2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally it handles cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
15 #include <afs/param.h>
18 # include "afsincludes.h"
22 #include <sys/types.h>
24 #include <afs/pthread_glock.h>
28 #include <sys/socket.h>
29 #include <netinet/in.h>
32 /* netinet/in.h and cellconfig.h are needed together */
33 #include <afs/cellconfig.h>
34 /* these are needed together */
/* Obtain a ticket-granting-service token for name.instance in cell by
 * authenticating to that cell's AuthServer with key, then install it in the
 * kernel token cache.  The ticket is requested for [now, now + lifetime].
 * pwexpires is presumably filled in by ka_Authenticate (the argument line is
 * not visible in this fragment) - confirm against the full source.
 * Returns an afs_int32 status; the return paths are not visible here. */
44 ka_GetAuthToken(char *name, char *instance, char *cell,
45 struct ktc_encryptionKey * key, afs_int32 lifetime,
46 afs_int32 * pwexpires)
49 struct ubik_client *conn;
/* time_t is narrowed to afs_int32 here, and now + lifetime below is signed
 * 32-bit arithmetic; no range check on the caller-supplied lifetime is
 * visible in this fragment, so an oversized value would overflow. */
50 afs_int32 now = time(0);
51 struct ktc_token token;
52 char cellname[MAXKTCREALMLEN];
53 char realm[MAXKTCREALMLEN];
54 struct ktc_principal client, server;
/* Expand/validate the cell name.  In the lines visible here the expanded
 * cellname is not used afterwards; the original cell string is passed on. */
57 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
64 /* get an unauthenticated connection to desired cell */
65 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate with the user's key and ask for a TGS ticket valid from now
 * for lifetime seconds (error handling between these calls is not shown). */
71 ka_Authenticate(name, instance, cell, conn,
72 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
/* The connection is torn down regardless of the authentication outcome;
 * its status is assigned to code. */
78 code = ubik_ClientDestroy(conn);
84 code = ka_CellToRealm(cell, realm, 0 /*local */ );
/* Build the client and server principals for the cache entry.  strcpy is
 * unbounded and the ktc_principal fields are fixed-size arrays, so these
 * copies rely on callers passing names that fit.  Note the inconsistency:
 * client.cell uses strncpy (which leaves the field unterminated when cell
 * fills it exactly) while server.cell uses strcpy. */
89 strcpy(client.name, name);
90 strcpy(client.instance, instance);
91 strncpy(client.cell, cell, sizeof(client.cell));
92 strcpy(server.name, KA_TGS_NAME);
93 strcpy(server.instance, realm);
94 strcpy(server.cell, cell);
/* Hand the ticket to the kernel token cache; flags 0 = no AFS_SETTOK_SETPAG. */
95 code = ktc_SetToken(&server, &token, &client, 0);
/* Obtain a service ticket for the server principal name.instance@cell and
 * install it in the kernel token cache (optionally in a fresh PAG when
 * dosetpag is set).  Visible strategy: try the cache first, then use the
 * caller's TGS ticket for the target realm; if that is a foreign realm and
 * no such ticket is cached, go through the local cell's TGS (inter-cell
 * path) to get one.  The role of 'new' and most error-handling branches are
 * not visible in this fragment.  The enclosing body's return paths are
 * likewise not shown. */
101 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
102 struct ktc_token * token, int new, int dosetpag)
105 struct ubik_client *conn;
/* time_t narrowed to afs_int32; now + lifetime below is signed 32-bit
 * arithmetic with no visible range check on lifetime. */
106 afs_int32 now = time(0);
107 struct ktc_token auth_token;
108 struct ktc_token cell_token;
109 struct ktc_principal server, auth_server, client;
110 char *localCell = ka_LocalCell();
111 char cellname[MAXKTCREALMLEN];
112 char realm[MAXKTCREALMLEN];
113 char authDomain[MAXKTCREALMLEN];
117 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* Server principal for the cache lookup; the cell part is copied bounded via
 * lcstring (presumably lower-cased - confirm), the name/instance unbounded. */
124 strcpy(server.name, name);
125 strcpy(server.instance, instance);
126 lcstring(server.cell, cell, sizeof(server.cell));
/* Cache probe; also fills in client, which is reused as the requesting
 * identity for the ka_GetToken calls below. */
129 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
/* local is set by ka_CellToRealm and decides whether the inter-cell path
 * is taken; its declaration is not visible here. */
136 code = ka_CellToRealm(cell, realm, &local);
142 /* get TGS ticket for proper realm */
143 strcpy(auth_server.name, KA_TGS_NAME);
144 strcpy(auth_server.instance, realm);
145 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
146 strcpy(authDomain, realm);
148 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
149 if (code && !local) { /* try for remotely authenticated ticket */
/* Unbounded copy of the local cell name into a fixed-size field; assumes
 * ka_LocalCell() returns a name that fits - confirm. */
150 strcpy(auth_server.cell, localCell);
151 strcpy(authDomain, "");
153 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
161 /* here we invoke the inter-cell mechanism */
163 /* get local auth ticket */
164 ucstring(auth_server.instance, localCell,
165 sizeof(auth_server.instance));
166 strcpy(auth_server.cell, localCell);
168 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
174 /* get a connection to the local cell */
176 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
181 /* get foreign auth ticket */
/* Ask the local TGS for a TGS ticket in the foreign realm, presenting the
 * local cell_token; the result lands in auth_token (the trailing argument
 * line is not visible). */
183 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
184 client.instance, conn, now, now + lifetime,
185 &cell_token, "" /* local auth domain */ ,
190 code = ubik_ClientDestroy(conn);
197 /* save foreign auth ticket */
/* Cache the cross-realm ticket under the foreign realm instance and the
 * local cell; authDomain becomes the upper-cased local cell name. */
198 strcpy(auth_server.instance, realm);
199 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
200 ucstring(authDomain, localCell, sizeof(authDomain));
201 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
/* Connect to the target cell's TGS and request the actual service ticket
 * using auth_token and authDomain; the result is written to token. */
208 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
213 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
214 now, now + lifetime, &auth_token, authDomain, token))) {
218 code = ubik_ClientDestroy(conn);
/* Install the service ticket; AFS_SETTOK_SETPAG requests a new PAG when
 * the caller asked for one. */
225 ktc_SetToken(&server, token, &client,
226 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
/* Obtain a KA_ADMIN_NAME.KA_ADMIN_INST ticket (the maintenance service) for
 * cell and install it in the kernel token cache.  With a NULL name or key
 * only the cache is consulted.  token may be NULL; a local buffer is then
 * used.  The role of 'new' and the error-handling branches are not visible
 * in this fragment, nor are the return paths. */
235 ka_GetAdminToken(char *name, char *instance, char *cell,
236 struct ktc_encryptionKey * key, afs_int32 lifetime,
237 struct ktc_token * token, int new)
240 struct ubik_client *conn;
/* time_t narrowed to afs_int32; now + lifetime below is signed 32-bit
 * arithmetic with no visible range check on lifetime. */
241 afs_int32 now = time(0);
242 struct ktc_principal server, client;
243 struct ktc_token localToken;
244 char cellname[MAXKTCREALMLEN];
247 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* The guard around this assignment (presumably a NULL check on token) is
 * not visible here - confirm against the full source. */
255 token = &localToken; /* in case caller doesn't want token */
/* Admin server principal.  server.cell uses strncpy, which does not
 * NUL-terminate when cell fills the field exactly. */
257 strcpy(server.name, KA_ADMIN_NAME);
258 strcpy(server.instance, KA_ADMIN_INST);
259 strncpy(server.cell, cell, sizeof(server.cell));
/* Cache probe first; also fills in client. */
262 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
269 if ((name == 0) || (key == 0)) {
270 /* just lookup in cache don't get new one */
275 /* get an unauthenticated connection to desired cell */
276 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate with key and request a maintenance-service ticket into token;
 * the last argument (0) is the pwexpires slot, which is not requested. */
282 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
283 key, now, now + lifetime, token, 0);
/* Unlike the sibling routines, the destroy status is deliberately dropped
 * here so the ka_Authenticate result is presumably preserved - confirm. */
284 (void)ubik_ClientDestroy(conn);
/* Client principal for the cache entry; same strcpy/strncpy mix as above. */
290 strcpy(client.name, name);
291 strcpy(client.instance, instance);
292 strncpy(client.cell, cell, sizeof(client.cell));
293 code = ktc_SetToken(&server, token, &client, 0);
300 ka_VerifyUserToken(char *name, char *instance, char *cell,
301 struct ktc_encryptionKey * key)
304 struct ubik_client *conn;
305 afs_int32 now = time(0);
306 struct ktc_token token;
307 char cellname[MAXKTCREALMLEN];
311 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
319 /* get an unauthenticated connection to desired cell */
320 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
327 ka_Authenticate(name, instance, cell, conn,
328 KA_TICKET_GRANTING_SERVICE, key, now,
329 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
334 code = ubik_ClientDestroy(conn);