1 /* 2 * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kafs_locl.h" 35 36 RCSID("$Id: common.c,v 1.19 1999/12/02 16:58:40 joda Exp $"); 37 38 #define AUTH_SUPERUSER "afs" 39 40 /* 41 * Here only ASCII characters are relevant. 42 */ 43 44 #define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z') 45 46 #define ToAsciiUpper(c) ((c) - 'a' + 'A') 47 48 static void 49 foldup(char *a, const char *b) 50 { 51 for (; *b; a++, b++) 52 if (IsAsciiLower(*b)) 53 *a = ToAsciiUpper(*b); 54 else 55 *a = *b; 56 *a = '\0'; 57 } 58 59 int 60 kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c) 61 { 62 struct ViceIoctl parms; 63 struct ClearToken ct; 64 int32_t sizeof_x; 65 char buf[2048], *t; 66 int ret; 67 68 /* 69 * Build a struct ClearToken 70 */ 71 ct.AuthHandle = c->kvno; 72 memcpy (ct.HandShakeKey, c->session, sizeof(c->session)); 73 ct.ViceId = uid; 74 ct.BeginTimestamp = c->issue_date; 75 ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime); 76 if(ct.EndTimestamp < time(NULL)) 77 return 0; /* don't store tokens that has expired (and possibly 78 overwriting valid tokens)*/ 79 80 #define ODD(x) ((x) & 1) 81 /* According to Transarc conventions ViceId is valid iff 82 * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime 83 * the transformations: 84 * 85 * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life) 86 * preserves the original values. 87 */ 88 if (uid != 0) /* valid ViceId */ 89 { 90 if (!ODD(ct.EndTimestamp - ct.BeginTimestamp)) 91 ct.EndTimestamp--; 92 } 93 else /* not valid ViceId */ 94 { 95 if (ODD(ct.EndTimestamp - ct.BeginTimestamp)) 96 ct.EndTimestamp--; 97 } 98 99 t = buf; 100 /* 101 * length of secret token followed by secret token 102 */ 103 sizeof_x = c->ticket_st.length; 104 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 105 t += sizeof(sizeof_x); 106 memcpy(t, c->ticket_st.dat, sizeof_x); 107 t += sizeof_x; 108 /* 109 * length of clear token followed by clear token 110 */ 111 sizeof_x = sizeof(ct); 112 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 113 t += sizeof(sizeof_x); 114 memcpy(t, &ct, sizeof_x); 115 t += sizeof_x; 116 117 /* 118 * do *not* mark as primary cell 119 */ 120 sizeof_x = 0; 121 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 122 t += sizeof(sizeof_x); 123 /* 124 * follow with cell name 125 */ 126 sizeof_x = strlen(cell) + 1; 127 memcpy(t, cell, sizeof_x); 128 t += sizeof_x; 129 130 /* 131 * Build argument block 132 */ 133 parms.in = buf; 134 parms.in_size = t - buf; 135 parms.out = 0; 136 parms.out_size = 0; 137 ret = k_pioctl(0, VIOCSETTOK, &parms, 0); 138 return ret; 139 } 140 141 /* Try to get a db-server for an AFS cell from a AFSDB record */ 142 143 static int 144 dns_find_cell(const char *cell, char *dbserver, size_t len) 145 { 146 struct dns_reply *r; 147 int ok = -1; 148 r = dns_lookup(cell, "afsdb"); 149 if(r){ 150 struct resource_record *rr = r->head; 151 while(rr){ 152 if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){ 153 strlcpy(dbserver, 154 rr->u.afsdb->domain, 155 len); 156 ok = 0; 157 break; 158 } 159 rr = rr->next; 160 } 161 dns_free_data(r); 162 } 163 return ok; 164 } 165 166 167 /* 168 * Try to find the cells we should try to klog to in "file". 169 */ 170 static void 171 find_cells(char *file, char ***cells, int *index) 172 { 173 FILE *f; 174 char cell[64]; 175 int i; 176 int ind = *index; 177 178 f = fopen(file, "r"); 179 if (f == NULL) 180 return; 181 while (fgets(cell, sizeof(cell), f)) { 182 char *t; 183 t = cell + strlen(cell); 184 for (; t >= cell; t--) 185 if (*t == '\n' || *t == '\t' || *t == ' ') 186 *t = 0; 187 if (cell[0] == '\0' || cell[0] == '#') 188 continue; 189 for(i = 0; i < ind; i++) 190 if(strcmp((*cells)[i], cell) == 0) 191 break; 192 if(i == ind){ 193 char **tmp; 194 195 tmp = realloc(*cells, (ind + 1) * sizeof(**cells)); 196 if (tmp == NULL) 197 break; 198 *cells = tmp; 199 (*cells)[ind] = strdup(cell); 200 if ((*cells)[ind] == NULL) 201 break; 202 ++ind; 203 } 204 } 205 fclose(f); 206 *index = ind; 207 } 208 209 /* 210 * Get tokens for all cells[] 211 */ 212 static int 213 afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, 214 const char *homedir) 215 { 216 int ret = 0; 217 int i; 218 for (i = 0; i < max; i++) { 219 int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir); 220 if (er) 221 ret = er; 222 } 223 return ret; 224 } 225 226 int 227 _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) 228 { 229 int ret; 230 char **cells = NULL; 231 int index = 0; 232 233 if (homedir == NULL) 234 homedir = getenv("HOME"); 235 if (homedir != NULL) { 236 char home[MaxPathLen]; 237 snprintf(home, sizeof(home), "%s/.TheseCells", homedir); 238 find_cells(home, &cells, &index); 239 } 240 find_cells(_PATH_THESECELLS, &cells, &index); 241 find_cells(_PATH_THISCELL, &cells, &index); 242 find_cells(_PATH_ARLA_THESECELLS, &cells, &index); 243 find_cells(_PATH_ARLA_THISCELL, &cells, &index); 244 245 ret = afslog_cells(data, cells, index, uid, homedir); 246 while(index > 0) 247 free(cells[--index]); 248 free(cells); 249 return ret; 250 } 251 252 253 /* Find the realm associated with cell. Do this by opening 254 /usr/vice/etc/CellServDB and getting the realm-of-host for the 255 first VL-server for the cell. 256 257 This does not work when the VL-server is living in one realm, but 258 the cell it is serving is living in another realm. 259 260 Return 0 on success, -1 otherwise. 261 */ 262 263 int 264 _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) 265 { 266 FILE *F; 267 char buf[1024]; 268 char *p; 269 int ret = -1; 270 271 if ((F = fopen(_PATH_CELLSERVDB, "r")) 272 || (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))) { 273 while (fgets(buf, sizeof(buf), F)) { 274 if (buf[0] != '>') 275 continue; /* Not a cell name line, try next line */ 276 if (strncmp(buf + 1, cell, strlen(cell)) == 0) { 277 /* 278 * We found the cell name we're looking for. 279 * Read next line on the form ip-address '#' hostname 280 */ 281 if (fgets(buf, sizeof(buf), F) == NULL) 282 break; /* Read failed, give up */ 283 p = strchr(buf, '#'); 284 if (p == NULL) 285 break; /* No '#', give up */ 286 p++; 287 if (buf[strlen(buf) - 1] == '\n') 288 buf[strlen(buf) - 1] = '\0'; 289 *realm = (*data->get_realm)(data, p); 290 if (*realm && **realm != '\0') 291 ret = 0; 292 break; /* Won't try any more */ 293 } 294 } 295 fclose(F); 296 } 297 if (*realm == NULL && dns_find_cell(cell, buf, sizeof(buf)) == 0) { 298 *realm = strdup(krb_realmofhost(buf)); 299 if(*realm != NULL) 300 ret = 0; 301 } 302 return ret; 303 } 304 305 int 306 _kafs_get_cred(kafs_data *data, 307 const char *cell, 308 const char *realm_hint, 309 const char *realm, 310 CREDENTIALS *c) 311 { 312 int ret = -1; 313 char *vl_realm; 314 char CELL[64]; 315 316 /* We're about to find the the realm that holds the key for afs in 317 * the specified cell. The problem is that null-instance 318 * afs-principals are common and that hitting the wrong realm might 319 * yield the wrong afs key. The following assumptions were made. 320 * 321 * Any realm passed to us is preferred. 322 * 323 * If there is a realm with the same name as the cell, it is most 324 * likely the correct realm to talk to. 325 * 326 * In most (maybe even all) cases the database servers of the cell 327 * will live in the realm we are looking for. 328 * 329 * Try the local realm, but if the previous cases fail, this is 330 * really a long shot. 331 * 332 */ 333 334 /* comments on the ordering of these tests */ 335 336 /* If the user passes a realm, she probably knows something we don't 337 * know and we should try afs@realm_hint (otherwise we're talking with a 338 * blondino and she might as well have it.) 339 */ 340 341 if (realm_hint) { 342 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c); 343 if (ret == 0) return 0; 344 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c); 345 if (ret == 0) return 0; 346 } 347 348 foldup(CELL, cell); 349 350 /* 351 * If cell == realm we don't need no cross-cell authentication. 352 * Try afs@REALM. 353 */ 354 if (strcmp(CELL, realm) == 0) { 355 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c); 356 if (ret == 0) return 0; 357 /* Try afs.cell@REALM below. */ 358 } 359 360 /* 361 * If the AFS servers have a file /usr/afs/etc/krb.conf containing 362 * REALM we still don't have to resort to cross-cell authentication. 363 * Try afs.cell@REALM. 364 */ 365 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c); 366 if (ret == 0) return 0; 367 368 /* 369 * We failed to get ``first class tickets'' for afs, 370 * fall back to cross-cell authentication. 371 * Try afs@CELL. 372 * Try afs.cell@CELL. 373 */ 374 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); 375 if (ret == 0) return 0; 376 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c); 377 if (ret == 0) return 0; 378 379 /* 380 * Perhaps the cell doesn't correspond to any realm? 381 * Use realm of first volume location DB server. 382 * Try afs.cell@VL_REALM. 383 * Try afs@VL_REALM??? 384 */ 385 if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0 386 && strcmp(vl_realm, realm) != 0 387 && strcmp(vl_realm, CELL) != 0) { 388 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c); 389 if (ret) 390 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c); 391 free(vl_realm); 392 if (ret == 0) return 0; 393 } 394 395 return ret; 396 } 397