2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally it handles cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
16 #include "afs/param.h"
18 #include <afs/param.h>
24 #include "afs/sysincludes.h"
25 #include "afsincludes.h"
28 #include "afs/pthread_glock.h"
31 #include "afs/kauth.h"
32 #include "afs/kautils.h"
34 #include "afs/pthread_glock.h"
35 #else /* defined(UKERNEL) */
37 #include <sys/types.h>
39 #include <afs/pthread_glock.h>
43 #include <sys/socket.h>
44 #include <netinet/in.h>
53 /* netinet/in.h and cellconfig.h are needed together */
54 #include <afs/cellconfig.h>
55 /* these are needed together */
62 #endif /* defined(UKERNEL) */
/*
 * ka_GetAuthToken: authenticate name.instance in the given cell with the
 * caller-supplied key (ka_Authenticate against KA_TICKET_GRANTING_SERVICE)
 * and store the resulting ticket-granting ticket in the kernel token cache
 * under the KA_TGS_NAME/realm server principal.  The parameter list and the
 * error checks between the calls are elided in this listing; only the
 * visible lines are annotated.
 */
65 afs_int32 ka_GetAuthToken (
69 struct ktc_encryptionKey *key,
74 struct ubik_client *conn;
/* time_t is narrowed to afs_int32 here; this is also the start time of the
 * requested ticket and the base of the now+lifetime end time below. */
75 afs_int32 now = time(0);
76 struct ktc_token token;
77 char cellname[MAXKTCREALMLEN];
78 char realm[MAXKTCREALMLEN];
79 struct ktc_principal client, server;
/* Canonicalise the cell name; the third argument is the "local" out-flag
 * (see ka_GetServerToken, which passes &local) -- 0 means not wanted. */
82 code = ka_ExpandCell (cell, cellname, 0/*local*/);
89 /* get an unauthenticated connection to desired cell */
90 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Request a TGT valid from now to now+lifetime.  now+lifetime is a signed
 * afs_int32 addition; presumably the caller bounds lifetime (the check, if
 * any, is not visible here) -- confirm. */
95 code = ka_Authenticate (name, instance, cell, conn,
96 KA_TICKET_GRANTING_SERVICE,
97 key, now, now+lifetime, &token, pwexpires);
/* Tear down the connection.  This overwrites code, so the ka_Authenticate
 * result must already have been checked on the elided lines above. */
102 code = ubik_ClientDestroy (conn);
/* Realm (uppercase cell) used as the TGS server instance below. */
108 code = ka_CellToRealm (cell, realm, 0/*local*/);
/* Build the client and server principals for the cache entry.
 * NOTE(review): name, instance and realm go into fixed-size ktc_principal
 * fields via unbounded strcpy; client.cell uses strncpy with sizeof, which
 * does not NUL-terminate when cell fills the field, while server.cell takes
 * the very same string via plain strcpy.  Presumably the callers and
 * ka_ExpandCell bound these lengths -- confirm, and prefer one bounded,
 * terminating copy for both cell fields. */
113 strcpy (client.name, name);
114 strcpy (client.instance, instance);
115 strncpy (client.cell, cell, sizeof(client.cell));
116 strcpy (server.name, KA_TGS_NAME);
117 strcpy (server.instance, realm);
118 strcpy (server.cell, cell);
/* Install the TGT in the kernel cache; flags 0 (cf. AFS_SETTOK_SETPAG in
 * ka_GetServerToken). */
119 code = ktc_SetToken (&server, &token, &client, 0);
/*
 * ka_GetServerToken: return (via *token) a service ticket for
 * name.instance@cell, satisfying it from the kernel token cache when
 * possible and otherwise obtaining it from the cell's TGS.  When the cell is
 * not the local one and no TGT for its realm is cached, the inter-cell path
 * first uses the local-cell TGT to obtain a foreign TGT, caches it, and then
 * requests the service ticket with that.  The parameter list and most error
 * checks/returns are elided in this listing; only visible lines are
 * annotated.
 */
124 afs_int32 ka_GetServerToken (
129 struct ktc_token *token,
134 struct ubik_client *conn;
/* time_t narrowed to afs_int32; start time of every ticket requested below. */
135 afs_int32 now = time(0);
136 struct ktc_token auth_token;
137 struct ktc_token cell_token;
138 struct ktc_principal server, auth_server, client;
/* NOTE(review): ka_LocalCell()'s result is used as a strcpy source below
 * without a visible NULL check -- confirm it cannot return NULL here. */
139 char *localCell = ka_LocalCell();
140 char cellname[MAXKTCREALMLEN];
141 char realm[MAXKTCREALMLEN];
/* Authentication domain passed to ka_GetToken: "" for a locally issued TGT,
 * the (uppercased) local cell for a foreign one obtained via inter-cell. */
142 char authDomain[MAXKTCREALMLEN];
146 code = ka_ExpandCell (cell, cellname, 0/*local*/);
/* Target service principal.  name/instance use unbounded strcpy into fixed
 * fields; cell uses lcstring with a bound (presumably a lowercasing bounded
 * copy -- its termination guarantee is not visible here). */
153 strcpy (server.name, name);
154 strcpy (server.instance, instance);
155 lcstring (server.cell, cell, sizeof(server.cell));
/* Fast path: service ticket already cached.  Also yields the client
 * principal (client) used for every later request. */
157 code = ktc_GetToken (&server, token, sizeof(struct ktc_token), &client);
/* local is set to whether cell is the local cell; drives the fallback below. */
164 code = ka_CellToRealm (cell, realm, &local);
170 /* get TGS ticket for proper realm */
171 strcpy (auth_server.name, KA_TGS_NAME);
172 strcpy (auth_server.instance, realm);
173 lcstring (auth_server.cell, realm, sizeof(auth_server.cell));
174 strcpy (authDomain, realm);
175 code = ktc_GetToken (&auth_server, &auth_token, sizeof(auth_token), &client);
176 if (code && !local) { /* try for remotely authenticated ticket */
/* A foreign-realm TGT issued by the local cell would be cached under the
 * local cell name with an empty auth domain. */
177 strcpy (auth_server.cell, localCell);
178 strcpy (authDomain, "");
179 code = ktc_GetToken (&auth_server, &auth_token, sizeof(auth_token), &client);
187 /* here we invoke the inter-cell mechanism */
189 /* get local auth ticket */
/* Local TGT: instance is the uppercased local cell name. */
190 ucstring (auth_server.instance, localCell, sizeof(auth_server.instance));
191 strcpy (auth_server.cell, localCell);
192 code = ktc_GetToken (&auth_server, &cell_token, sizeof(cell_token), &client);
197 /* get a connection to the local cell */
198 if ((code = ka_AuthServerConn (localCell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
202 /* get foreign auth ticket */
/* Ask the local TGS (using the local TGT, cell_token) for a TGT for the
 * foreign realm; the result lands in auth_token (output args elided). */
203 if ((code = ka_GetToken (KA_TGS_NAME, realm, localCell, client.name,
204 client.instance, conn, now, now+lifetime,
205 &cell_token, "" /* local auth domain */,
/* Overwrites code; the ka_GetToken result must have been checked on the
 * elided lines above. */
210 code = ubik_ClientDestroy (conn);
217 /* save foreign auth ticket */
/* Cache the foreign TGT under realm/localCell with authDomain = LOCALCELL so
 * the lookup at line 177-179 finds it next time. */
218 strcpy (auth_server.instance, realm);
219 lcstring (auth_server.cell, localCell, sizeof(auth_server.cell));
220 ucstring (authDomain, localCell, sizeof(authDomain));
221 if ((code = ktc_SetToken (&auth_server, &auth_token, &client, 0))) {
/* Now holding a usable TGT (auth_token): contact the target cell's TGS. */
227 if ((code = ka_AuthServerConn (cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
/* Service ticket for name.instance, valid now..now+lifetime (signed add;
 * lifetime presumably bounded by the caller -- confirm). */
231 if ((code = ka_GetToken (name, instance, cell, client.name,
232 client.instance, conn, now, now+lifetime,
233 &auth_token, authDomain, token))) {
237 code = ubik_ClientDestroy (conn);
/* Cache the service ticket; dosetpag selects a new PAG for the caller. */
243 if ((code = ktc_SetToken (&server, token, &client,
244 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
/*
 * ka_GetAdminToken: obtain an AuthServer maintenance ticket
 * (KA_ADMIN_NAME.KA_ADMIN_INST in the given cell) for name.instance.  The
 * kernel cache is consulted first; with a NULL name or key the function is
 * cache-only, otherwise it authenticates with the key against
 * KA_MAINTENANCE_SERVICE and caches the result.  token may be NULL when the
 * caller only wants the cache primed.  Parameter list and intermediate error
 * returns are elided in this listing; only visible lines are annotated.
 */
252 afs_int32 ka_GetAdminToken (
256 struct ktc_encryptionKey *key,
258 struct ktc_token *token,
262 struct ubik_client *conn;
/* time_t narrowed to afs_int32; start of the requested ticket. */
263 afs_int32 now = time(0);
264 struct ktc_principal server, client;
/* Scratch ticket used when the caller passes token == 0. */
265 struct ktc_token localToken;
266 char cellname[MAXKTCREALMLEN];
269 code = ka_ExpandCell (cell, cellname, 0/*local*/);
276 if (token == 0) token = &localToken; /* in case caller doesn't want token */
/* Admin service principal.  NOTE(review): strncpy with sizeof does not
 * NUL-terminate server.cell when cell fills the field; presumably
 * ka_ExpandCell or the callers bound the cell length -- confirm. */
278 strcpy (server.name, KA_ADMIN_NAME);
279 strcpy (server.instance, KA_ADMIN_INST);
280 strncpy (server.cell, cell, sizeof(server.cell));
/* Cache lookup; client receives the principal the cached ticket belongs to. */
282 code = ktc_GetToken (&server,
283 token, sizeof(struct ktc_token), &client);
/* Without credentials nothing new can be obtained: cache-only mode. */
290 if ((name == 0) || (key == 0)) {
291 /* just lookup in cache don't get new one */
296 /* get an unauthenticated connection to desired cell */
297 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* Authenticate directly for the maintenance service (no pwexpires wanted,
 * hence the trailing 0).  now+lifetime is a signed afs_int32 add; lifetime
 * presumably bounded by the caller -- confirm. */
302 code = ka_Authenticate (name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
303 key, now, now+lifetime, token, 0);
/* Destroy result deliberately ignored here (unlike ka_GetAuthToken, which
 * stores it); code keeps the ka_Authenticate result. */
304 (void) ubik_ClientDestroy (conn);
/* Client principal for the cache entry: same unbounded strcpy / unterminated
 * strncpy pattern as for server above. */
310 strcpy (client.name, name);
311 strcpy (client.instance, instance);
312 strncpy (client.cell, cell, sizeof(client.cell));
313 code = ktc_SetToken (&server, token, &client, 0);
319 afs_int32 ka_VerifyUserToken(
323 struct ktc_encryptionKey *key)
326 struct ubik_client *conn;
327 afs_int32 now = time(0);
328 struct ktc_token token;
329 char cellname[MAXKTCREALMLEN];
333 code = ka_ExpandCell (cell, cellname, 0/*local*/);
341 /* get an unauthenticated connection to desired cell */
342 code = ka_AuthServerConn (cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
348 code = ka_Authenticate (name, instance, cell, conn,
349 KA_TICKET_GRANTING_SERVICE,
350 key, now, now+MAXKTCTICKETLIFETIME, &token, &pwexpires);
355 code = ubik_ClientDestroy (conn);