1 /* 2 * Copyright (c) 1997 - 2001 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kafs_locl.h" 35 36 RCSID("$Id: common.c,v 1.22 2001/09/10 16:08:17 assar Exp $"); 37 38 #define AUTH_SUPERUSER "afs" 39 40 /* 41 * Here only ASCII characters are relevant. 42 */ 43 44 #define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z') 45 46 #define ToAsciiUpper(c) ((c) - 'a' + 'A') 47 48 static void 49 foldup(char *a, const char *b) 50 { 51 for (; *b; a++, b++) 52 if (IsAsciiLower(*b)) 53 *a = ToAsciiUpper(*b); 54 else 55 *a = *b; 56 *a = '\0'; 57 } 58 59 int 60 kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c) 61 { 62 struct ViceIoctl parms; 63 struct ClearToken ct; 64 int32_t sizeof_x; 65 char buf[2048], *t; 66 int ret; 67 68 /* 69 * Build a struct ClearToken 70 */ 71 ct.AuthHandle = c->kvno; 72 memcpy (ct.HandShakeKey, c->session, sizeof(c->session)); 73 ct.ViceId = uid; 74 ct.BeginTimestamp = c->issue_date; 75 ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime); 76 if(ct.EndTimestamp < time(NULL)) 77 return 0; /* don't store tokens that has expired (and possibly 78 overwriting valid tokens)*/ 79 80 #define ODD(x) ((x) & 1) 81 /* According to Transarc conventions ViceId is valid iff 82 * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime 83 * the transformations: 84 * 85 * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life) 86 * preserves the original values. 87 */ 88 if (uid != 0) /* valid ViceId */ 89 { 90 if (!ODD(ct.EndTimestamp - ct.BeginTimestamp)) 91 ct.EndTimestamp--; 92 } 93 else /* not valid ViceId */ 94 { 95 if (ODD(ct.EndTimestamp - ct.BeginTimestamp)) 96 ct.EndTimestamp--; 97 } 98 99 t = buf; 100 /* 101 * length of secret token followed by secret token 102 */ 103 sizeof_x = c->ticket_st.length; 104 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 105 t += sizeof(sizeof_x); 106 memcpy(t, c->ticket_st.dat, sizeof_x); 107 t += sizeof_x; 108 /* 109 * length of clear token followed by clear token 110 */ 111 sizeof_x = sizeof(ct); 112 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 113 t += sizeof(sizeof_x); 114 memcpy(t, &ct, sizeof_x); 115 t += sizeof_x; 116 117 /* 118 * do *not* mark as primary cell 119 */ 120 sizeof_x = 0; 121 memcpy(t, &sizeof_x, sizeof(sizeof_x)); 122 t += sizeof(sizeof_x); 123 /* 124 * follow with cell name 125 */ 126 sizeof_x = strlen(cell) + 1; 127 memcpy(t, cell, sizeof_x); 128 t += sizeof_x; 129 130 /* 131 * Build argument block 132 */ 133 parms.in = buf; 134 parms.in_size = t - buf; 135 parms.out = 0; 136 parms.out_size = 0; 137 ret = k_pioctl(0, VIOCSETTOK, &parms, 0); 138 return ret; 139 } 140 141 /* Try to get a db-server for an AFS cell from a AFSDB record */ 142 143 static int 144 dns_find_cell(const char *cell, char *dbserver, size_t len) 145 { 146 struct dns_reply *r; 147 int ok = -1; 148 r = dns_lookup(cell, "afsdb"); 149 if(r){ 150 struct resource_record *rr = r->head; 151 while(rr){ 152 if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){ 153 strlcpy(dbserver, 154 rr->u.afsdb->domain, 155 len); 156 ok = 0; 157 break; 158 } 159 rr = rr->next; 160 } 161 dns_free_data(r); 162 } 163 return ok; 164 } 165 166 167 /* 168 * Try to find the cells we should try to klog to in "file". 169 */ 170 static void 171 find_cells(char *file, char ***cells, int *index) 172 { 173 FILE *f; 174 char cell[64]; 175 int i; 176 int ind = *index; 177 178 f = fopen(file, "r"); 179 if (f == NULL) 180 return; 181 while (fgets(cell, sizeof(cell), f)) { 182 char *t; 183 t = cell + strlen(cell); 184 for (; t >= cell; t--) 185 if (*t == '\n' || *t == '\t' || *t == ' ') 186 *t = 0; 187 if (cell[0] == '\0' || cell[0] == '#') 188 continue; 189 for(i = 0; i < ind; i++) 190 if(strcmp((*cells)[i], cell) == 0) 191 break; 192 if(i == ind){ 193 char **tmp; 194 195 tmp = realloc(*cells, (ind + 1) * sizeof(**cells)); 196 if (tmp == NULL) 197 break; 198 *cells = tmp; 199 (*cells)[ind] = strdup(cell); 200 if ((*cells)[ind] == NULL) 201 break; 202 ++ind; 203 } 204 } 205 fclose(f); 206 *index = ind; 207 } 208 209 /* 210 * Get tokens for all cells[] 211 */ 212 static int 213 afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, 214 const char *homedir) 215 { 216 int ret = 0; 217 int i; 218 for (i = 0; i < max; i++) { 219 int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir); 220 if (er) 221 ret = er; 222 } 223 return ret; 224 } 225 226 int 227 _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) 228 { 229 int ret; 230 char **cells = NULL; 231 int index = 0; 232 233 if (homedir == NULL) 234 homedir = getenv("HOME"); 235 if (homedir != NULL) { 236 char home[MaxPathLen]; 237 snprintf(home, sizeof(home), "%s/.TheseCells", homedir); 238 find_cells(home, &cells, &index); 239 } 240 find_cells(_PATH_THESECELLS, &cells, &index); 241 find_cells(_PATH_THISCELL, &cells, &index); 242 find_cells(_PATH_ARLA_THESECELLS, &cells, &index); 243 find_cells(_PATH_ARLA_THISCELL, &cells, &index); 244 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &index); 245 find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &index); 246 find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &index); 247 find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &index); 248 249 ret = afslog_cells(data, cells, index, uid, homedir); 250 while(index > 0) 251 free(cells[--index]); 252 free(cells); 253 return ret; 254 } 255 256 257 static int 258 file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) 259 { 260 FILE *F; 261 char buf[1024]; 262 char *p; 263 int ret = -1; 264 265 if ((F = fopen(_PATH_CELLSERVDB, "r")) 266 || (F = fopen(_PATH_ARLA_CELLSERVDB, "r")) 267 || (F = fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB, "r")) 268 || (F = fopen(_PATH_ARLA_DEBIAN_CELLSERVDB, "r"))) { 269 while (fgets(buf, sizeof(buf), F)) { 270 int cmp; 271 272 if (buf[0] != '>') 273 continue; /* Not a cell name line, try next line */ 274 p = buf; 275 strsep(&p, " \t\n#"); 276 277 if (exact) 278 cmp = strcmp(buf + 1, cell); 279 else 280 cmp = strncmp(buf + 1, cell, strlen(cell)); 281 282 if (cmp == 0) { 283 /* 284 * We found the cell name we're looking for. 285 * Read next line on the form ip-address '#' hostname 286 */ 287 if (fgets(buf, sizeof(buf), F) == NULL) 288 break; /* Read failed, give up */ 289 p = strchr(buf, '#'); 290 if (p == NULL) 291 break; /* No '#', give up */ 292 p++; 293 if (buf[strlen(buf) - 1] == '\n') 294 buf[strlen(buf) - 1] = '\0'; 295 *realm = (*data->get_realm)(data, p); 296 if (*realm && **realm != '\0') 297 ret = 0; 298 break; /* Won't try any more */ 299 } 300 } 301 fclose(F); 302 } 303 return ret; 304 } 305 306 /* Find the realm associated with cell. Do this by opening 307 /usr/vice/etc/CellServDB and getting the realm-of-host for the 308 first VL-server for the cell. 309 310 This does not work when the VL-server is living in one realm, but 311 the cell it is serving is living in another realm. 312 313 Return 0 on success, -1 otherwise. 314 */ 315 316 int 317 _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) 318 { 319 char buf[1024]; 320 int ret; 321 322 ret = file_find_cell(data, cell, realm, 1); 323 if (ret == 0) 324 return ret; 325 if (dns_find_cell(cell, buf, sizeof(buf)) == 0) { 326 *realm = (*data->get_realm)(data, buf); 327 if(*realm != NULL) 328 return 0; 329 } 330 return file_find_cell(data, cell, realm, 0); 331 } 332 333 int 334 _kafs_get_cred(kafs_data *data, 335 const char *cell, 336 const char *realm_hint, 337 const char *realm, 338 CREDENTIALS *c) 339 { 340 int ret = -1; 341 char *vl_realm; 342 char CELL[64]; 343 344 /* We're about to find the the realm that holds the key for afs in 345 * the specified cell. The problem is that null-instance 346 * afs-principals are common and that hitting the wrong realm might 347 * yield the wrong afs key. The following assumptions were made. 348 * 349 * Any realm passed to us is preferred. 350 * 351 * If there is a realm with the same name as the cell, it is most 352 * likely the correct realm to talk to. 353 * 354 * In most (maybe even all) cases the database servers of the cell 355 * will live in the realm we are looking for. 356 * 357 * Try the local realm, but if the previous cases fail, this is 358 * really a long shot. 359 * 360 */ 361 362 /* comments on the ordering of these tests */ 363 364 /* If the user passes a realm, she probably knows something we don't 365 * know and we should try afs@realm_hint (otherwise we're talking with a 366 * blondino and she might as well have it.) 367 */ 368 369 if (realm_hint) { 370 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c); 371 if (ret == 0) return 0; 372 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c); 373 if (ret == 0) return 0; 374 } 375 376 foldup(CELL, cell); 377 378 /* 379 * If cell == realm we don't need no cross-cell authentication. 380 * Try afs@REALM. 381 */ 382 if (strcmp(CELL, realm) == 0) { 383 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c); 384 if (ret == 0) return 0; 385 /* Try afs.cell@REALM below. */ 386 } 387 388 /* 389 * If the AFS servers have a file /usr/afs/etc/krb.conf containing 390 * REALM we still don't have to resort to cross-cell authentication. 391 * Try afs.cell@REALM. 392 */ 393 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c); 394 if (ret == 0) return 0; 395 396 /* 397 * We failed to get ``first class tickets'' for afs, 398 * fall back to cross-cell authentication. 399 * Try afs@CELL. 400 * Try afs.cell@CELL. 401 */ 402 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); 403 if (ret == 0) return 0; 404 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c); 405 if (ret == 0) return 0; 406 407 /* 408 * Perhaps the cell doesn't correspond to any realm? 409 * Use realm of first volume location DB server. 410 * Try afs.cell@VL_REALM. 411 * Try afs@VL_REALM??? 412 */ 413 if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0 414 && strcmp(vl_realm, realm) != 0 415 && strcmp(vl_realm, CELL) != 0) { 416 ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c); 417 if (ret) 418 ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c); 419 free(vl_realm); 420 if (ret == 0) return 0; 421 } 422 423 return ret; 424 } 425