2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally they handle cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
16 #include "../afs/param.h"
18 #include <afs/param.h>
24 #include "../afs/sysincludes.h"
25 #include "../afs/afsincludes.h"
26 #include "../afs/stds.h"
27 #include "../rx/xdr.h"
28 #include "../afs/pthread_glock.h"
29 #include "../afs/lock.h"
30 #include "../afs/ubik.h"
31 #include "../afsint/kauth.h"
32 #include "../afs/kautils.h"
33 #include "../afs/auth.h"
34 #include "../afs/pthread_glock.h"
35 #else /* defined(UKERNEL) */
37 #include <sys/types.h>
39 #include <afs/pthread_glock.h>
43 #include <sys/socket.h>
44 #include <netinet/in.h>
46 /* netinet/in.h and cellconfig.h are needed together */
47 #include <afs/cellconfig.h>
48 /* these are needed together */
55 #endif /* defined(UKERNEL) */
/*
 * ka_GetAuthToken: authenticates name.instance in cell with the supplied key
 * by calling ka_Authenticate against KA_TICKET_GRANTING_SERVICE, then stores
 * the resulting token with ktc_SetToken under the KA_TGS_NAME principal.
 *
 * This listing is incomplete (see the gaps in the embedded line numbers): the
 * full parameter list, the error checks after each call and the return
 * statements are not visible here.
 */
58 afs_int32 ka_GetAuthToken (
62 struct ktc_encryptionKey *key,
67 struct ubik_client *conn;
/* time() is stored in an afs_int32. NOTE(review): now+lifetime below is a
 * signed addition; the type and range of lifetime are not visible here, so
 * confirm it cannot overflow. */
68 afs_int32 now = time(0);
/* Stack copy of the ticket written by ka_Authenticate. NOTE(review): no
 * scrubbing of this buffer is visible in the listed lines - confirm. */
69 struct ktc_token token;
70 char cellname[MAXKTCREALMLEN];
71 char realm[MAXKTCREALMLEN];
72 struct ktc_principal client, server;
/* cellname is the output buffer passed to ka_ExpandCell. Whether cell is
 * re-pointed at cellname afterwards is on a line this listing omits. */
75 code = ka_ExpandCell (cell, cellname, 0/*local*/);
82 /* get an unauthenticated connection to desired cell */
83 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* The ticket is requested for the interval [now, now+lifetime]. */
88 code = ka_Authenticate (name, instance, cell, conn,
89 KA_TICKET_GRANTING_SERVICE,
90 key, now, now+lifetime, &token, pwexpires);
95 code = ubik_ClientDestroy (conn);
101 code = ka_CellToRealm (cell, realm, 0/*local*/);
/* name and instance come from the caller and are copied with no length check
 * visible in this listing. The field sizes of struct ktc_principal are
 * declared elsewhere. NOTE(review): confirm both strings are bounded before
 * this point, or copy with an explicit size and reject truncation. */
106 strcpy (client.name, name);
107 strcpy (client.instance, instance);
/* strncpy leaves client.cell without a terminating NUL when
 * strlen(cell) >= sizeof(client.cell). */
108 strncpy (client.cell, cell, sizeof(client.cell));
109 strcpy (server.name, KA_TGS_NAME);
/* realm is a MAXKTCREALMLEN buffer; the size of server.instance is not
 * visible here. NOTE(review): confirm it is at least as large. */
110 strcpy (server.instance, realm);
/* Unbounded copy of the same cell string that was size-limited for
 * client.cell above; the two copies should use the same bounded form. */
111 strcpy (server.cell, cell);
/* Flags argument is 0, so AFS_SETTOK_SETPAG is not requested. */
112 code = ktc_SetToken (&server, &token, &client, 0);
/*
 * ka_GetServerToken: looks up a token for name.instance in cell with
 * ktc_GetToken. The remaining listed lines obtain one from the
 * ticket-granting service through ka_GetToken, using a TGS ticket from the
 * cache and, for the inter-cell case, a ticket obtained through the local
 * cell. The result is stored with ktc_SetToken.
 *
 * This listing is incomplete (see the gaps in the embedded line numbers): the
 * full parameter list, the bodies of the error branches and the return
 * statements are not visible here.
 */
117 afs_int32 ka_GetServerToken (
122 struct ktc_token *token,
127 struct ubik_client *conn;
/* time() is stored in an afs_int32. NOTE(review): now+lifetime below is a
 * signed addition; the type and range of lifetime are not visible here. */
128 afs_int32 now = time(0);
/* Stack copies of tickets. NOTE(review): no scrubbing of these buffers is
 * visible in the listed lines - confirm. */
129 struct ktc_token auth_token;
130 struct ktc_token cell_token;
131 struct ktc_principal server, auth_server, client;
/* NOTE(review): no NULL check on localCell is visible in the listed lines,
 * and it is passed to strcpy further down - confirm. */
132 char *localCell = ka_LocalCell();
133 char cellname[MAXKTCREALMLEN];
134 char realm[MAXKTCREALMLEN];
135 char authDomain[MAXKTCREALMLEN];
139 code = ka_ExpandCell (cell, cellname, 0/*local*/);
/* name and instance come from the caller and are copied with no length check
 * visible in this listing. The field sizes of struct ktc_principal are
 * declared elsewhere. NOTE(review): confirm both are bounded beforehand. */
146 strcpy (server.name, name);
147 strcpy (server.instance, instance);
/* lcstring is given sizeof the destination; its truncation and termination
 * behaviour is defined elsewhere (presumably it lower-cases - confirm). */
148 lcstring (server.cell, cell, sizeof(server.cell));
/* Cache lookup for the requested server principal. &client is passed as an
 * output argument and client.name / client.instance are reused below. */
150 code = ktc_GetToken (&server, token, sizeof(struct ktc_token), &client);
/* local is written here and tested in the fallback condition below. */
157 code = ka_CellToRealm (cell, realm, &local);
163 /* get TGS ticket for proper realm */
164 strcpy (auth_server.name, KA_TGS_NAME);
/* The size of auth_server.instance is not visible here; the same field is
 * filled through the size-bounded ucstring call further down. */
165 strcpy (auth_server.instance, realm);
166 lcstring (auth_server.cell, realm, sizeof(auth_server.cell));
/* Both buffers are char[MAXKTCREALMLEN], so this fits as long as realm is
 * NUL-terminated. */
167 strcpy (authDomain, realm);
168 code = ktc_GetToken (&auth_server, &auth_token, sizeof(auth_token), &client);
169 if (code && !local) { /* try for remotely authenticated ticket */
/* Unbounded copy into a field that the lcstring calls bound with sizeof. */
170 strcpy (auth_server.cell, localCell);
171 strcpy (authDomain, "");
172 code = ktc_GetToken (&auth_server, &auth_token, sizeof(auth_token), &client);
180 /* here we invoke the inter-cell mechanism */
182 /* get local auth ticket */
183 ucstring (auth_server.instance, localCell, sizeof(auth_server.instance));
/* Unbounded copy of localCell; see the note on line 170. */
184 strcpy (auth_server.cell, localCell);
185 code = ktc_GetToken (&auth_server, &cell_token, sizeof(cell_token), &client);
190 /* get a connection to the local cell */
/* Assignment inside the condition: the value stored in code is what is
 * tested. The same form is used for the calls that follow. */
191 if (code = ka_AuthServerConn (localCell, KA_TICKET_GRANTING_SERVICE, 0, &conn)) {
195 /* get foreign auth ticket */
/* The remaining arguments of this call are on a line the listing omits. */
196 if (code = ka_GetToken (KA_TGS_NAME, realm, localCell, client.name,
197 client.instance, conn, now, now+lifetime,
198 &cell_token, "" /* local auth domain */,
203 code = ubik_ClientDestroy (conn);
210 /* save foreign auth ticket */
211 strcpy (auth_server.instance, realm);
212 lcstring (auth_server.cell, localCell, sizeof(auth_server.cell));
213 ucstring (authDomain, localCell, sizeof(authDomain));
/* Flags argument is 0, so AFS_SETTOK_SETPAG is not requested for the
 * intermediate ticket. */
214 if (code = ktc_SetToken (&auth_server, &auth_token, &client, 0)) {
220 if (code = ka_AuthServerConn (cell, KA_TICKET_GRANTING_SERVICE, 0, &conn)) {
/* Requests the ticket for name.instance, presenting auth_token together with
 * the authDomain chosen above; the result is written to the caller's token. */
224 if (code = ka_GetToken (name, instance, cell, client.name,
225 client.instance, conn, now, now+lifetime,
226 &auth_token, authDomain, token)) {
230 code = ubik_ClientDestroy (conn);
/* AFS_SETTOK_SETPAG is passed only when the caller set dosetpag. */
236 if (code = ktc_SetToken (&server, token, &client,
237 dosetpag ? AFS_SETTOK_SETPAG : 0)) {
/*
 * ka_GetAdminToken: looks up a token for the KA_ADMIN_NAME.KA_ADMIN_INST
 * principal in cell with ktc_GetToken. The later listed lines authenticate
 * name.instance with key against KA_MAINTENANCE_SERVICE and store the result
 * with ktc_SetToken.
 *
 * This listing is incomplete (see the gaps in the embedded line numbers): the
 * full parameter list, the bodies of the branches and the return statements
 * are not visible here.
 */
245 afs_int32 ka_GetAdminToken (
249 struct ktc_encryptionKey *key,
251 struct ktc_token *token,
255 struct ubik_client *conn;
/* time() is stored in an afs_int32. NOTE(review): now+lifetime below is a
 * signed addition; the type and range of lifetime are not visible here. */
256 afs_int32 now = time(0);
257 struct ktc_principal server, client;
/* Receives the admin ticket when the caller passes token == 0.
 * NOTE(review): no scrubbing of this stack buffer is visible in the listed
 * lines - confirm. */
258 struct ktc_token localToken;
259 char cellname[MAXKTCREALMLEN];
262 code = ka_ExpandCell (cell, cellname, 0/*local*/);
269 if (token == 0) token = &localToken; /* in case caller doesn't want token */
271 strcpy (server.name, KA_ADMIN_NAME);
272 strcpy (server.instance, KA_ADMIN_INST);
/* strncpy leaves server.cell without a terminating NUL when
 * strlen(cell) >= sizeof(server.cell). */
273 strncpy (server.cell, cell, sizeof(server.cell));
275 code = ktc_GetToken (&server,
276 token, sizeof(struct ktc_token), &client);
/* name and key are tested for 0 here; instance is not part of this test. */
283 if ((name == 0) || (key == 0)) {
284 /* just lookup in cache don't get new one */
289 /* get an unauthenticated connection to desired cell */
290 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* The final argument is 0 here; the other ka_Authenticate calls in this file
 * pass a pwexpires pointer in that position. */
295 code = ka_Authenticate (name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
296 key, now, now+lifetime, token, 0);
/* The result of ubik_ClientDestroy is deliberately discarded, so code still
 * holds the ka_Authenticate result. */
297 (void) ubik_ClientDestroy (conn);
/* name and instance come from the caller and are copied with no length check
 * visible in this listing. The field sizes of struct ktc_principal are
 * declared elsewhere. NOTE(review): confirm both are bounded beforehand, and
 * that instance cannot be 0 here. */
303 strcpy (client.name, name);
304 strcpy (client.instance, instance);
/* Same termination caveat as the strncpy into server.cell above. */
305 strncpy (client.cell, cell, sizeof(client.cell));
/* Flags argument is 0, so AFS_SETTOK_SETPAG is not requested. */
306 code = ktc_SetToken (&server, token, &client, 0);
/*
 * ka_VerifyUserToken: authenticates name.instance in cell with the supplied
 * key by calling ka_Authenticate against KA_TICKET_GRANTING_SERVICE. No
 * ktc_SetToken call appears in the listed lines, so the ticket looks to be
 * used only to confirm that the key authenticates (confirm against the full
 * file).
 *
 * This listing is incomplete (see the gaps in the embedded line numbers): the
 * full parameter list, the error checks and the return statements are not
 * visible here.
 */
312 afs_int32 ka_VerifyUserToken(
316 struct ktc_encryptionKey *key)
319 struct ubik_client *conn;
/* time() is stored in an afs_int32 and then added to MAXKTCTICKETLIFETIME. */
320 afs_int32 now = time(0);
/* Stack copy of the ticket written by ka_Authenticate. NOTE(review): no
 * scrubbing of this buffer is visible in the listed lines - confirm. */
321 struct ktc_token token;
322 char cellname[MAXKTCREALMLEN];
/* realm, client and server are not referenced in the listed lines. */
323 char realm[MAXKTCREALMLEN];
324 struct ktc_principal client, server;
328 code = ka_ExpandCell (cell, cellname, 0/*local*/);
336 /* get an unauthenticated connection to desired cell */
337 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* The requested lifetime is the constant MAXKTCTICKETLIFETIME, not a
 * caller-supplied value. pwexpires is declared on a line not shown. */
343 code = ka_Authenticate (name, instance, cell, conn,
344 KA_TICKET_GRANTING_SERVICE,
345 key, now, now+MAXKTCTICKETLIFETIME, &token, &pwexpires);
350 code = ubik_ClientDestroy (conn);