xref: /freebsd/crypto/heimdal/lib/kafs/afskrb5.c (revision e1c4c8dd8d2d10b6104f06856a77bd5b4813a801)
1 /*
2  * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kafs_locl.h"
35 
36 struct krb5_kafs_data {
37     krb5_context context;
38     krb5_ccache id;
39     krb5_const_realm realm;
40 };
41 
42 enum {
43     KAFS_RXKAD_2B_KVNO = 213,
44     KAFS_RXKAD_K5_KVNO = 256
45 };
46 
47 static int
48 v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
49 {
50     int kvno, ret;
51 
52     kt->ticket = NULL;
53 
54     /* check if des key */
55     if (cred->session.keyvalue.length != 8)
56 	return EINVAL;
57 
58     if (local524) {
59 	Ticket t;
60 	unsigned char *buf;
61 	size_t buf_len;
62 	size_t len;
63 
64 	kvno = KAFS_RXKAD_2B_KVNO;
65 
66 	ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
67 	if (ret)
68 	    return ret;
69 	if (t.tkt_vno != 5)
70 	    return -1;
71 
72 	ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_len, &t.enc_part,
73 			   &len, ret);
74 	free_Ticket(&t);
75 	if (ret)
76 	    return ret;
77 	if(buf_len != len) {
78 	    free(buf);
79 	    return KRB5KRB_ERR_GENERIC;
80 	}
81 
82 	kt->ticket = buf;
83 	kt->ticket_len = buf_len;
84 
85     } else {
86 	kvno = KAFS_RXKAD_K5_KVNO;
87 	kt->ticket = malloc(cred->ticket.length);
88 	if (kt->ticket == NULL)
89 	    return ENOMEM;
90 	kt->ticket_len = cred->ticket.length;
91 	memcpy(kt->ticket, cred->ticket.data, kt->ticket_len);
92     }
93 
94 
95     /*
96      * Build a struct ClearToken
97      */
98 
99     kt->ct.AuthHandle = kvno;
100     memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8);
101     kt->ct.ViceId = uid;
102     kt->ct.BeginTimestamp = cred->times.starttime;
103     kt->ct.EndTimestamp = cred->times.endtime;
104 
105     _kafs_fixup_viceid(&kt->ct, uid);
106 
107     return 0;
108 }
109 
110 static krb5_error_code
111 v5_convert(krb5_context context, krb5_ccache id,
112 	   krb5_creds *cred, uid_t uid,
113 	   const char *cell,
114 	   struct kafs_token *kt)
115 {
116     krb5_error_code ret;
117     char *c, *val;
118 
119     c = strdup(cell);
120     if (c == NULL)
121 	return ENOMEM;
122     _kafs_foldup(c, c);
123     krb5_appdefault_string (context, "libkafs",
124 			    c,
125 			    "afs-use-524", "2b", &val);
126     free(c);
127 
128     if (strcasecmp(val, "local") == 0 ||
129 	strcasecmp(val, "2b") == 0)
130 	ret = v5_to_kt(cred, uid, kt, 1);
131     else
132 	ret = v5_to_kt(cred, uid, kt, 0);
133 
134     free(val);
135     return ret;
136 }
137 
138 
139 /*
140  *
141  */
142 
143 static int
144 get_cred(struct kafs_data *data, const char *name, const char *inst,
145 	 const char *realm, uid_t uid, struct kafs_token *kt)
146 {
147     krb5_error_code ret;
148     krb5_creds in_creds, *out_creds;
149     struct krb5_kafs_data *d = data->data;
150     int invalid;
151 
152     memset(&in_creds, 0, sizeof(in_creds));
153 
154     ret = krb5_make_principal(d->context, &in_creds.server,
155 			      realm, name, inst, NULL);
156     if(ret)
157 	return ret;
158     ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
159     if(ret){
160 	krb5_free_principal(d->context, in_creds.server);
161 	return ret;
162     }
163 
164     in_creds.session.keytype = ETYPE_DES_CBC_CRC;
165 
166     /* check if des is disable, and in that case enable it for afs */
167     invalid = krb5_enctype_valid(d->context, in_creds.session.keytype);
168     if (invalid)
169 	krb5_enctype_enable(d->context, in_creds.session.keytype);
170 
171     ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
172     if (ret) {
173 	in_creds.session.keytype = ETYPE_DES_CBC_MD5;
174 	ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
175     }
176 
177     if (invalid)
178 	krb5_enctype_disable(d->context, in_creds.session.keytype);
179 
180     krb5_free_principal(d->context, in_creds.server);
181     krb5_free_principal(d->context, in_creds.client);
182     if(ret)
183 	return ret;
184 
185     ret = v5_convert(d->context, d->id, out_creds, uid,
186 		     (inst != NULL && inst[0] != '\0') ? inst : realm, kt);
187     krb5_free_creds(d->context, out_creds);
188 
189     return ret;
190 }
191 
192 static const char *
193 get_error(struct kafs_data *data, int error)
194 {
195     struct krb5_kafs_data *d = data->data;
196     return krb5_get_error_message(d->context, error);
197 }
198 
199 static void
200 free_error(struct kafs_data *data, const char *str)
201 {
202     struct krb5_kafs_data *d = data->data;
203     krb5_free_error_message(d->context, str);
204 }
205 
206 static krb5_error_code
207 afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
208 	       uid_t uid, const char *homedir)
209 {
210     krb5_error_code ret;
211     struct kafs_token kt;
212     krb5_principal princ;
213     const char *trealm; /* ticket realm */
214     struct krb5_kafs_data *d = data->data;
215 
216     if (cell == 0 || cell[0] == 0)
217 	return _kafs_afslog_all_local_cells (data, uid, homedir);
218 
219     ret = krb5_cc_get_principal (d->context, d->id, &princ);
220     if (ret)
221 	return ret;
222 
223     trealm = krb5_principal_get_realm (d->context, princ);
224 
225     kt.ticket = NULL;
226     ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt);
227     krb5_free_principal (d->context, princ);
228 
229     if(ret == 0) {
230 	ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
231 	free(kt.ticket);
232     }
233     return ret;
234 }
235 
236 static char *
237 get_realm(struct kafs_data *data, const char *host)
238 {
239     struct krb5_kafs_data *d = data->data;
240     krb5_realm *realms;
241     char *r;
242     if(krb5_get_host_realm(d->context, host, &realms))
243 	return NULL;
244     r = strdup(realms[0]);
245     krb5_free_host_realm(d->context, realms);
246     return r;
247 }
248 
249 krb5_error_code
250 krb5_afslog_uid_home(krb5_context context,
251 		     krb5_ccache id,
252 		     const char *cell,
253 		     krb5_const_realm realm,
254 		     uid_t uid,
255 		     const char *homedir)
256 {
257     struct kafs_data kd;
258     struct krb5_kafs_data d;
259     krb5_error_code ret;
260 
261     kd.name = "krb5";
262     kd.afslog_uid = afslog_uid_int;
263     kd.get_cred = get_cred;
264     kd.get_realm = get_realm;
265     kd.get_error = get_error;
266     kd.free_error = free_error;
267     kd.data = &d;
268     if (context == NULL) {
269 	ret = krb5_init_context(&d.context);
270 	if (ret)
271 	    return ret;
272     } else
273 	d.context = context;
274     if (id == NULL) {
275 	ret = krb5_cc_default(d.context, &d.id);
276 	if (ret)
277 	    goto out;
278     } else
279 	d.id = id;
280     d.realm = realm;
281     ret = afslog_uid_int(&kd, cell, 0, uid, homedir);
282     if (id == NULL)
283 	krb5_cc_close(context, d.id);
284  out:
285     if (context == NULL)
286 	krb5_free_context(d.context);
287     return ret;
288 }
289 
290 krb5_error_code
291 krb5_afslog_uid(krb5_context context,
292 		krb5_ccache id,
293 		const char *cell,
294 		krb5_const_realm realm,
295 		uid_t uid)
296 {
297     return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
298 }
299 
300 krb5_error_code
301 krb5_afslog(krb5_context context,
302 	    krb5_ccache id,
303 	    const char *cell,
304 	    krb5_const_realm realm)
305 {
306     return krb5_afslog_uid (context, id, cell, realm, getuid());
307 }
308 
309 krb5_error_code
310 krb5_afslog_home(krb5_context context,
311 		 krb5_ccache id,
312 		 const char *cell,
313 		 krb5_const_realm realm,
314 		 const char *homedir)
315 {
316     return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
317 }
318 
319 /*
320  *
321  */
322 
323 krb5_error_code
324 krb5_realm_of_cell(const char *cell, char **realm)
325 {
326     struct kafs_data kd;
327 
328     kd.name = "krb5";
329     kd.get_realm = get_realm;
330     kd.get_error = get_error;
331     kd.free_error = free_error;
332     return _kafs_realm_of_cell(&kd, cell, realm);
333 }
334 
335 /*
336  *
337  */
338 
339 int
340 kafs_settoken5(krb5_context context, const char *cell, uid_t uid,
341 	       krb5_creds *cred)
342 {
343     struct kafs_token kt;
344     int ret;
345 
346     ret = v5_convert(context, NULL, cred, uid, cell, &kt);
347     if (ret)
348 	return ret;
349 
350     ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
351 
352     free(kt.ticket);
353 
354     return ret;
355 }
356