aklog: heimdal kvno is rapidly changing

[openafs.git] / src / aklog / aklog.c

diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index 10184b6..6c5a3be 100644 (file)
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -216,7 +216,9 @@ Done:
 #error "Must have either keyblock or session member of krb5_creds"
 #endif
 
-#if !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC)
+#ifdef AFS_DARWIN110_ENV
+#define HAVE_NO_KRB5_524 /* MITKerberosShim logs but returns success */
+#elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC)
 #define krb5_524_convert_creds krb524_convert_creds_kdc
 #elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC)
 #define HAVE_NO_KRB5_524
@@ -351,7 +353,8 @@ copy_cellinfo(cellinfo_t *cellinfo)
 
 
 static int
-get_cellconfig(char *cell, struct afsconf_cell *cellconfig, char **local_cell)
+get_cellconfig(const char *config, char *cell,
+              struct afsconf_cell *cellconfig, char **local_cell)
 {
     int status = AKLOG_SUCCESS;
     struct afsconf_dir *configdir;
@@ -365,10 +368,10 @@ get_cellconfig(char *cell, struct afsconf_cell *cellconfig, char **local_cell)
        exit(AKLOG_AFS);
     }
 
-    if (!(configdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
+    if (!(configdir = afsconf_Open(config))) {
        fprintf(stderr,
                "%s: can't get afs configuration (afsconf_Open(%s))\n",
-               progname, AFSDIR_CLIENT_ETC_DIRPATH);
+               progname, config);
        exit(AKLOG_AFS);
     }
 
@@ -654,13 +657,12 @@ static int
 rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
                         struct ktc_tokenUnion **tokenPtr, char **userPtr) {
     char username[BUFSIZ];
-    struct ktc_tokenUnion *token;
-    struct token_rxkad *rxkadToken;
+    struct ktc_token token;
+    int status;
 #ifdef HAVE_NO_KRB5_524
     char *p;
     int len;
 #else
-    int status;
     char k4name[ANAME_SZ];
     char k4inst[INST_SZ];
     char k4realm[REALM_SZ];
@@ -703,30 +705,21 @@ rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
     }
 #endif
 
-    token = malloc(sizeof(struct ktc_tokenUnion));
-    if (token == NULL)
-       return ENOMEM;
-
-    memset(token, 0, sizeof(struct ktc_tokenUnion));
-
-    token->at_type = AFSTOKEN_UNION_KAD;
-    rxkadToken = &token->ktc_tokenUnion_u.at_kad;
+    memset(&token, 0, sizeof(struct ktc_token));
 
-    rxkadToken->rk_kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
-    rxkadToken->rk_begintime = v5cred->times.starttime;;
-    rxkadToken->rk_endtime = v5cred->times.endtime;
-    memcpy(&rxkadToken->rk_key, get_cred_keydata(v5cred),
+    token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
+    token.startTime = v5cred->times.starttime;;
+    token.endTime = v5cred->times.endtime;
+    memcpy(&token.sessionKey, get_cred_keydata(v5cred),
           get_cred_keylen(v5cred));
-    rxkadToken->rk_ticket.rk_ticket_len = v5cred->ticket.length;
-    rxkadToken->rk_ticket.rk_ticket_val = malloc(v5cred->ticket.length);
-    if (rxkadToken->rk_ticket.rk_ticket_val == NULL) {
-       free(token);
-       return ENOMEM;
+    token.ticketLen = v5cred->ticket.length;
+    memcpy(token.ticket, v5cred->ticket.data, token.ticketLen);
+
+    status = token_importRxkadViceId(tokenPtr, &token, 0);
+    if (status) {
+       return status;
     }
-    memcpy(rxkadToken->rk_ticket.rk_ticket_val, v5cred->ticket.data,
-          rxkadToken->rk_ticket.rk_ticket_len);
 
-    *tokenPtr = token;
     *userPtr = strdup(username);
 
     return 0;
@@ -768,8 +761,7 @@ rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
                          struct ktc_tokenUnion **tokenPtr, char **userPtr) {
     CREDENTIALS cred;
     char username[BUFSIZ];
-    struct ktc_tokenUnion *token;
-    struct token_rxkad *rxkadToken;
+    struct ktc_token token;
     int status;
 
     *tokenPtr = NULL;
@@ -791,16 +783,10 @@ rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
        strcat (username, cred.pinst);
     }
 
-    token = malloc(sizeof(struct ktc_tokenUnion));
-    if (token == NULL)
-       return ENOMEM;
-    memset(token, 0, sizeof(struct ktc_tokenUnion));
+    memset(&token, 0, sizeof(struct ktc_token));
 
-    token->at_type = AFSTOKEN_UNION_KAD;
-
-    rxkadToken = &token->ktc_tokenUnion_u.at_kad;
-    rxkadToken->rk_kvno = cred.kvno;
-    rxkadToken->rk_begintime = cred.issue_date;
+    token.kvno = cred.kvno;
+    token.startTime = cred.issue_date;
     /*
      * It seems silly to go through a bunch of contortions to
      * extract the expiration time, when the v5 credentials already
@@ -809,18 +795,16 @@ rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
      * Note that this isn't a security hole, as the expiration time
      * is also contained in the encrypted token
      */
-    rxkadToken->rk_endtime = v5cred->times.endtime;
-    memcpy(&rxkadToken->rk_key, cred.session, 8);
-    rxkadToken->rk_ticket.rk_ticket_len = cred.ticket_st.length;
-    rxkadToken->rk_ticket.rk_ticket_val = malloc(cred.ticket_st.length);
-    if (rxkadToken->rk_ticket.rk_ticket_val == NULL) {
-       free(token);
-       return ENOMEM;
+    token.endTime = v5cred->times.endtime;
+    memcpy(&token.sessionKey, cred.session, 8);
+    token.ticketLen = cred.ticket_st.length;
+    memcpy(token.ticket, cred.ticket_st.dat, token.ticketLen);
+
+    status = token_importRxkadViceId(tokenPtr, &token, 0);
+    if (status) {
+       return status;
     }
-    memcpy(rxkadToken->rk_ticket.rk_ticket_val, cred.ticket_st.dat,
-          rxkadToken->rk_ticket.rk_ticket_len);
 
-    *tokenPtr = token;
     *userPtr = strdup(username);
 
     return 0;
@@ -903,7 +887,8 @@ out:
  * to.
  */
 static int
-auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
+auth_to_cell(krb5_context context, const char *config, 
+            char *cell, char *realm, char **linkedcell)
 {
     int status = AKLOG_SUCCESS;
     int isForeign = 0;
@@ -917,7 +902,7 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
     struct afsconf_cell cellconf;
 
     /* NULL or empty cell returns information on local cell */
-    if ((status = get_cellconfig(cell, &cellconf, &local_cell)))
+    if ((status = get_cellconfig(config, cell, &cellconf, &local_cell)))
        return(status);
 
     if (linkedcell != NULL) {
@@ -1066,8 +1051,13 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
 #endif /* ALLOW_REGISTER */
 
            if ((status == 0) && (viceId != ANONYMOUSID)) {
-               rxkadToken->ktc_tokenUnion_u.at_kad.rk_viceid = viceId;
-               token_replaceToken(token, rxkadToken);
+               status = token_setRxkadViceId(rxkadToken, viceId);
+               if (status) {
+                   fprintf(stderr, "Error %d setting rxkad ViceId\n", status);
+                   status = AKLOG_SUCCESS;
+               } else {
+                   token_replaceToken(token, rxkadToken);
+               }
            }
        }
 
@@ -1094,8 +1084,7 @@ auth_to_cell(krb5_context context, char *cell, char *realm, char **linkedcell)
 
 out:
     if (rxkadToken) {
-       free(rxkadToken->ktc_tokenUnion_u.at_kad.rk_ticket.rk_ticket_val);
-       free(rxkadToken);
+       token_freeToken(&rxkadToken);
     }
 
     if (local_cell)
@@ -1309,7 +1298,7 @@ add_hosts(char *file)
  * every cell it encounters along the way.
  */
 static int
-auth_to_path(krb5_context context, char *path)
+auth_to_path(krb5_context context, const char *config, char *path)
 {
     int status = AKLOG_SUCCESS;
     int auth_status = AKLOG_SUCCESS;
@@ -1359,7 +1348,8 @@ auth_to_path(krb5_context context, char *path)
                add_hosts(pathtocheck);
            if ((endofcell = strchr(mountpoint, VOLMARKER))) {
                *endofcell = '\0';
-               if ((auth_status = auth_to_cell(context, cell, NULL, NULL))) {
+               auth_status = auth_to_cell(context, config, cell, NULL, NULL);
+               if (auth_status) {
                    if (status == AKLOG_SUCCESS)
                        status = auth_status;
                    else if (status != auth_status)
@@ -1447,6 +1437,7 @@ main(int argc, char *argv[])
     linked_list paths;         /* List of paths to log to */
     ll_node *cur_node;
     char *linkedcell;
+    const char *config = AFSDIR_CLIENT_ETC_DIRPATH;
 
     memset(&cellinfo, 0, sizeof(cellinfo));
 
@@ -1466,7 +1457,30 @@ main(int argc, char *argv[])
     else
        progname = argv[0];
 
-    krb5_init_context(&context);
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+    {
+       char *filepath = NULL, *newpath = NULL;
+#ifndef AFS_DARWIN_ENV
+       char *defaultpath = "/etc/krb5.conf";
+#else
+       char *defaultpath = "~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos";
+#endif
+       filepath = getenv("KRB5_CONFIG");
+       asprintf(&newpath, "%s:%s/krb5-weak.conf",
+                filepath ? filepath : defaultpath,
+                AFSDIR_CLIENT_ETC_DIRPATH);
+       setenv("KRB5_CONFIG", newpath, 1);
+#endif
+       krb5_init_context(&context);
+
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+       free(newpath);
+       if (filepath)
+           setenv("KRB5_CONFIG", filepath, 1);
+       else
+           unsetenv("KRB5_CONFIG");
+    }
+#endif
     initialize_KTC_error_table ();
     initialize_U_error_table();
     initialize_RXK_error_table();
@@ -1540,7 +1554,12 @@ main(int argc, char *argv[])
            }
            else
                usage();
-
+       else if (strcmp(argv[i], "-config") == 0)
+           if (++i < argc) {
+               config = argv[i];
+           }
+           else
+               usage();
        else if (argv[i][0] == '-')
            usage();
        else if (!pmode && !cmode) {
@@ -1614,7 +1633,7 @@ main(int argc, char *argv[])
     if ((cells.nelements + paths.nelements) == 0) {
        struct passwd *pwd;
 
-       status = auth_to_cell(context, NULL, NULL, &linkedcell);
+       status = auth_to_cell(context, config, NULL, NULL, &linkedcell);
 
        /* If this cell is linked to a DCE cell, and user requested -linked,
         * get tokens for both. This is very useful when the AFS cell is
@@ -1623,7 +1642,7 @@ main(int argc, char *argv[])
 
        if (!status && linked && linkedcell != NULL) {
            afs_dprintf("Linked cell: %s\n", linkedcell);
-           status = auth_to_cell(context, linkedcell, NULL, NULL);
+           status = auth_to_cell(context, config, linkedcell, NULL, NULL);
        }
        if (linkedcell) {
            free(linkedcell);
@@ -1657,7 +1676,7 @@ main(int argc, char *argv[])
 
                    afs_dprintf("Found cell %s in %s.\n", fcell, xlog_path);
 
-                   auth_status = auth_to_cell(context, fcell, NULL, NULL);
+                   auth_status = auth_to_cell(context, config, fcell, NULL, NULL);
                    if (status == AKLOG_SUCCESS)
                        status = auth_status;
                    else
@@ -1670,14 +1689,16 @@ main(int argc, char *argv[])
        /* Log to all cells in the cells list first */
        for (cur_node = cells.first; cur_node; cur_node = cur_node->next) {
            memcpy((char *)&cellinfo, cur_node->data, sizeof(cellinfo));
-           if ((status = auth_to_cell(context, cellinfo.cell, cellinfo.realm,
-                                      &linkedcell)))
+           status = auth_to_cell(context, config, cellinfo.cell,
+                                 cellinfo.realm, &linkedcell);
+           if (status) {
                somethingswrong++;
-           else {
+           } else {
                if (linked && linkedcell != NULL) {
                    afs_dprintf("Linked cell: %s\n", linkedcell);
-                   if ((status = auth_to_cell(context, linkedcell,
-                                              cellinfo.realm, NULL)))
+                   status = auth_to_cell(context, config, linkedcell,
+                                         cellinfo.realm, NULL);
+                   if (status)
                        somethingswrong++;
                }
                if (linkedcell != NULL) {
@@ -1689,7 +1710,8 @@ main(int argc, char *argv[])
 
        /* Then, log to all paths in the paths list */
        for (cur_node = paths.first; cur_node; cur_node = cur_node->next) {
-           if ((status = auth_to_path(context, cur_node->data)))
+           status = auth_to_path(context, config, cur_node->data);
+           if (status)
                somethingswrong++;
        }
 
@@ -1759,7 +1781,7 @@ get_credv5_akimpersonate(krb5_context context,
     EncTicketPart enc_tkt_reply[1];
     krb5_address address[30];
     krb5_addresses faddr[1];
-    int temp_vno[1];
+    unsigned int temp_vno[1];
     time_t temp_time[2];
 #else
     krb5_ticket ticket_reply[1];
@@ -1963,7 +1985,7 @@ get_credv5_akimpersonate(krb5_context context,
         }
     } /* crypto block */
     ticket_reply->enc_part.etype = deref_entry_enctype(entry);
-    ticket_reply->enc_part.kvno = temp_vno;
+    ticket_reply->enc_part.kvno = (void *)temp_vno;
     *ticket_reply->enc_part.kvno = entry->vno;
     ticket_reply->tkt_vno = 5;
 #else
@@ -2124,8 +2146,11 @@ get_user_realm(krb5_context context, char **realm)
 
     *realm = NULL;
 
-    if (!_krb425_ccache)
-        krb5_cc_default(context, &_krb425_ccache);
+    if (!_krb425_ccache) {
+       r = krb5_cc_default(context, &_krb425_ccache);
+       if (r)
+           return r;
+    }
     if (!client_principal) {
        if (client) {
            r = krb5_parse_name(context, client,  &client_principal);