(kafs_settoken_rxkad): move all content kerberos version from
kafs_settoken to kafs_settoken_rxkad (_kafs_fixup_viceid): move the fixup the timestamp to make client happy code here. (_kafs_v4_to_kt): move all the kerberos 4 dependant parts from kafs_settoken here. (*): adapt to kafs_token git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11838 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
||||
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -57,61 +57,29 @@ foldup(char *a, const char *b)
|
||||
}
|
||||
|
||||
int
|
||||
kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
|
||||
kafs_settoken_rxkad(const char *cell, struct ClearToken *ct,
|
||||
void *ticket, size_t ticket_len)
|
||||
{
|
||||
struct ViceIoctl parms;
|
||||
struct ClearToken ct;
|
||||
int32_t sizeof_x;
|
||||
char buf[2048], *t;
|
||||
int ret;
|
||||
int32_t sizeof_x;
|
||||
|
||||
/*
|
||||
* Build a struct ClearToken
|
||||
*/
|
||||
ct.AuthHandle = c->kvno;
|
||||
memcpy (ct.HandShakeKey, c->session, sizeof(c->session));
|
||||
ct.ViceId = uid;
|
||||
ct.BeginTimestamp = c->issue_date;
|
||||
ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
|
||||
if(ct.EndTimestamp < time(NULL))
|
||||
return 0; /* don't store tokens that has expired (and possibly
|
||||
overwriting valid tokens)*/
|
||||
|
||||
#define ODD(x) ((x) & 1)
|
||||
/* According to Transarc conventions ViceId is valid iff
|
||||
* (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
|
||||
* the transformations:
|
||||
*
|
||||
* (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
|
||||
* preserves the original values.
|
||||
*/
|
||||
if (uid != 0) /* valid ViceId */
|
||||
{
|
||||
if (!ODD(ct.EndTimestamp - ct.BeginTimestamp))
|
||||
ct.EndTimestamp--;
|
||||
}
|
||||
else /* not valid ViceId */
|
||||
{
|
||||
if (ODD(ct.EndTimestamp - ct.BeginTimestamp))
|
||||
ct.EndTimestamp--;
|
||||
}
|
||||
|
||||
t = buf;
|
||||
/*
|
||||
* length of secret token followed by secret token
|
||||
*/
|
||||
sizeof_x = c->ticket_st.length;
|
||||
sizeof_x = ticket_len;
|
||||
memcpy(t, &sizeof_x, sizeof(sizeof_x));
|
||||
t += sizeof(sizeof_x);
|
||||
memcpy(t, c->ticket_st.dat, sizeof_x);
|
||||
memcpy(t, ticket, sizeof_x);
|
||||
t += sizeof_x;
|
||||
/*
|
||||
* length of clear token followed by clear token
|
||||
*/
|
||||
sizeof_x = sizeof(ct);
|
||||
sizeof_x = sizeof(*ct);
|
||||
memcpy(t, &sizeof_x, sizeof(sizeof_x));
|
||||
t += sizeof(sizeof_x);
|
||||
memcpy(t, &ct, sizeof_x);
|
||||
memcpy(t, ct, sizeof_x);
|
||||
t += sizeof_x;
|
||||
|
||||
/*
|
||||
@@ -134,8 +102,60 @@ kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
|
||||
parms.in_size = t - buf;
|
||||
parms.out = 0;
|
||||
parms.out_size = 0;
|
||||
ret = k_pioctl(0, VIOCSETTOK, &parms, 0);
|
||||
return ret;
|
||||
|
||||
return k_pioctl(0, VIOCSETTOK, &parms, 0);
|
||||
}
|
||||
|
||||
void
|
||||
_kafs_fixup_viceid(struct ClearToken *ct, uid_t uid)
|
||||
{
|
||||
#define ODD(x) ((x) & 1)
|
||||
/* According to Transarc conventions ViceId is valid iff
|
||||
* (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
|
||||
* the transformations:
|
||||
*
|
||||
* (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
|
||||
* preserves the original values.
|
||||
*/
|
||||
if (uid != 0) /* valid ViceId */
|
||||
{
|
||||
if (!ODD(ct->EndTimestamp - ct->BeginTimestamp))
|
||||
ct->EndTimestamp--;
|
||||
}
|
||||
else /* not valid ViceId */
|
||||
{
|
||||
if (ODD(ct->EndTimestamp - ct->BeginTimestamp))
|
||||
ct->EndTimestamp--;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
_kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt)
|
||||
{
|
||||
kt->ticket = NULL;
|
||||
|
||||
if (c->ticket_st.length > MAX_KTXT_LEN)
|
||||
return EINVAL;
|
||||
|
||||
kt->ticket = malloc(c->ticket_st.length);
|
||||
if (kt->ticket == NULL)
|
||||
return ENOMEM;
|
||||
kt->ticket_len = c->ticket_st.length;
|
||||
memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len);
|
||||
|
||||
/*
|
||||
* Build a struct ClearToken
|
||||
*/
|
||||
kt->ct.AuthHandle = c->kvno;
|
||||
memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session));
|
||||
kt->ct.ViceId = uid;
|
||||
kt->ct.BeginTimestamp = c->issue_date;
|
||||
kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
|
||||
|
||||
_kafs_fixup_viceid(&kt->ct, uid);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Try to get a db-server for an AFS cell from a AFSDB record */
|
||||
@@ -332,10 +352,11 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
|
||||
|
||||
int
|
||||
_kafs_get_cred(kafs_data *data,
|
||||
const char *cell,
|
||||
const char *realm_hint,
|
||||
const char *realm,
|
||||
CREDENTIALS *c)
|
||||
const char *cell,
|
||||
const char *realm_hint,
|
||||
const char *realm,
|
||||
uid_t uid,
|
||||
struct kafs_token *kt)
|
||||
{
|
||||
int ret = -1;
|
||||
char *vl_realm;
|
||||
@@ -366,9 +387,11 @@ _kafs_get_cred(kafs_data *data,
|
||||
*/
|
||||
|
||||
if (realm_hint) {
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
cell, realm_hint, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
"", realm_hint, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
}
|
||||
|
||||
@@ -379,7 +402,8 @@ _kafs_get_cred(kafs_data *data,
|
||||
* Try afs@REALM.
|
||||
*/
|
||||
if (strcmp(CELL, realm) == 0) {
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
"", realm, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
/* Try afs.cell@REALM below. */
|
||||
}
|
||||
@@ -389,7 +413,8 @@ _kafs_get_cred(kafs_data *data,
|
||||
* REALM we still don't have to resort to cross-cell authentication.
|
||||
* Try afs.cell@REALM.
|
||||
*/
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
cell, realm, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
|
||||
/*
|
||||
@@ -398,9 +423,11 @@ _kafs_get_cred(kafs_data *data,
|
||||
* Try afs@CELL.
|
||||
* Try afs.cell@CELL.
|
||||
*/
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
"", CELL, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
cell, CELL, uid, kt);
|
||||
if (ret == 0) return 0;
|
||||
|
||||
/*
|
||||
@@ -412,9 +439,11 @@ _kafs_get_cred(kafs_data *data,
|
||||
if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
|
||||
&& strcmp(vl_realm, realm) != 0
|
||||
&& strcmp(vl_realm, CELL) != 0) {
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
cell, vl_realm, uid, kt);
|
||||
if (ret)
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
|
||||
ret = (*data->get_cred)(data, AUTH_SUPERUSER,
|
||||
"", vl_realm, uid, kt);
|
||||
free(vl_realm);
|
||||
if (ret == 0) return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user