#include <pwd.h>
#include <afs/stds.h>
+#include <afs/ktc.h>
+#include <afs/token.h>
+
#include <krb5.h>
#if defined(HAVE_ET_COM_ERR_H)
#include <et/com_err.h>
#include <sys/ioccom.h>
#endif
-/* Prevent inclusion of des.h to avoid conflicts with des types */
-#define NO_DES_H_INCLUDE
-
#include <afs/auth.h>
#include <afs/cellconfig.h>
#include <afs/vice.h>
if (strncmp(str, "unknown", strlen("unknown")) == 0) {
#ifdef HAVE_KRB5_SVC_GET_MSG
krb5_svc_get_msg(code,&str);
-#else
+#elif defined(HAVE_ERROR_MESSAGE)
str = error_message(code);
+#else
+ ; /* IRIX apparently has neither: use the string we have */
#endif
}
fputs(str, stderr);
fprintf(stderr, "%s: Couldn't get %s AFS tickets:\n",
progname, cell->name);
afs_com_err(progname, status, "while getting AFS tickets");
+#ifdef KRB5_CC_NOT_KTYPE
+ if (status == KRB5_CC_NOT_KTYPE) {
+ fprintf(stderr, "allow_weak_enctypes may be required in the Kerberos configuration\n");
+ }
+#endif
status = AKLOG_KERBEROS;
goto out;
}
*/
static int
rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
- struct ktc_token **tokenPtr, char **userPtr) {
+ struct ktc_tokenUnion **tokenPtr, char **userPtr) {
char username[BUFSIZ];
- struct ktc_token *token;
+ struct ktc_tokenUnion *token;
+ struct token_rxkad *rxkadToken;
#ifdef HAVE_NO_KRB5_524
char *p;
int len;
}
#endif
- token = malloc(sizeof(struct ktc_token));
+ token = malloc(sizeof(struct ktc_tokenUnion));
if (token == NULL)
return ENOMEM;
- memset(token, 0, sizeof(struct ktc_token));
+ memset(token, 0, sizeof(struct ktc_tokenUnion));
- token->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
- token->startTime = v5cred->times.starttime;;
- token->endTime = v5cred->times.endtime;
- memcpy(&token->sessionKey, get_cred_keydata(v5cred),
+ token->at_type = AFSTOKEN_UNION_KAD;
+ rxkadToken = &token->ktc_tokenUnion_u.at_kad;
+
+ rxkadToken->rk_kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
+ rxkadToken->rk_begintime = v5cred->times.starttime;;
+ rxkadToken->rk_endtime = v5cred->times.endtime;
+ memcpy(&rxkadToken->rk_key, get_cred_keydata(v5cred),
get_cred_keylen(v5cred));
- token->ticketLen = v5cred->ticket.length;
- memcpy(token->ticket, v5cred->ticket.data, token->ticketLen);
+ rxkadToken->rk_ticket.rk_ticket_len = v5cred->ticket.length;
+ rxkadToken->rk_ticket.rk_ticket_val = malloc(v5cred->ticket.length);
+ if (rxkadToken->rk_ticket.rk_ticket_val == NULL) {
+ free(token);
+ return ENOMEM;
+ }
+ memcpy(rxkadToken->rk_ticket.rk_ticket_val, v5cred->ticket.data,
+ rxkadToken->rk_ticket.rk_ticket_len);
*tokenPtr = token;
*userPtr = strdup(username);
#ifdef HAVE_NO_KRB5_524
static int
rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
- struct ktc_token **tokenPtr, char **userPtr) {
+ struct ktc_tokenUnion **tokenPtr, char **userPtr) {
*tokenPtr = NULL;
*userPtr = NULL;
#else
static int
rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
- struct ktc_token **tokenPtr, char **userPtr) {
+ struct ktc_tokenUnion **tokenPtr, char **userPtr) {
CREDENTIALS cred;
char username[BUFSIZ];
- struct ktc_token *token;
+ struct ktc_tokenUnion *token;
+ struct token_rxkad *rxkadToken;
int status;
*tokenPtr = NULL;
strcat (username, cred.pinst);
}
- token = malloc(sizeof(struct ktc_token));
- memset(token, 0, sizeof(struct ktc_token));
+ token = malloc(sizeof(struct ktc_tokenUnion));
+ if (token == NULL)
+ return ENOMEM;
+ memset(token, 0, sizeof(struct ktc_tokenUnion));
+
+ token->at_type = AFSTOKEN_UNION_KAD;
- token->kvno = cred.kvno;
- token->startTime = cred.issue_date;
+ rxkadToken = &token->ktc_tokenUnion_u.at_kad;
+ rxkadToken->rk_kvno = cred.kvno;
+ rxkadToken->rk_begintime = cred.issue_date;
/*
* It seems silly to go through a bunch of contortions to
* extract the expiration time, when the v5 credentials already
* Note that this isn't a security hole, as the expiration time
* is also contained in the encrypted token
*/
- token->endTime = v5cred->times.endtime;
- memcpy(&token->sessionKey, cred.session, 8);
- token->ticketLen = cred.ticket_st.length;
- memcpy(token->ticket, cred.ticket_st.dat, token->ticketLen);
+ rxkadToken->rk_endtime = v5cred->times.endtime;
+ memcpy(&rxkadToken->rk_key, cred.session, 8);
+ rxkadToken->rk_ticket.rk_ticket_len = cred.ticket_st.length;
+ rxkadToken->rk_ticket.rk_ticket_val = malloc(cred.ticket_st.length);
+ if (rxkadToken->rk_ticket.rk_ticket_val == NULL) {
+ free(token);
+ return ENOMEM;
+ }
+ memcpy(rxkadToken->rk_ticket.rk_ticket_val, cred.ticket_st.dat,
+ rxkadToken->rk_ticket.rk_ticket_len);
+
+ *tokenPtr = token;
+ *userPtr = strdup(username);
return 0;
}
*/
static int
rxkad_get_token(krb5_context context, struct afsconf_cell *cell, char *realm,
- struct ktc_token **token, char **authuser, int *foreign) {
+ struct ktc_tokenUnion **token, char **authuser, int *foreign) {
krb5_creds *v5cred;
char *realmUsed = NULL;
char *username = NULL;
return status;
}
-static int
-get_kernel_token(struct afsconf_cell *cell, struct ktc_token **tokenPtr) {
- struct ktc_principal client, server;
- struct ktc_token *token;
- int ret;
-
- *tokenPtr = NULL;
-
- strncpy(server.name, AFSKEY, MAXKTCNAMELEN - 1);
- strncpy(server.instance, AFSINST, MAXKTCNAMELEN - 1);
- strncpy(server.cell, cell->name, MAXKTCREALMLEN - 1);
-
- token = malloc(sizeof(struct ktc_token));
- if (token == NULL)
- return ENOMEM;
-
- memset(token, 0, sizeof(struct ktc_token));
-
- ret = ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
- if (ret) {
- free(token);
- return ret;
- }
-
- *tokenPtr = token;
- return 0;
-}
-
-static int
-set_kernel_token(struct afsconf_cell *cell, char *username,
- struct ktc_token *token, int setpag)
-{
- struct ktc_principal client, server;
-
- strncpy(client.name, username, MAXKTCNAMELEN - 1);
- strcpy(client.instance, "");
- strncpy(client.cell, cell->name, MAXKTCREALMLEN - 1);
-
- strncpy(server.name, AFSKEY, MAXKTCNAMELEN - 1);
- strncpy(server.instance, AFSINST, MAXKTCNAMELEN - 1);
- strncpy(server.cell, cell->name, MAXKTCREALMLEN - 1);
-
- return ktc_SetToken(&server, token, &client, setpag);
-}
-
-static int
-tokens_equal(struct ktc_token *tokenA, struct ktc_token *tokenB) {
- return (tokenA != NULL && tokenB != NULL &&
- tokenA->kvno == tokenB->kvno &&
- tokenA->ticketLen == tokenB->ticketLen &&
- !memcmp(&tokenA->sessionKey, &tokenB->sessionKey,
- sizeof(tokenA->sessionKey)) &&
- !memcmp(tokenA->ticket, tokenB->ticket, tokenA->ticketLen));
-}
-
-/*
+/*
* Log to a cell. If the cell has already been logged to, return without
* doing anything. Otherwise, log to it and mark that it has been logged
* to.
afs_int32 viceId; /* AFS uid of user */
char *local_cell = NULL;
- struct ktc_token *token;
- struct ktc_token *btoken;
+ struct ktc_tokenUnion *rxkadToken = NULL;
+ struct ktc_setTokenData *token;
+ struct ktc_setTokenData *btoken = NULL;
struct afsconf_cell cellconf;
/* NULL or empty cell returns information on local cell */
afs_dprintf("Authenticating to cell %s (server %s).\n", cellconf.name,
cellconf.hostName[0]);
- status = rxkad_get_token(context, &cellconf, realm, &token,
+ token = token_buildTokenJar(cellconf.name);
+ if (token == NULL) {
+ status = ENOMEM;
+ goto out;
+ }
+
+ status = rxkad_get_token(context, &cellconf, realm, &rxkadToken,
&username, &isForeign);
if (status)
- return status;
+ goto out;
+ /* We need to keep the token structure around so that we can stick
+ * the viceId into it (once we know it) */
+ status = token_addToken(token, rxkadToken);
+ if (status) {
+ afs_dprintf("Add Token failed with %d", status);
+ goto out;
+ }
if (!force &&
- !get_kernel_token(&cellconf, &btoken) &&
- tokens_equal(token, btoken)) {
+ ktc_GetTokenEx(cellconf.name, &btoken) == 0 &&
+ token_SetsEquivalent(token, btoken)) {
+
+ token_FreeSet(&btoken);
afs_dprintf("Identical tokens already exist; skipping.\n");
status = AKLOG_SUCCESS;
goto out;
}
+ if (btoken)
+ token_FreeSet(&btoken);
+
#ifdef FORCE_NOPRDB
noprdb = 1;
#endif
username, cellconf.name);
viceId = 0;
- status = set_kernel_token(&cellconf, username, token, 0);
+ status = ktc_SetTokenEx(token);
if (status) {
afs_com_err(progname, status,
"while obtaining tokens for cell %s",
/*
* In case you're wondering, we don't need to change the
* filename here because we're still connecting to the
- * same cell -- we're just using a different authentication
+ * same cell -- we're just using a different authenticat ion
* level
*/
}
#endif /* ALLOW_REGISTER */
- /*
- * This is a crock, but it is Transarc's crock, so we have to play
- * along in order to get the functionality. The way the afs id is
- * stored is as a string in the username field of the token.
- * Contrary to what you may think by looking at the code for
- * tokens, this hack (AFS ID %d) will not work if you change %d
- * to something else.
- */
-
if ((status == 0) && (viceId != ANONYMOUSID)) {
- free(username);
- if (afs_asprintf(&username, "AFS ID %d", (int) viceId) < 0) {
- status = ENOMEM;
- username = NULL;
- goto out;
- }
+ rxkadToken->ktc_tokenUnion_u.at_kad.rk_viceid = viceId;
+ token_replaceToken(token, rxkadToken);
}
}
- afs_dprintf("Set username to %s\n", username);
-
afs_dprintf("Setting tokens. %s @ %s \n", username, cellconf.name);
#ifndef AFS_AIX51_ENV
*/
write(2,"",0); /* dummy write */
#endif
- status = set_kernel_token(&cellconf, username, token, afssetpag);
+ token_setPag(token, afssetpag);
+ status = ktc_SetTokenEx(token);
if (status) {
- afs_com_err(progname, status, "while obtaining tokens for cell %s",
+ afs_com_err(progname, status, "while setting tokens for cell %s",
cellconf.name);
status = AKLOG_TOKEN;
}
afs_dprintf("Noauth mode; not authenticating.\n");
out:
+ if (rxkadToken) {
+ free(rxkadToken->ktc_tokenUnion_u.at_kad.rk_ticket.rk_ticket_val);
+ free(rxkadToken);
+ }
+
if (local_cell)
free(local_cell);
if (username)
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
-#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
- krb5_allow_weak_crypto(context, 1);
-#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
if (i)
krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+ krb5_allow_weak_crypto(context, 1);
#endif
/* Initialize list of cells to which we have authenticated */
if(buf_len != buf_size) {
afs_com_err(progname, code,
- "%d != %d while encoding ticket (internal ASN.1 encoder error",
- buf_len, buf_size);
+ "%u != %u while encoding ticket (internal ASN.1 encoder error",
+ (unsigned int)buf_len, (unsigned int)buf_size);
goto cleanup;
}
what = "krb5_crypto_init";
git://git.openafs.org / openafs.git / blobdiff