2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally they handle cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
16 #include "afs/param.h"
18 #include <afs/param.h>
23 #include "afs/sysincludes.h"
24 #include "afsincludes.h"
27 #include "afs/pthread_glock.h"
30 #include "afs/kauth.h"
31 #include "afs/kautils.h"
33 #include "afs/pthread_glock.h"
34 #else /* defined(UKERNEL) */
36 #include <sys/types.h>
38 #include <afs/pthread_glock.h>
42 #include <sys/socket.h>
43 #include <netinet/in.h>
46 /* netinet/in.h and cellconfig.h are needed together */
47 #include <afs/cellconfig.h>
48 /* these are needed together */
55 #endif /* defined(UKERNEL) */
/* Obtain a ticket-granting token for name.instance in `cell` with the
 * caller-supplied `key`, and hand it to the kernel token cache.
 * Only part of the function survives in this excerpt: the return type,
 * braces, the declaration of `code` and the tests of `code` after each
 * call are not shown.
 *   name, instance, cell  principal whose token is requested
 *   key                   the principal's encryption key
 *   lifetime              requested ticket life; added to `now` below
 *   pwexpires             presumably filled by ka_Authenticate with the
 *                         password-expiry value -- the trailing arguments
 *                         of that call are not visible here, confirm */
59 ka_GetAuthToken(char *name, char *instance, char *cell,
60 struct ktc_encryptionKey * key, afs_int32 lifetime,
61 afs_int32 * pwexpires)
64 struct ubik_client *conn;
65 afs_int32 now = time(0);  /* time_t narrowed to a 32-bit value */
66 struct ktc_token token;
67 char cellname[MAXKTCREALMLEN];
68 char realm[MAXKTCREALMLEN];
69 struct ktc_principal client, server;
/* expand/validate the cell name into cellname; the test of `code` that
 * follows is not in this excerpt */
72 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
79 /* get an unauthenticated connection to desired cell */
80 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* ask the AuthServer for a TGS ticket valid from now until now+lifetime.
 * NOTE(review): `now + lifetime` is signed 32-bit arithmetic with no range
 * check on lifetime; assumes callers bound it -- confirm. */
86 ka_Authenticate(name, instance, cell, conn,
87 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
/* release the ubik connection; its status is kept in `code` */
93 code = ubik_ClientDestroy(conn);
/* map the cell to its Kerberos realm; used as the TGS instance below */
99 code = ka_CellToRealm(cell, realm, 0 /*local */ );
/* NOTE(review): name and instance are copied with strcpy into fixed-size
 * fields of `client` with no length check; a longer value overruns the
 * struct.  Callers presumably validate lengths -- confirm.
 * strncpy with sizeof(client.cell) stops at the field boundary but leaves
 * the field unterminated when `cell` fills it entirely. */
104 strcpy(client.name, name);
105 strcpy(client.instance, instance);
106 strncpy(client.cell, cell, sizeof(client.cell));
/* the server principal is the TGS of the realm; note server.cell is copied
 * unbounded here while client.cell above is bounded -- inconsistent */
107 strcpy(server.name, KA_TGS_NAME);
108 strcpy(server.instance, realm);
109 strcpy(server.cell, cell);
/* store the token in the kernel cache; flag 0 means no SETPAG */
110 code = ktc_SetToken(&server, &token, &client, 0);
/* Obtain a token for the service name.instance in `cell` for the calling
 * user: first from the kernel cache, otherwise from the TGS of the
 * service's realm using a cached auth ticket, falling back to the
 * inter-cell path (local-cell AuthServer issues a foreign auth ticket).
 * The excerpt is incomplete: return type, braces, the declarations of
 * `code` and `local`, the tests of `code` and several call arguments are
 * not shown.
 *   lifetime  requested ticket life, added to `now`
 *   token     receives the resulting token; also used as the cache
 *             lookup target
 *   new       use not visible in this excerpt
 *   dosetpag  when non-zero, ask the kernel to create a new PAG when the
 *             token is stored */
116 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
117 struct ktc_token * token, int new, int dosetpag)
120 struct ubik_client *conn;
121 afs_int32 now = time(0);  /* time_t narrowed to a 32-bit value */
122 struct ktc_token auth_token;  /* TGS ticket for the service's realm */
123 struct ktc_token cell_token;  /* local-cell auth ticket (inter-cell path) */
124 struct ktc_principal server, auth_server, client;
125 char *localCell = ka_LocalCell();  /* presumably this client's own cell */
126 char cellname[MAXKTCREALMLEN];
127 char realm[MAXKTCREALMLEN];
128 char authDomain[MAXKTCREALMLEN];
/* expand/validate the cell name; the test of `code` is not shown */
132 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* NOTE(review): name and instance are copied with strcpy into fixed-size
 * fields with no length check; assumes callers bound them -- confirm.
 * server.cell uses lcstring (presumably a lower-casing copy bounded by the
 * sizeof argument). */
139 strcpy(server.name, name);
140 strcpy(server.instance, instance);
141 lcstring(server.cell, cell, sizeof(server.cell));
/* cache lookup first; `client` receives the cached principal identity */
144 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
/* `local` is set by ka_CellToRealm and decides below whether the
 * cross-cell path is attempted */
151 code = ka_CellToRealm(cell, realm, &local);
157 /* get TGS ticket for proper realm */
158 strcpy(auth_server.name, KA_TGS_NAME);
159 strcpy(auth_server.instance, realm);
160 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
161 strcpy(authDomain, realm);
163 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
164 if (code && !local) { /* try for remotely authenticated ticket */
/* look for a TGS ticket for `realm` that was issued via the local cell;
 * an empty authDomain marks it as locally authenticated */
165 strcpy(auth_server.cell, localCell);
166 strcpy(authDomain, "");
168 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
176 /* here we invoke the inter-cell mechanism */
178 /* get local auth ticket */
/* auth_server now names the local cell's own TGS (upper-cased instance) */
179 ucstring(auth_server.instance, localCell,
180 sizeof(auth_server.instance));
181 strcpy(auth_server.cell, localCell);
183 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
189 /* get a connection to the local cell */
191 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
196 /* get foreign auth ticket */
/* use the local auth ticket (cell_token) to request a TGS ticket for the
 * foreign realm from the local TGS; the trailing arguments are elided */
198 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
199 client.instance, conn, now, now + lifetime,
200 &cell_token, "" /* local auth domain */ ,
205 code = ubik_ClientDestroy(conn);
212 /* save foreign auth ticket */
/* NOTE(review): realm (a MAXKTCREALMLEN buffer) is strcpy'd into
 * auth_server.instance; the field size is not visible here -- confirm it
 * is at least MAXKTCREALMLEN */
213 strcpy(auth_server.instance, realm);
214 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
215 ucstring(authDomain, localCell, sizeof(authDomain));
216 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
/* with a usable auth_token in hand, contact the TGS of the target cell
 * for the service ticket itself; the conditions around these calls are
 * partly elided */
223 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
228 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
229 now, now + lifetime, &auth_token, authDomain, token))) {
233 code = ubik_ClientDestroy(conn);
/* store the service token; AFS_SETTOK_SETPAG only when the caller asked */
240 ktc_SetToken(&server, token, &client,
241 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
/* Obtain a token for the AuthServer's admin/maintenance service in `cell`,
 * from the kernel cache when possible, otherwise by authenticating
 * name.instance with `key`.  Passing a NULL name or key restricts the
 * call to a cache lookup.  The excerpt is incomplete: return type, braces,
 * the declaration and tests of `code`, and the early returns are not
 * shown.
 *   token  may be NULL; then a local buffer is used and the token is only
 *          stored in the cache
 *   new    use not visible in this excerpt */
250 ka_GetAdminToken(char *name, char *instance, char *cell,
251 struct ktc_encryptionKey * key, afs_int32 lifetime,
252 struct ktc_token * token, int new)
255 struct ubik_client *conn;
256 afs_int32 now = time(0);  /* time_t narrowed to a 32-bit value */
257 struct ktc_principal server, client;
258 struct ktc_token localToken;
259 char cellname[MAXKTCREALMLEN];
/* expand/validate the cell name; the test of `code` is not shown */
262 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
270 token = &localToken; /* in case caller doesn't want token */
/* the server principal is fixed (admin name/instance constants); the cell
 * is copied with strncpy, which leaves server.cell unterminated when
 * `cell` fills the field exactly */
272 strcpy(server.name, KA_ADMIN_NAME);
273 strcpy(server.instance, KA_ADMIN_INST);
274 strncpy(server.cell, cell, sizeof(server.cell));
/* cache lookup first; `client` receives the cached principal identity */
277 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
284 if ((name == 0) || (key == 0)) {
285 /* just lookup in cache don't get new one */
290 /* get an unauthenticated connection to desired cell */
291 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* authenticate directly for the maintenance service; no TGS step.
 * NOTE(review): `now + lifetime` is unchecked 32-bit signed arithmetic */
297 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
298 key, now, now + lifetime, token, 0);
/* the destroy status is discarded here, unlike the sibling functions
 * that assign it to `code` -- presumably deliberate, confirm */
299 (void)ubik_ClientDestroy(conn);
/* NOTE(review): name and instance are strcpy'd into fixed-size fields
 * with no length check (name is non-NULL here, instance is not checked);
 * assumes callers bound them -- confirm.  client.cell may be left
 * unterminated by strncpy when `cell` fills the field. */
305 strcpy(client.name, name);
306 strcpy(client.instance, instance);
307 strncpy(client.cell, cell, sizeof(client.cell));
/* store the admin token in the kernel cache; flag 0 means no SETPAG */
308 code = ktc_SetToken(&server, token, &client, 0);
315 ka_VerifyUserToken(char *name, char *instance, char *cell,
316 struct ktc_encryptionKey * key)
319 struct ubik_client *conn;
320 afs_int32 now = time(0);
321 struct ktc_token token;
322 char cellname[MAXKTCREALMLEN];
326 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
334 /* get an unauthenticated connection to desired cell */
335 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
342 ka_Authenticate(name, instance, cell, conn,
343 KA_TICKET_GRANTING_SERVICE, key, now,
344 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
349 code = ubik_ClientDestroy(conn);