244     struct kafs_data kd;
 245     struct krb5_kafs_data d;
 246     krb5_error_code ret;
 247
 248     kd.name = "krb5";
 249     kd.afslog_uid = afslog_uid_int;
 250     kd.get_cred = get_cred;
 251     kd.get_realm = get_realm;
 252     kd.data = &d;
 253     if (context == NULL) {
 254         ret = krb5_init_context(&d.context);
 255         if (ret)
 256             return ret;
 257     } else
 258         d.context = context;
 259     if (id == NULL) {
 260         ret = krb5_cc_default(d.context, &d.id);
 261         if (ret)
 262             goto out;
 263     } else
 264         d.id = id;
 265     d.realm = realm;
 266     ret = afslog_uid_int(&kd, cell, 0, uid, homedir);
 267     if (id == NULL)
 268         krb5_cc_close(context, d.id);
 269  out:
 270     if (context == NULL)
 271         krb5_free_context(d.context);
 272     return ret;
 273 }
 274
 275 krb5_error_code
 276 krb5_afslog_uid(krb5_context context,
 277                 krb5_ccache id,
 278                 const char *cell,
 279                 krb5_const_realm realm,
 280                 uid_t uid)
 281 {
 282     return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
 283 }
 284
 285 krb5_error_code
 286 krb5_afslog(krb5_context context,
 287             krb5_ccache id,
 288             const char *cell,
 289             krb5_const_realm realm)
 290 {
 291     return krb5_afslog_uid (context, id, cell, realm, getuid());
 292 }
 293
 294 krb5_error_code
 295 krb5_afslog_home(krb5_context context,
 296                  krb5_ccache id,
 297                  const char *cell,
 298                  krb5_const_realm realm,
 299                  const char *homedir)
 300 {
 301     return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
 302 }
 303
 304 /*
 305  *
 306  */
 307
 308 krb5_error_code
 309 krb5_realm_of_cell(const char *cell, char **realm)
 310 {
 311     struct kafs_data kd;
 312
 313     kd.name = "krb5";
 314     kd.get_realm = get_realm;
 315     return _kafs_realm_of_cell(&kd, cell, realm);
 316 }
 317
 318 /*
 319  *
 320  */
 321
 322 int
 323 kafs_settoken5(krb5_context context, const char *cell, uid_t uid,
 324                krb5_creds *cred)
 325 {
 326     struct kafs_token kt;
 327     int ret;
 328
 329     ret = v5_convert(context, NULL, cred, uid, cell, &kt);
 330     if (ret)
 331         return ret;
 332
 333     ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
 334
 335     free(kt.ticket);
 336
 337     return ret;
 338 }