2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally they handle cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
15 #include <afs/param.h>
20 # include "afsincludes.h"
24 #include <sys/types.h>
26 #include <afs/pthread_glock.h>
30 #include <sys/socket.h>
31 #include <netinet/in.h>
34 /* netinet/in.h and cellconfig.h are needed together */
35 #include <afs/cellconfig.h>
36 /* these are needed together */
/* ka_GetAuthToken: obtain a ticket-granting ("auth") token for the
 * principal name.instance in cell by authenticating with key over an
 * unauthenticated connection to that cell's authentication service, then
 * record it in the kernel token cache under server KA_TGS_NAME.realm for
 * client name.instance.  The lifetime requested is the window
 * [now, now + lifetime] in seconds.  The result variable ("code"), the
 * function's return statements and its error-exit paths are not among the
 * lines shown in this listing.  pwexpires presumably receives the
 * password-expiry value reported by ka_Authenticate — that argument line
 * is not visible here, so confirm against the full source. */
46 ka_GetAuthToken(char *name, char *instance, char *cell,
47 struct ktc_encryptionKey * key, afs_int32 lifetime,
48 afs_int32 * pwexpires)
51 struct ubik_client *conn;
52 afs_int32 now = time(0); /* time_t narrowed to 32-bit afs_int32; token start time */
53 struct ktc_token token;
54 char cellname[MAXKTCREALMLEN];
55 char realm[MAXKTCREALMLEN];
56 struct ktc_principal client, server;
/* Expand cell to its full name into cellname; the check on code is not shown. */
59 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
66 /* get an unauthenticated connection to desired cell */
67 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate with the caller's key and request a TGS ticket valid from
 * now to now + lifetime.  No check that lifetime is non-negative or that
 * the signed 32-bit addition cannot overflow is visible; the trailing
 * arguments (output token, pwexpires) and the result check are on lines
 * not shown. */
73 ka_Authenticate(name, instance, cell, conn,
74 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
/* Tear down the connection; its failure is reported through code. */
80 code = ubik_ClientDestroy(conn);
/* Map the cell to its realm name, used as the TGS server instance. */
86 code = ka_CellToRealm(cell, realm, 0 /*local */ );
/* Build the client and server principals for the cache entry.  name and
 * instance are copied into fixed-size ktc_principal fields with unbounded
 * strcpy; no length validation of them is visible in this function.
 * client.cell is bounded with strncpy (which leaves the field without a
 * NUL terminator when cell exactly fills it), while server.cell below
 * copies the same string with plain strcpy — the two copies of one value
 * are bounded inconsistently. */
91 strcpy(client.name, name);
92 strcpy(client.instance, instance);
93 strncpy(client.cell, cell, sizeof(client.cell));
94 strcpy(server.name, KA_TGS_NAME);
95 strcpy(server.instance, realm);
96 strcpy(server.cell, cell);
/* Install the token in the kernel cache (flags 0). */
97 code = ktc_SetToken(&server, &token, &client, 0);
/* ka_GetServerToken: obtain a service token for name.instance in cell and
 * install it in the kernel token cache.  Visible flow: (1) look for an
 * already cached token for the service; (2) find a ticket-granting token
 * for the cell's realm, falling back to one issued by the local cell for
 * that realm (the "remotely authenticated" case) and, failing that, to the
 * inter-cell path that presents the local cell's own auth ticket to the
 * local TGS to fetch a foreign TGS ticket and caches it; (3) contact the
 * cell's TGS with the auth ticket and authentication domain to obtain the
 * service token; (4) store it, requesting a new PAG when dosetpag is set.
 * The variables code and local, the handling of new, the early returns
 * and most result checks fall on lines not shown in this listing.  new
 * presumably forces a fresh token even when one is cached — its use is
 * not visible here; it is also a C++ keyword, so this prototype cannot be
 * consumed from C++ unchanged. */
103 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
104 struct ktc_token * token, int new, int dosetpag)
107 struct ubik_client *conn;
108 afs_int32 now = time(0); /* time_t narrowed to 32-bit afs_int32 */
109 struct ktc_token auth_token; /* TGS (auth) ticket used to request the service token */
110 struct ktc_token cell_token; /* local cell's own auth ticket, inter-cell path only */
111 struct ktc_principal server, auth_server, client;
112 char *localCell = ka_LocalCell(); /* no NULL check on this is visible */
113 char cellname[MAXKTCREALMLEN];
114 char realm[MAXKTCREALMLEN];
115 char authDomain[MAXKTCREALMLEN]; /* realm that authenticated the client; "" for the remote case */
119 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* Server principal for the requested service.  name and instance go in
 * through unbounded strcpy into fixed-size fields (no length validation
 * visible); cell is lower-cased with a bounded copy. */
126 strcpy(server.name, name);
127 strcpy(server.instance, instance);
128 lcstring(server.cell, cell, sizeof(server.cell));
/* Cache lookup; fills token and client on a hit.  The result assignment
 * and the hit/miss decision are not shown. */
131 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
/* Map cell to its realm; local is presumably set when the realm is the
 * local one (its declaration and later checks are not shown). */
138 code = ka_CellToRealm(cell, realm, &local);
144 /* get TGS ticket for proper realm */
145 strcpy(auth_server.name, KA_TGS_NAME);
146 strcpy(auth_server.instance, realm);
147 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
148 strcpy(authDomain, realm);
150 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
151 if (code && !local) { /* try for remotely authenticated ticket */
/* Same TGS principal but issued by the local cell; authDomain "" marks it.
 * localCell is copied with plain strcpy here and below, but with a bounded
 * lcstring further down when the foreign ticket is saved. */
152 strcpy(auth_server.cell, localCell);
153 strcpy(authDomain, "");
155 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
163 /* here we invoke the inter-cell mechanism */
165 /* get local auth ticket */
166 ucstring(auth_server.instance, localCell,
167 sizeof(auth_server.instance));
168 strcpy(auth_server.cell, localCell);
170 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
176 /* get a connection to the local cell */
/* Connects to the local cell's TGS; the remaining arguments and the
 * result check are on lines not shown. */
178 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
183 /* get foreign auth ticket */
/* Ask the local TGS for a ticket for KA_TGS_NAME.realm, presenting
 * cell_token with an empty auth domain; the output argument is on a line
 * not shown (presumably &auth_token, given the save below). */
185 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
186 client.instance, conn, now, now + lifetime,
187 &cell_token, "" /* local auth domain */ ,
192 code = ubik_ClientDestroy(conn);
199 /* save foreign auth ticket */
/* Cache it as KA_TGS_NAME.realm in the (lower-cased) local cell, and set
 * authDomain to the upper-cased local cell for the ka_GetToken below. */
200 strcpy(auth_server.instance, realm);
201 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
202 ucstring(authDomain, localCell, sizeof(authDomain));
203 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
/* Use the auth ticket against cell's own TGS to obtain the service token;
 * the opening of this if-condition is on a line not shown. */
210 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
215 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
216 now, now + lifetime, &auth_token, authDomain, token))) {
220 code = ubik_ClientDestroy(conn);
/* Install the service token; AFS_SETTOK_SETPAG requests a new PAG. */
227 ktc_SetToken(&server, token, &client,
228 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
/* ka_GetAdminToken: obtain a token for the KA_ADMIN_NAME.KA_ADMIN_INST
 * service in cell and install it in the kernel token cache.  With name
 * and key both supplied it authenticates to the cell's maintenance service
 * over an unauthenticated connection; with either absent it only consults
 * the cache (see the comment below).  token may be omitted by the caller,
 * in which case a local buffer is substituted; the condition guarding
 * that, the code and return statements, and the use of new (presumably
 * "force a fresh token") are on lines not shown. */
237 ka_GetAdminToken(char *name, char *instance, char *cell,
238 struct ktc_encryptionKey * key, afs_int32 lifetime,
239 struct ktc_token * token, int new)
242 struct ubik_client *conn;
243 afs_int32 now = time(0); /* time_t narrowed to 32-bit afs_int32 */
244 struct ktc_principal server, client;
245 struct ktc_token localToken; /* used when the caller passes no token buffer */
246 char cellname[MAXKTCREALMLEN];
249 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
257 token = &localToken; /* in case caller doesn't want token */
/* Server principal for the admin service: name and instance are constants;
 * cell is bounded by strncpy, which writes no NUL terminator when cell
 * exactly fills the field. */
259 strcpy(server.name, KA_ADMIN_NAME);
260 strcpy(server.instance, KA_ADMIN_INST);
261 strncpy(server.cell, cell, sizeof(server.cell));
/* Cache lookup; fills token and client on a hit (result check not shown). */
264 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
271 if ((name == 0) || (key == 0)) {
272 /* just lookup in cache don't get new one */
277 /* get an unauthenticated connection to desired cell */
278 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate with key to the maintenance service for [now, now +
 * lifetime]; the final 0 presumably declines the password-expiry output.
 * No visible check that lifetime is non-negative or that the signed
 * addition cannot overflow.  The assignment of the result to code is on
 * a line not shown. */
284 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
285 key, now, now + lifetime, token, 0);
/* The destroy result is explicitly discarded here, whereas the sibling
 * routines in this file assign it to code. */
286 (void)ubik_ClientDestroy(conn);
/* Client principal: name and instance via unbounded strcpy into fixed-size
 * fields (no length validation visible), cell via strncpy as above. */
292 strcpy(client.name, name);
293 strcpy(client.instance, instance);
294 strncpy(client.cell, cell, sizeof(client.cell));
/* Install in the kernel cache (flags 0). */
295 code = ktc_SetToken(&server, token, &client, 0);
/* ka_VerifyUserToken: check that key is valid for name.instance in cell by
 * requesting a TGS ticket with it from the cell's authentication service;
 * presumably success means the key is correct.  Unlike the other routines
 * in this file, no ktc_SetToken call appears in the visible lines, so the
 * ticket is not installed in the kernel cache and lives only in the local
 * token variable.  code and pwexpires are declared, and the result
 * returned, on lines not shown. */
302 ka_VerifyUserToken(char *name, char *instance, char *cell,
303 struct ktc_encryptionKey * key)
306 struct ubik_client *conn;
307 afs_int32 now = time(0); /* time_t narrowed to 32-bit afs_int32 */
/* Receives the ticket.  If ktc_token carries session-key material (check
 * ktc.h), it is not cleared before return in the visible lines; explicit
 * zeroization before leaving the function would be worth confirming. */
308 struct ktc_token token;
309 char cellname[MAXKTCREALMLEN];
313 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
321 /* get an unauthenticated connection to desired cell */
322 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate for the maximum ticket lifetime, also collecting the
 * password-expiry value; the result assignment to code and its check
 * are not shown. */
329 ka_Authenticate(name, instance, cell, conn,
330 KA_TICKET_GRANTING_SERVICE, key, now,
331 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
336 code = ubik_ClientDestroy(conn);