X-Git-Url: http://git.openafs.org/?p=openafs.git;a=blobdiff_plain;f=src%2Fauth%2Fauthcon.c;h=aa29f79f90de6efe5dd2c6b30523dc8968b3d18d;hp=8976947ba7128ae23ee4118289f19924d8c274cc;hb=d0a2889098526aa148d99e042aa8c3f7855565f7;hpb=ea4812f03d498b6a838440fa3349e085fa5ea8b5
diff --git a/src/auth/authcon.c b/src/auth/authcon.c
index 8976947..aa29f79 100644
--- a/src/auth/authcon.c
+++ b/src/auth/authcon.c
@@ -19,6 +19,7 @@ #define HC_DEPRECATED #include
+#include #include #include
@@ -41,7 +42,6 @@ QuickAuth(struct rx_securityClass **astr, afs_int32 *aindex) return 0; }
-#if !defined(UKERNEL) static int _afsconf_GetRxkadKrb5Key(void *arock, int kvno, int enctype, void *outkey, size_t *keylen) {
@@ -90,7 +90,6 @@ afsconf_ServerAuth(void *arock, return 2; } }
-#endif /* !defined(UKERNEL) */ static afs_int32 GenericAuth(struct afsconf_dir *adir,
@@ -98,43 +97,74 @@ GenericAuth(struct afsconf_dir *adir, afs_int32 *aindex, rxkad_level enclevel) { - char tbuffer[256]; + int enctype_preflist[]={18, 17, 23, 16, 0}; + char tbuffer[512]; struct ktc_encryptionKey key, session; struct rx_securityClass *tclass; afs_int32 kvno; afs_int32 ticketLen; afs_int32 code; + int use_krb5=0; + struct afsconf_typedKey *kobj; + struct rx_opaque *keymat; + int *et; /* first, find the right key and kvno to use */ - code = afsconf_GetLatestKey(adir, &kvno, &key); - if (code) { - return QuickAuth(astr, aindex); + + et = enctype_preflist; + while(*et != 0) { + code = afsconf_GetLatestKeyByTypes(adir, afsconf_rxkad_krb5, *et, + &kobj); + if (code == 0) { + afsconf_keyType tktype; + int tenctype; + afsconf_typedKey_values(kobj, &tktype, &kvno, &tenctype, &keymat); + RAND_add(keymat->val, keymat->len, 0.0); + use_krb5 = 1; + break; + } + et++; } - /* next create random session key, using key for seed to good random */ - DES_init_random_number_generator((DES_cblock *) &key); + if (use_krb5 == 0) { + code = afsconf_GetLatestKey(adir, &kvno, &key); + if (code) { + return QuickAuth(astr, aindex); + } + /* next create random session key, using key for seed to good random */ + DES_init_random_number_generator((DES_cblock *) &key); + } code = DES_new_random_key((DES_cblock *) &session); if (code) { + if (use_krb5) + afsconf_typedKey_put(&kobj); return QuickAuth(astr, aindex); } - /* now create the actual ticket */ - ticketLen = sizeof(tbuffer); - memset(tbuffer, '\0', sizeof(tbuffer)); - code = - tkt_MakeTicket(tbuffer, &ticketLen, &key, AUTH_SUPERUSER, "", "", 0, - 0xffffffff, &session, 0, "afs", ""); - /* parms were buffer, ticketlen, key to seal ticket with, principal - * name, instance and cell, start time, end time, session key to seal - * in ticket, inet host, server name and server instance */ + if (use_krb5) { + ticketLen = sizeof(tbuffer); + memset(tbuffer, '\0', sizeof(tbuffer)); + code = + tkt_MakeTicket5(tbuffer, &ticketLen, *et, 
&kvno, keymat->val, + keymat->len, AUTH_SUPERUSER, "", "", 0, 0x7fffffff, + &session, "afs", "");
+ afsconf_typedKey_put(&kobj);
+ } else {
+ /* now create the actual ticket */
+ ticketLen = sizeof(tbuffer);
+ memset(tbuffer, '\0', sizeof(tbuffer));
+ code = + tkt_MakeTicket(tbuffer, &ticketLen, &key, AUTH_SUPERUSER, "", "", 0, + 0xffffffff, &session, 0, "afs", "");
+ /* parms were buffer, ticketlen, key to seal ticket with, principal + * name, instance and cell, start time, end time, session key to seal + * in ticket, inet host, server name and server instance */
+ } if (code) { return QuickAuth(astr, aindex); }
- /* Next, we have ticket, kvno and session key, authenticate the connection. - * We use a magic # instead of a constant because of basic compilation - * order when compiling the system from scratch (rx/rxkad.h isn't installed - * yet). */
+ /* Next, we have ticket, kvno and session key, authenticate the connection.*/ tclass = (struct rx_securityClass *) rxkad_NewClientSecurityObject(enclevel, &session, kvno, ticketLen, tbuffer);
@@ -263,7 +293,6 @@ afsconf_SetSecurityFlags(struct afsconf_dir *dir, * Build a set of security classes suitable for a server accepting * incoming connections */
-#if !defined(UKERNEL) void afsconf_BuildServerSecurityObjects(void *rock, struct rx_securityClass ***classes,
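Review bot: The new `int enctype_preflist[]={18, 17, 23, 16, 0};` in GenericAuth encodes the Kerberos enctype search order as bare numbers, so a reader cannot see without a lookup that the loop falls through to RC4-HMAC (23) and 3DES (16) when no AES key exists in the key file; add a comment such as `/* krb5 enctypes, strongest first: AES256-CTS (18), AES128-CTS (17), RC4-HMAC (23), 3DES (16); 0 terminates the list */`, or use the named enctype constants if the krb5/hcrypto headers this file includes provide them. The `RAND_add(keymat->val, keymat->len, 0.0);` call also needs a why-comment, because a zero entropy estimate is a deliberate choice (presumably so the long-lived cell key diversifies the pool without being credited as entropy, leaving `DES_new_random_key` to fail and fall back to QuickAuth if the pool is unseeded) — confirm that reading against the hcrypto RAND semantics before writing it. Worth stating next to the call as well: the session key passed to rxkad_NewClientSecurityObject still comes from `DES_new_random_key((DES_cblock *) &session)` on the krb5 path, so the stronger enctype protects the ticket only, not the wire traffic. GenericAuth's body continues past the end of this hunk.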
@@ -278,20 +307,17 @@ afsconf_BuildServerSecurityObjects(void *rock, *classes = calloc(*numClasses, sizeof(**classes)); - (*classes)[0] = rxnull_NewServerSecurityObject(); - (*classes)[1] = NULL; - (*classes)[2] = rxkad_NewKrb5ServerSecurityObject(0, dir, - afsconf_GetKey, - _afsconf_GetRxkadKrb5Key, - NULL); + (*classes)[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject(); + (*classes)[RX_SECIDX_VAB] = NULL; + (*classes)[RX_SECIDX_KAD] = + rxkad_NewKrb5ServerSecurityObject(0, dir, afsconf_GetKey, + _afsconf_GetRxkadKrb5Key, NULL); if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT) - (*classes)[3] = rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir, - afsconf_GetKey, - _afsconf_GetRxkadKrb5Key, - NULL); + (*classes)[RX_SECIDX_KAE] = + rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir, afsconf_GetKey, + _afsconf_GetRxkadKrb5Key, NULL); } -#endif /*! * Pick a security class to use for an outgoing connection
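Review bot: The rewritten stores `(*classes)[RX_SECIDX_NULL] = …` through `(*classes)[RX_SECIDX_KAE] = …` in afsconf_BuildServerSecurityObjects index into the array obtained from `*classes = calloc(*numClasses, sizeof(**classes));` without checking that calloc succeeded, so an allocation failure becomes a NULL-pointer write rather than a reported error; add `if (*classes == NULL) { *numClasses = 0; return; }` before the first store, or whatever failure signal the callers of this void function expect — they are not visible from here. Replacing the bare 0/1/2/3 with the RX_SECIDX_* names is an improvement, but the hunk does not show where `*numClasses` is computed, so a one-line comment at the calloc that the count must be at least RX_SECIDX_KAE + 1 (or an assertion, if the file already uses one) would document the coupling. The start of the function is outside the hunk.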