2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally it handles cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
16 #include "afs/param.h"
18 #include <afs/param.h>
25 #include "afs/sysincludes.h"
26 #include "afsincludes.h"
29 #include "afs/pthread_glock.h"
32 #include "afs/kauth.h"
33 #include "afs/kautils.h"
35 #include "afs/pthread_glock.h"
36 #else /* defined(UKERNEL) */
38 #include <sys/types.h>
40 #include <afs/pthread_glock.h>
44 #include <sys/socket.h>
45 #include <netinet/in.h>
54 /* netinet/in.h and cellconfig.h are needed together */
55 #include <afs/cellconfig.h>
56 /* these are needed together */
63 #endif /* defined(UKERNEL) */
67 ka_GetAuthToken(char *name, char *instance, char *cell,
68 struct ktc_encryptionKey *key, afs_int32 lifetime,
69 afs_int32 * pwexpires)
72 struct ubik_client *conn;
73 afs_int32 now = time(0);
74 struct ktc_token token;
75 char cellname[MAXKTCREALMLEN];
76 char realm[MAXKTCREALMLEN];
77 struct ktc_principal client, server;
79 LOCK_GLOBAL_MUTEX code = ka_ExpandCell(cell, cellname, 0 /*local */ );
81 UNLOCK_GLOBAL_MUTEX return code;
85 /* get an unauthenticated connection to desired cell */
86 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
88 UNLOCK_GLOBAL_MUTEX return code;
91 ka_Authenticate(name, instance, cell, conn,
92 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
95 UNLOCK_GLOBAL_MUTEX return code;
97 code = ubik_ClientDestroy(conn);
99 UNLOCK_GLOBAL_MUTEX return code;
102 code = ka_CellToRealm(cell, realm, 0 /*local */ );
104 UNLOCK_GLOBAL_MUTEX return code;
106 strcpy(client.name, name);
107 strcpy(client.instance, instance);
108 strncpy(client.cell, cell, sizeof(client.cell));
109 strcpy(server.name, KA_TGS_NAME);
110 strcpy(server.instance, realm);
111 strcpy(server.cell, cell);
112 code = ktc_SetToken(&server, &token, &client, 0);
113 UNLOCK_GLOBAL_MUTEX return code;
117 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
118 struct ktc_token * token, int new, int dosetpag)
121 struct ubik_client *conn;
122 afs_int32 now = time(0);
123 struct ktc_token auth_token;
124 struct ktc_token cell_token;
125 struct ktc_principal server, auth_server, client;
126 char *localCell = ka_LocalCell();
127 char cellname[MAXKTCREALMLEN];
128 char realm[MAXKTCREALMLEN];
129 char authDomain[MAXKTCREALMLEN];
132 LOCK_GLOBAL_MUTEX code = ka_ExpandCell(cell, cellname, 0 /*local */ );
134 UNLOCK_GLOBAL_MUTEX return code;
138 strcpy(server.name, name);
139 strcpy(server.instance, instance);
140 lcstring(server.cell, cell, sizeof(server.cell));
143 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
145 UNLOCK_GLOBAL_MUTEX return 0;
149 code = ka_CellToRealm(cell, realm, &local);
151 UNLOCK_GLOBAL_MUTEX return code;
154 /* get TGS ticket for proper realm */
155 strcpy(auth_server.name, KA_TGS_NAME);
156 strcpy(auth_server.instance, realm);
157 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
158 strcpy(authDomain, realm);
160 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
161 if (code && !local) { /* try for remotely authenticated ticket */
162 strcpy(auth_server.cell, localCell);
163 strcpy(authDomain, "");
165 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
170 UNLOCK_GLOBAL_MUTEX return code;
172 /* here we invoke the inter-cell mechanism */
174 /* get local auth ticket */
175 ucstring(auth_server.instance, localCell,
176 sizeof(auth_server.instance));
177 strcpy(auth_server.cell, localCell);
179 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
182 UNLOCK_GLOBAL_MUTEX return code;
184 /* get a connection to the local cell */
186 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
188 UNLOCK_GLOBAL_MUTEX return code;
190 /* get foreign auth ticket */
192 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
193 client.instance, conn, now, now + lifetime,
194 &cell_token, "" /* local auth domain */ ,
196 UNLOCK_GLOBAL_MUTEX return code;
198 code = ubik_ClientDestroy(conn);
200 UNLOCK_GLOBAL_MUTEX return code;
204 /* save foreign auth ticket */
205 strcpy(auth_server.instance, realm);
206 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
207 ucstring(authDomain, localCell, sizeof(authDomain));
208 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
209 UNLOCK_GLOBAL_MUTEX return code;
214 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
215 UNLOCK_GLOBAL_MUTEX return code;
218 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
219 now, now + lifetime, &auth_token, authDomain, token))) {
220 UNLOCK_GLOBAL_MUTEX return code;
222 code = ubik_ClientDestroy(conn);
224 UNLOCK_GLOBAL_MUTEX return code;
228 ktc_SetToken(&server, token, &client,
229 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
230 UNLOCK_GLOBAL_MUTEX return code;
232 UNLOCK_GLOBAL_MUTEX return 0;
236 ka_GetAdminToken(char *name, char *instance, char *cell,
237 struct ktc_encryptionKey * key, afs_int32 lifetime,
238 struct ktc_token * token, int new)
241 struct ubik_client *conn;
242 afs_int32 now = time(0);
243 struct ktc_principal server, client;
244 struct ktc_token localToken;
245 char cellname[MAXKTCREALMLEN];
247 LOCK_GLOBAL_MUTEX code = ka_ExpandCell(cell, cellname, 0 /*local */ );
249 UNLOCK_GLOBAL_MUTEX return code;
254 token = &localToken; /* in case caller doesn't want token */
256 strcpy(server.name, KA_ADMIN_NAME);
257 strcpy(server.instance, KA_ADMIN_INST);
258 strncpy(server.cell, cell, sizeof(server.cell));
261 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
263 UNLOCK_GLOBAL_MUTEX return 0;
267 if ((name == 0) || (key == 0)) {
268 /* just lookup in cache don't get new one */
269 UNLOCK_GLOBAL_MUTEX return KANOTICKET;
272 /* get an unauthenticated connection to desired cell */
273 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
275 UNLOCK_GLOBAL_MUTEX return code;
278 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
279 key, now, now + lifetime, token, 0);
280 (void)ubik_ClientDestroy(conn);
282 UNLOCK_GLOBAL_MUTEX return code;
285 strcpy(client.name, name);
286 strcpy(client.instance, instance);
287 strncpy(client.cell, cell, sizeof(client.cell));
288 code = ktc_SetToken(&server, token, &client, 0);
289 UNLOCK_GLOBAL_MUTEX return code;
294 ka_VerifyUserToken(char *name, char *instance, char *cell,
295 struct ktc_encryptionKey * key)
298 struct ubik_client *conn;
299 afs_int32 now = time(0);
300 struct ktc_token token;
301 char cellname[MAXKTCREALMLEN];
304 LOCK_GLOBAL_MUTEX code = ka_ExpandCell(cell, cellname, 0 /*local */ );
306 UNLOCK_GLOBAL_MUTEX return code;
311 /* get an unauthenticated connection to desired cell */
312 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
314 UNLOCK_GLOBAL_MUTEX return code;
318 ka_Authenticate(name, instance, cell, conn,
319 KA_TICKET_GRANTING_SERVICE, key, now,
320 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
322 UNLOCK_GLOBAL_MUTEX return code;
324 code = ubik_ClientDestroy(conn);
325 UNLOCK_GLOBAL_MUTEX return code;