search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / kafs / common.c
blob2f9bb24f67d8d625979bab066b204aab3f25e9ea
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kafs_locl.h"
35
36 __RCSID("$Heimdal: common.c 15461 2005-06-16 22:52:33Z lha $"
37 "$NetBSD$");
38
39 #define AUTH_SUPERUSER "afs"
40
41 /*
42 * Here only ASCII characters are relevant.
43 */
44
45 #define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
46
47 #define ToAsciiUpper(c) ((c) - 'a' + 'A')
48
49 static void (*kafs_verbose)(void *, const char *);
50 static void *kafs_verbose_ctx;
51
52 void
53 _kafs_foldup(char *a, const char *b)
54 {
55 for (; *b; a++, b++)
56 if (IsAsciiLower(*b))
57 *a = ToAsciiUpper(*b);
58 else
59 *a = *b;
60 *a = '\0';
61 }
62
63 void
64 kafs_set_verbose(void (*f)(void *, const char *), void *ctx)
65 {
66 if (f) {
67 kafs_verbose = f;
68 kafs_verbose_ctx = ctx;
69 }
70 }
71
72 int
73 kafs_settoken_rxkad(const char *cell, struct ClearToken *ct,
74 void *ticket, size_t ticket_len)
75 {
76 struct ViceIoctl parms;
77 char buf[2048], *t;
78 int32_t sizeof_x;
79
80 t = buf;
81 /*
82 * length of secret token followed by secret token
83 */
84 sizeof_x = ticket_len;
85 memcpy(t, &sizeof_x, sizeof(sizeof_x));
86 t += sizeof(sizeof_x);
87 memcpy(t, ticket, sizeof_x);
88 t += sizeof_x;
89 /*
90 * length of clear token followed by clear token
91 */
92 sizeof_x = sizeof(*ct);
93 memcpy(t, &sizeof_x, sizeof(sizeof_x));
94 t += sizeof(sizeof_x);
95 memcpy(t, ct, sizeof_x);
96 t += sizeof_x;
97
98 /*
99 * do *not* mark as primary cell
100 */
101 sizeof_x = 0;
102 memcpy(t, &sizeof_x, sizeof(sizeof_x));
103 t += sizeof(sizeof_x);
104 /*
105 * follow with cell name
106 */
107 sizeof_x = strlen(cell) + 1;
108 memcpy(t, cell, sizeof_x);
109 t += sizeof_x;
110
111 /*
112 * Build argument block
113 */
114 parms.in = buf;
115 parms.in_size = t - buf;
116 parms.out = 0;
117 parms.out_size = 0;
118
119 return k_pioctl(0, VIOCSETTOK, &parms, 0);
120 }
121
122 void
123 _kafs_fixup_viceid(struct ClearToken *ct, uid_t uid)
124 {
125 #define ODD(x) ((x) & 1)
126 /* According to Transarc conventions ViceId is valid iff
127 * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
128 * the transformations:
129 *
130 * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
131 * preserves the original values.
132 */
133 if (uid != 0) /* valid ViceId */
134 {
135 if (!ODD(ct->EndTimestamp - ct->BeginTimestamp))
136 ct->EndTimestamp--;
137 }
138 else /* not valid ViceId */
139 {
140 if (ODD(ct->EndTimestamp - ct->BeginTimestamp))
141 ct->EndTimestamp--;
142 }
143 }
144
145
146 int
147 _kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt)
148 {
149 kt->ticket = NULL;
150
151 if (c->ticket_st.length > MAX_KTXT_LEN)
152 return EINVAL;
153
154 kt->ticket = malloc(c->ticket_st.length);
155 if (kt->ticket == NULL)
156 return ENOMEM;
157 kt->ticket_len = c->ticket_st.length;
158 memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len);
159
160 /*
161 * Build a struct ClearToken
162 */
163 kt->ct.AuthHandle = c->kvno;
164 memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session));
165 kt->ct.ViceId = uid;
166 kt->ct.BeginTimestamp = c->issue_date;
167 kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
168
169 _kafs_fixup_viceid(&kt->ct, uid);
170
171 return 0;
172 }
173
174 /* Try to get a db-server for an AFS cell from a AFSDB record */
175
176 static int
177 dns_find_cell(const char *cell, char *dbserver, size_t len)
178 {
179 struct dns_reply *r;
180 int ok = -1;
181 r = dns_lookup(cell, "afsdb");
182 if(r){
183 struct resource_record *rr = r->head;
184 while(rr){
185 if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
186 strlcpy(dbserver,
187 rr->u.afsdb->domain,
188 len);
189 ok = 0;
190 break;
191 }
192 rr = rr->next;
193 }
194 dns_free_data(r);
195 }
196 return ok;
197 }
198
199
200 /*
201 * Try to find the cells we should try to klog to in "file".
202 */
203 static void
204 find_cells(const char *file, char ***cells, int *idx)
205 {
206 FILE *f;
207 char cell[64];
208 int i;
209 int ind = *idx;
210
211 f = fopen(file, "r");
212 if (f == NULL)
213 return;
214 while (fgets(cell, sizeof(cell), f)) {
215 char *t;
216 t = cell + strlen(cell);
217 for (; t >= cell; t--)
218 if (*t == '\n' || *t == '\t' || *t == ' ')
219 *t = 0;
220 if (cell[0] == '\0' || cell[0] == '#')
221 continue;
222 for(i = 0; i < ind; i++)
223 if(strcmp((*cells)[i], cell) == 0)
224 break;
225 if(i == ind){
226 char **tmp;
227
228 tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
229 if (tmp == NULL)
230 break;
231 *cells = tmp;
232 (*cells)[ind] = strdup(cell);
233 if ((*cells)[ind] == NULL)
234 break;
235 ++ind;
236 }
237 }
238 fclose(f);
239 *idx = ind;
240 }
241
242 /*
243 * Get tokens for all cells[]
244 */
245 static int
246 afslog_cells(struct kafs_data *data, char **cells, int max, uid_t uid,
247 const char *homedir)
248 {
249 int ret = 0;
250 int i;
251 for (i = 0; i < max; i++) {
252 int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
253 if (er)
254 ret = er;
255 }
256 return ret;
257 }
258
259 int
260 _kafs_afslog_all_local_cells(struct kafs_data *data,
261 uid_t uid, const char *homedir)
262 {
263 int ret;
264 char **cells = NULL;
265 int idx = 0;
266
267 if (homedir == NULL)
268 homedir = getenv("HOME");
269 if (homedir != NULL) {
270 char home[MaxPathLen];
271 snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
272 find_cells(home, &cells, &idx);
273 }
274 find_cells(_PATH_THESECELLS, &cells, &idx);
275 find_cells(_PATH_THISCELL, &cells, &idx);
276 find_cells(_PATH_ARLA_THESECELLS, &cells, &idx);
277 find_cells(_PATH_ARLA_THISCELL, &cells, &idx);
278 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &idx);
279 find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &idx);
280 find_cells(_PATH_OPENAFS_MACOSX_THESECELLS, &cells, &idx);
281 find_cells(_PATH_OPENAFS_MACOSX_THISCELL, &cells, &idx);
282 find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &idx);
283 find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &idx);
284 find_cells(_PATH_ARLA_OPENBSD_THESECELLS, &cells, &idx);
285 find_cells(_PATH_ARLA_OPENBSD_THISCELL, &cells, &idx);
286
287 ret = afslog_cells(data, cells, idx, uid, homedir);
288 while(idx > 0)
289 free(cells[--idx]);
290 free(cells);
291 return ret;
292 }
293
294
295 static int
296 file_find_cell(struct kafs_data *data,
297 const char *cell, char **realm, int exact)
298 {
299 FILE *F;
300 char buf[1024];
301 char *p;
302 int ret = -1;
303
304 if ((F = fopen(_PATH_CELLSERVDB, "r"))
305 || (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))
306 || (F = fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB, "r"))
307 || (F = fopen(_PATH_OPENAFS_MACOSX_CELLSERVDB, "r"))
308 || (F = fopen(_PATH_ARLA_DEBIAN_CELLSERVDB, "r"))) {
309 while (fgets(buf, sizeof(buf), F)) {
310 int cmp;
311
312 if (buf[0] != '>')
313 continue; /* Not a cell name line, try next line */
314 p = buf;
315 strsep(&p, " \t\n#");
316
317 if (exact)
318 cmp = strcmp(buf + 1, cell);
319 else
320 cmp = strncmp(buf + 1, cell, strlen(cell));
321
322 if (cmp == 0) {
323 /*
324 * We found the cell name we're looking for.
325 * Read next line on the form ip-address '#' hostname
326 */
327 if (fgets(buf, sizeof(buf), F) == NULL)
328 break; /* Read failed, give up */
329 p = strchr(buf, '#');
330 if (p == NULL)
331 break; /* No '#', give up */
332 p++;
333 if (buf[strlen(buf) - 1] == '\n')
334 buf[strlen(buf) - 1] = '\0';
335 *realm = (*data->get_realm)(data, p);
336 if (*realm && **realm != '\0')
337 ret = 0;
338 break; /* Won't try any more */
339 }
340 }
341 fclose(F);
342 }
343 return ret;
344 }
345
346 /* Find the realm associated with cell. Do this by opening CellServDB
347 file and getting the realm-of-host for the first VL-server for the
348 cell.
349
350 This does not work when the VL-server is living in one realm, but
351 the cell it is serving is living in another realm.
352
353 Return 0 on success, -1 otherwise.
354 */
355
356 int
357 _kafs_realm_of_cell(struct kafs_data *data,
358 const char *cell, char **realm)
359 {
360 char buf[1024];
361 int ret;
362
363 ret = file_find_cell(data, cell, realm, 1);
364 if (ret == 0)
365 return ret;
366 if (dns_find_cell(cell, buf, sizeof(buf)) == 0) {
367 *realm = (*data->get_realm)(data, buf);
368 if(*realm != NULL)
369 return 0;
370 }
371 return file_find_cell(data, cell, realm, 0);
372 }
373
374 static int
375 _kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell,
376 const char *realm, uid_t uid, struct kafs_token *kt)
377 {
378 int ret;
379
380 ret = (*data->get_cred)(data, user, cell, realm, uid, kt);
381 if (kafs_verbose) {
382 char *str;
383 asprintf(&str, "%s tried afs%s%s@%s -> %d",
384 data->name, cell[0] == '\0' ? "" : "/",
385 cell, realm, ret);
386 (*kafs_verbose)(kafs_verbose_ctx, str);
387 free(str);
388 }
389
390 return ret;
391 }
392
393
394 int
395 _kafs_get_cred(struct kafs_data *data,
396 const char *cell,
397 const char *realm_hint,
398 const char *realm,
399 uid_t uid,
400 struct kafs_token *kt)
401 {
402 int ret = -1;
403 char *vl_realm;
404 char CELL[64];
405
406 /* We're about to find the realm that holds the key for afs in
407 * the specified cell. The problem is that null-instance
408 * afs-principals are common and that hitting the wrong realm might
409 * yield the wrong afs key. The following assumptions were made.
410 *
411 * Any realm passed to us is preferred.
412 *
413 * If there is a realm with the same name as the cell, it is most
414 * likely the correct realm to talk to.
415 *
416 * In most (maybe even all) cases the database servers of the cell
417 * will live in the realm we are looking for.
418 *
419 * Try the local realm, but if the previous cases fail, this is
420 * really a long shot.
421 *
422 */
423
424 /* comments on the ordering of these tests */
425
426 /* If the user passes a realm, she probably knows something we don't
427 * know and we should try afs@realm_hint.
428 */
429
430 if (realm_hint) {
431 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
432 cell, realm_hint, uid, kt);
433 if (ret == 0) return 0;
434 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
435 "", realm_hint, uid, kt);
436 if (ret == 0) return 0;
437 }
438
439 _kafs_foldup(CELL, cell);
440
441 /*
442 * If cell == realm we don't need no cross-cell authentication.
443 * Try afs@REALM.
444 */
445 if (strcmp(CELL, realm) == 0) {
446 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
447 "", realm, uid, kt);
448 if (ret == 0) return 0;
449 /* Try afs.cell@REALM below. */
450 }
451
452 /*
453 * If the AFS servers have a file /usr/afs/etc/krb.conf containing
454 * REALM we still don't have to resort to cross-cell authentication.
455 * Try afs.cell@REALM.
456 */
457 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
458 cell, realm, uid, kt);
459 if (ret == 0) return 0;
460
461 /*
462 * We failed to get ``first class tickets'' for afs,
463 * fall back to cross-cell authentication.
464 * Try afs@CELL.
465 * Try afs.cell@CELL.
466 */
467 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
468 "", CELL, uid, kt);
469 if (ret == 0) return 0;
470 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
471 cell, CELL, uid, kt);
472 if (ret == 0) return 0;
473
474 /*
475 * Perhaps the cell doesn't correspond to any realm?
476 * Use realm of first volume location DB server.
477 * Try afs.cell@VL_REALM.
478 * Try afs@VL_REALM???
479 */
480 if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
481 && strcmp(vl_realm, realm) != 0
482 && strcmp(vl_realm, CELL) != 0) {
483 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
484 cell, vl_realm, uid, kt);
485 if (ret)
486 ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
487 "", vl_realm, uid, kt);
488 free(vl_realm);
489 if (ret == 0) return 0;
490 }
491
492 return ret;
493 }
NetBSD on the FriendlyARM MINI2440