diff --git a/lib/kafs/common.c b/lib/kafs/common.c index e16d4d842..44b00776b 100644 --- a/lib/kafs/common.c +++ b/lib/kafs/common.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -57,61 +57,29 @@ foldup(char *a, const char *b) } int -kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c) +kafs_settoken_rxkad(const char *cell, struct ClearToken *ct, + void *ticket, size_t ticket_len) { struct ViceIoctl parms; - struct ClearToken ct; - int32_t sizeof_x; char buf[2048], *t; - int ret; + int32_t sizeof_x; - /* - * Build a struct ClearToken - */ - ct.AuthHandle = c->kvno; - memcpy (ct.HandShakeKey, c->session, sizeof(c->session)); - ct.ViceId = uid; - ct.BeginTimestamp = c->issue_date; - ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime); - if(ct.EndTimestamp < time(NULL)) - return 0; /* don't store tokens that has expired (and possibly - overwriting valid tokens)*/ - -#define ODD(x) ((x) & 1) - /* According to Transarc conventions ViceId is valid iff - * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime - * the transformations: - * - * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life) - * preserves the original values. - */ - if (uid != 0) /* valid ViceId */ - { - if (!ODD(ct.EndTimestamp - ct.BeginTimestamp)) - ct.EndTimestamp--; - } - else /* not valid ViceId */ - { - if (ODD(ct.EndTimestamp - ct.BeginTimestamp)) - ct.EndTimestamp--; - } - t = buf; /* * length of secret token followed by secret token */ - sizeof_x = c->ticket_st.length; + sizeof_x = ticket_len; memcpy(t, &sizeof_x, sizeof(sizeof_x)); t += sizeof(sizeof_x); - memcpy(t, c->ticket_st.dat, sizeof_x); + memcpy(t, ticket, sizeof_x); t += sizeof_x; /* * length of clear token followed by clear token */ - sizeof_x = sizeof(ct); + sizeof_x = sizeof(*ct); memcpy(t, &sizeof_x, sizeof(sizeof_x)); t += sizeof(sizeof_x); - memcpy(t, &ct, sizeof_x); + memcpy(t, ct, sizeof_x); t += sizeof_x; /* @@ -134,8 +102,60 @@ kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c) parms.in_size = t - buf; parms.out = 0; parms.out_size = 0; - ret = k_pioctl(0, VIOCSETTOK, &parms, 0); - return ret; + + return k_pioctl(0, VIOCSETTOK, &parms, 0); +} + +void +_kafs_fixup_viceid(struct ClearToken *ct, uid_t uid) +{ +#define ODD(x) ((x) & 1) + /* According to Transarc conventions ViceId is valid iff + * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime + * the transformations: + * + * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life) + * preserves the original values. + */ + if (uid != 0) /* valid ViceId */ + { + if (!ODD(ct->EndTimestamp - ct->BeginTimestamp)) + ct->EndTimestamp--; + } + else /* not valid ViceId */ + { + if (ODD(ct->EndTimestamp - ct->BeginTimestamp)) + ct->EndTimestamp--; + } +} + + +int +_kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt) +{ + kt->ticket = NULL; + + if (c->ticket_st.length > MAX_KTXT_LEN) + return EINVAL; + + kt->ticket = malloc(c->ticket_st.length); + if (kt->ticket == NULL) + return ENOMEM; + kt->ticket_len = c->ticket_st.length; + memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len); + + /* + * Build a struct ClearToken + */ + kt->ct.AuthHandle = c->kvno; + memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session)); + kt->ct.ViceId = uid; + kt->ct.BeginTimestamp = c->issue_date; + kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime); + + _kafs_fixup_viceid(&kt->ct, uid); + + return 0; } /* Try to get a db-server for an AFS cell from a AFSDB record */ @@ -332,10 +352,11 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) int _kafs_get_cred(kafs_data *data, - const char *cell, - const char *realm_hint, - const char *realm, - CREDENTIALS *c) + const char *cell, + const char *realm_hint, + const char *realm, + uid_t uid, + struct kafs_token *kt) { int ret = -1; char *vl_realm; @@ -366,9 +387,11 @@ _kafs_get_cred(kafs_data *data, */ if (realm_hint) { - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + cell, realm_hint, uid, kt); if (ret == 0) return 0; - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + "", realm_hint, uid, kt); if (ret == 0) return 0; } @@ -379,7 +402,8 @@ _kafs_get_cred(kafs_data *data, * Try afs@REALM. */ if (strcmp(CELL, realm) == 0) { - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + "", realm, uid, kt); if (ret == 0) return 0; /* Try afs.cell@REALM below. */ } @@ -389,7 +413,8 @@ _kafs_get_cred(kafs_data *data, * REALM we still don't have to resort to cross-cell authentication. * Try afs.cell@REALM. */ - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + cell, realm, uid, kt); if (ret == 0) return 0; /* @@ -398,9 +423,11 @@ _kafs_get_cred(kafs_data *data, * Try afs@CELL. * Try afs.cell@CELL. */ - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + "", CELL, uid, kt); if (ret == 0) return 0; - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + cell, CELL, uid, kt); if (ret == 0) return 0; /* @@ -412,9 +439,11 @@ _kafs_get_cred(kafs_data *data, if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0 && strcmp(vl_realm, realm) != 0 && strcmp(vl_realm, CELL) != 0) { - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + cell, vl_realm, uid, kt); if (ret) - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c); + ret = (*data->get_cred)(data, AUTH_SUPERUSER, + "", vl_realm, uid, kt); free(vl_realm); if (ret == 0) return 0; }