search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Spelling.
[heimdal.git] / lib / kafs / common.c
blob855bed536a0182e34cee766fac17dbfc836acb4f
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kafs_locl.h"
35
36 RCSID("$Id$");
37
38 #define AUTH_SUPERUSER "afs"
39
40 /*
41 * Here only ASCII characters are relevant.
42 */
43
44 #define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
45
46 #define ToAsciiUpper(c) ((c) - 'a' + 'A')
47
48 static void (*kafs_verbose)(void *, const char *);
49 static void *kafs_verbose_ctx;
50
51 void
52 _kafs_foldup(char *a, const char *b)
53 {
54 for (; *b; a++, b++)
55 if (IsAsciiLower(*b))
56 *a = ToAsciiUpper(*b);
57 else
58 *a = *b;
59 *a = '\0';
60 }
61
62 void
63 kafs_set_verbose(void (*f)(void *, const char *), void *ctx)
64 {
65 if (f) {
66 kafs_verbose = f;
67 kafs_verbose_ctx = ctx;
68 }
69 }
70
71 int
72 kafs_settoken_rxkad(const char *cell, struct ClearToken *ct,
73 void *ticket, size_t ticket_len)
74 {
75 struct ViceIoctl parms;
76 char buf[2048], *t;
77 int32_t sizeof_x;
78
79 t = buf;
80 /*
81 * length of secret token followed by secret token
82 */
83 sizeof_x = ticket_len;
84 memcpy(t, &sizeof_x, sizeof(sizeof_x));
85 t += sizeof(sizeof_x);
86 memcpy(t, ticket, sizeof_x);
87 t += sizeof_x;
88 /*
89 * length of clear token followed by clear token
90 */
91 sizeof_x = sizeof(*ct);
92 memcpy(t, &sizeof_x, sizeof(sizeof_x));
93 t += sizeof(sizeof_x);
94 memcpy(t, ct, sizeof_x);
95 t += sizeof_x;
96
97 /*
98 * do *not* mark as primary cell
99 */
100 sizeof_x = 0;
101 memcpy(t, &sizeof_x, sizeof(sizeof_x));
102 t += sizeof(sizeof_x);
103 /*
104 * follow with cell name
105 */
106 sizeof_x = strlen(cell) + 1;
107 memcpy(t, cell, sizeof_x);
108 t += sizeof_x;
109
110 /*
111 * Build argument block
112 */
113 parms.in = buf;
114 parms.in_size = t - buf;
115 parms.out = 0;
116 parms.out_size = 0;
117
118 return k_pioctl(0, VIOCSETTOK, &parms, 0);
119 }
120
121 void
122 _kafs_fixup_viceid(struct ClearToken *ct, uid_t uid)
123 {
124 #define ODD(x) ((x) & 1)
125 /* According to Transarc conventions ViceId is valid iff
126 * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
127 * the transformations:
128 *
129 * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
130 * preserves the original values.
131 */
132 if (uid != 0) /* valid ViceId */
133 {
134 if (!ODD(ct->EndTimestamp - ct->BeginTimestamp))
135 ct->EndTimestamp--;
136 }
137 else /* not valid ViceId */
138 {
139 if (ODD(ct->EndTimestamp - ct->BeginTimestamp))
140 ct->EndTimestamp--;
141 }
142 }
143
144
145 int
146 _kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt)
147 {
148 kt->ticket = NULL;
149
150 if (c->ticket_st.length > MAX_KTXT_LEN)
151 return EINVAL;
152
153 kt->ticket = malloc(c->ticket_st.length);
154 if (kt->ticket == NULL)
155 return ENOMEM;
156 kt->ticket_len = c->ticket_st.length;
157 memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len);
158
159 /*
160 * Build a struct ClearToken
161 */
162 kt->ct.AuthHandle = c->kvno;
163 memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session));
164 kt->ct.ViceId = uid;
165 kt->ct.BeginTimestamp = c->issue_date;
166 kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
167
168 _kafs_fixup_viceid(&kt->ct, uid);
169
170 return 0;
171 }
172
173 /* Try to get a db-server for an AFS cell from a AFSDB record */
174
175 static int
176 dns_find_cell(const char *cell, char *dbserver, size_t len)
177 {
178 struct dns_reply *r;
179 int ok = -1;
180 r = dns_lookup(cell, "afsdb");
181 if(r){
182 struct resource_record *rr = r->head;
183 while(rr){
184 if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
185 strlcpy(dbserver,
186 rr->u.afsdb->domain,
187 len);
188 ok = 0;
189 break;
190 }
191 rr = rr->next;
192 }
193 dns_free_data(r);
194 }
195 return ok;
196 }
197
198
199 /*
200 * Try to find the cells we should try to klog to in "file".
201 */
202 static void
203 find_cells(const char *file, char ***cells, int *idx)
204 {
205 FILE *f;
206 char cell[64];
207 int i;
208 int ind = *idx;
209
210 f = fopen(file, "r");
211 if (f == NULL)
212 return;
213 while (fgets(cell, sizeof(cell), f)) {
214 char *t;
215 t = cell + strlen(cell);
216 for (; t >= cell; t--)
217 if (*t == '\n' || *t == '\t' || *t == ' ')
218 *t = 0;
219 if (cell[0] == '\0' || cell[0] == '#')
220 continue;
221 for(i = 0; i < ind; i++)
222 if(strcmp((*cells)[i], cell) == 0)
223 break;
224 if(i == ind){
225 char **tmp;
226
227 tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
228 if (tmp == NULL)
229 break;
230 *cells = tmp;
231 (*cells)[ind] = strdup(cell);
232 if ((*cells)[ind] == NULL)
233 break;
234 ++ind;
235 }
236 }
237 fclose(f);
238 *idx = ind;
239 }
240
241 /*
242 * Get tokens for all cells[]
243 */
244 static int
245 afslog_cells(struct kafs_data *data, char **cells, int max, uid_t uid,
246 const char *homedir)
247 {
248 int ret = 0;
249 int i;
250 for (i = 0; i < max; i++) {
251 int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
252 if (er)
253 ret = er;
254 }
255 return ret;
256 }
257
258 int
259 _kafs_afslog_all_local_cells(struct kafs_data *data,
260 uid_t uid, const char *homedir)
261 {
262 int ret;
263 char **cells = NULL;
264 int idx = 0;
265
266 if (homedir == NULL)
267 homedir = getenv("HOME");
268 if (homedir != NULL) {
269 char home[MaxPathLen];
270 snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
271 find_cells(home, &cells, &idx);
272 }
273 find_cells(_PATH_THESECELLS, &cells, &idx);
274 find_cells(_PATH_THISCELL, &cells, &idx);
275 find_cells(_PATH_ARLA_THESECELLS, &cells, &idx);
276 find_cells(_PATH_ARLA_THISCELL, &cells, &idx);
277 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &idx);
278 find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &idx);
279 find_cells(_PATH_OPENAFS_MACOSX_THESECELLS, &cells, &idx);
280 find_cells(_PATH_OPENAFS_MACOSX_THISCELL, &cells, &idx);
281 find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &idx);
282 find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &idx);
283 find_cells(_PATH_ARLA_OPENBSD_THESECELLS, &cells, &idx);
284 find_cells(_PATH_ARLA_OPENBSD_THISCELL, &cells, &idx);
285
286 ret = afslog_cells(data, cells, idx, uid, homedir);
287 while(idx > 0)
288 free(cells[--idx]);
289 free(cells);
290 return ret;
291 }
292
293
294 static int
295 file_find_cell(struct kafs_data *data,
296 const char *cell, char **realm, int exact)
297 {
298 FILE *F;
299 char buf[1024];
300 char *p;
301 int ret = -1;
302
303 if ((F = fopen(_PATH_CELLSERVDB, "r"))
304 || (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))
305 || (F = fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB, "r"))
306 || (F = fopen(_PATH_OPENAFS_MACOSX_CELLSERVDB, "r"))
307 || (F = fopen(_PATH_ARLA_DEBIAN_CELLSERVDB, "r"))) {
308 while (fgets(buf, sizeof(buf), F)) {
309 int cmp;
310
311 if (buf[0] != '>')
312 continue; /* Not a cell name line, try next line */
313 p = buf;
314 strsep(&p, " \t\n#");
315
316 if (exact)
317 cmp = strcmp(buf + 1, cell);
318 else
319 cmp = strncmp(buf + 1, cell, strlen(cell));
320
321 if (cmp == 0) {
322 /*
323 * We found the cell name we're looking for.
324 * Read next line on the form ip-address '#' hostname
325 */
326 if (fgets(buf, sizeof(buf), F) == NULL)
327 break; /* Read failed, give up */
328 p = strchr(buf, '#');
329 if (p == NULL)
330 break; /* No '#', give up */
331 p++;
332 if (buf[strlen(buf) - 1] == '\n')
333 buf[strlen(buf) - 1] = '\0';
334 *realm = (*data->get_realm)(data, p);
335 if (*realm && **realm != '\0')
336 ret = 0;
337 break; /* Won't try any more */
338 }
339 }
340 fclose(F);
341 }
342 return ret;
343 }
344
345 /* Find the realm associated with cell. Do this by opening CellServDB
346 file and getting the realm-of-host for the first VL-server for the
347 cell.
348
349 This does not work when the VL-server is living in one realm, but
350 the cell it is serving is living in another realm.
351
352 Return 0 on success, -1 otherwise.
353 */
354
355 int
356 _kafs_realm_of_cell(struct kafs_data *data,
357 const char *cell, char **realm)
358 {
359 char buf[1024];
360 int ret;
361
362 ret = file_find_cell(data, cell, realm, 1);
363 if (ret == 0)
364 return ret;
365 if (dns_find_cell(cell, buf, sizeof(buf)) == 0) {
366 *realm = (*data->get_realm)(data, buf);
367 if(*realm != NULL)
368 return 0;
369 }
370 return file_find_cell(data, cell, realm, 0);
371 }
372
373 static int
374 _kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell,
375 const char *realm, uid_t uid, struct kafs_token *kt)
376 {
377 int ret;
378
379 ret = (*data->get_cred)(data, user, cell, realm, uid, kt);
380 if (kafs_verbose) {
381 char *str;
382 asprintf(&str, "%s tried afs%s%s@%s -> %d",
383 data->name, cell[0] == '\0' ? "" : "/",
384 cell, realm, ret);
385 (*kafs_verbose)(kafs_verbose_ctx, str);
386 free(str);
387 }
388
389 return ret;
390 }
391
392
393 int
394 _kafs_get_cred(struct kafs_data *data,
395 const char *cell,
396 const char *realm_hint,
397 const char *realm,
398 uid_t uid,
399 struct kafs_token *kt)
400 {
401 int ret = -1;
402 char *vl_realm;
403 char CELL[64];
404
405 /* We're about to find the realm that holds the key for afs in
406 * the specified cell. The problem is that null-instance
407 * afs-principals are common and that hitting the wrong realm might
408 * yield the wrong afs key. The following assumptions were made.
409 *
410 * Any realm passed to us is preferred.
411 *
412 * If there is a realm with the same name as the cell, it is most
413 * likely the correct realm to talk to.
414 *
415 * In most (maybe even all) cases the database servers of the cell
416 * will live in the realm we are looking for.
417 *
418 * Try the local realm, but if the previous cases fail, this is
419 * really a long shot.
420 *
421 */
422
423 /* comments on the ordering of these tests */
424
425 /* If the user passes a realm, she probably knows something we don't
426 * know and we should try afs@realm_hint.
427 */
428
429 if (realm_hint) {
430 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
431 cell, realm_hint, uid, kt);
432 if (ret == 0) return 0;
433 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
434 "", realm_hint, uid, kt);
435 if (ret == 0) return 0;
436 }
437
438 _kafs_foldup(CELL, cell);
439
440 /*
441 * If cell == realm we don't need no cross-cell authentication.
442 * Try afs@REALM.
443 */
444 if (strcmp(CELL, realm) == 0) {
445 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
446 "", realm, uid, kt);
447 if (ret == 0) return 0;
448 /* Try afs.cell@REALM below. */
449 }
450
451 /*
452 * If the AFS servers have a file /usr/afs/etc/krb.conf containing
453 * REALM we still don't have to resort to cross-cell authentication.
454 * Try afs.cell@REALM.
455 */
456 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
457 cell, realm, uid, kt);
458 if (ret == 0) return 0;
459
460 /*
461 * We failed to get ``first class tickets'' for afs,
462 * fall back to cross-cell authentication.
463 * Try afs@CELL.
464 * Try afs.cell@CELL.
465 */
466 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
467 "", CELL, uid, kt);
468 if (ret == 0) return 0;
469 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
470 cell, CELL, uid, kt);
471 if (ret == 0) return 0;
472
473 /*
474 * Perhaps the cell doesn't correspond to any realm?
475 * Use realm of first volume location DB server.
476 * Try afs.cell@VL_REALM.
477 * Try afs@VL_REALM???
478 */
479 if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
480 && strcmp(vl_realm, realm) != 0
481 && strcmp(vl_realm, CELL) != 0) {
482 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
483 cell, vl_realm, uid, kt);
484 if (ret)
485 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
486 "", vl_realm, uid, kt);
487 free(vl_realm);
488 if (ret == 0) return 0;
489 }
490
491 return ret;
492 }
Heimdal