| 1 | /*
|
|---|
| 2 | * Unix SMB/CIFS implementation.
|
|---|
| 3 | * Generate AFS tickets
|
|---|
| 4 | * Copyright (C) Volker Lendecke 2004
|
|---|
| 5 | *
|
|---|
| 6 | * This program is free software; you can redistribute it and/or modify
|
|---|
| 7 | * it under the terms of the GNU General Public License as published by
|
|---|
| 8 | * the Free Software Foundation; either version 3 of the License, or
|
|---|
| 9 | * (at your option) any later version.
|
|---|
| 10 | *
|
|---|
| 11 | * This program is distributed in the hope that it will be useful,
|
|---|
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 14 | * GNU General Public License for more details.
|
|---|
| 15 | *
|
|---|
| 16 | * You should have received a copy of the GNU General Public License
|
|---|
| 17 | * along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|---|
| 18 | */
|
|---|
| 19 |
|
|---|
| 20 | #include "includes.h"
|
|---|
| 21 |
|
|---|
| 22 | #ifdef WITH_FAKE_KASERVER
|
|---|
| 23 |
|
|---|
| 24 | #define NO_ASN1_TYPEDEFS 1
|
|---|
| 25 |
|
|---|
| 26 | #include "system/filesys.h"
|
|---|
| 27 |
|
|---|
| 28 | #include <afs/param.h>
|
|---|
| 29 | #include <afs/stds.h>
|
|---|
| 30 | #include <afs/afs.h>
|
|---|
| 31 | #include <afs/auth.h>
|
|---|
| 32 | #include <afs/venus.h>
|
|---|
| 33 | #include <asm/unistd.h>
|
|---|
| 34 | #include <openssl/des.h>
|
|---|
| 35 | #include <sys/syscall.h>
|
|---|
| 36 |
|
|---|
| 37 | int afs_syscall( int subcall,
|
|---|
| 38 | char * path,
|
|---|
| 39 | int cmd,
|
|---|
| 40 | char * cmarg,
|
|---|
| 41 | int follow)
|
|---|
| 42 | {
|
|---|
| 43 | /*
|
|---|
| 44 | return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
|
|---|
| 45 | */
|
|---|
| 46 | int errcode;
|
|---|
| 47 | struct afsprocdata afs_syscall_data;
|
|---|
| 48 | afs_syscall_data.syscall = subcall;
|
|---|
| 49 | afs_syscall_data.param1 = (long)path;
|
|---|
| 50 | afs_syscall_data.param2 = cmd;
|
|---|
| 51 | afs_syscall_data.param3 = (long)cmarg;
|
|---|
| 52 | afs_syscall_data.param4 = follow;
|
|---|
| 53 | int proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
|
|---|
| 54 | if (proc_afs_file < 0)
|
|---|
| 55 | proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
|
|---|
| 56 | if (proc_afs_file < 0)
|
|---|
| 57 | return -1;
|
|---|
| 58 | errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
|
|---|
| 59 | close(proc_afs_file);
|
|---|
| 60 | return errcode;
|
|---|
| 61 | }
|
|---|
| 62 |
|
|---|
| 63 | struct ClearToken {
|
|---|
| 64 | uint32 AuthHandle;
|
|---|
| 65 | char HandShakeKey[8];
|
|---|
| 66 | uint32 ViceId;
|
|---|
| 67 | uint32 BeginTimestamp;
|
|---|
| 68 | uint32 EndTimestamp;
|
|---|
| 69 | };
|
|---|
| 70 |
|
|---|
| 71 | static bool afs_decode_token(const char *string, char **cell,
|
|---|
| 72 | DATA_BLOB *ticket, struct ClearToken *ct)
|
|---|
| 73 | {
|
|---|
| 74 | DATA_BLOB blob;
|
|---|
| 75 | struct ClearToken result_ct;
|
|---|
| 76 | char *saveptr;
|
|---|
| 77 |
|
|---|
| 78 | char *s = SMB_STRDUP(string);
|
|---|
| 79 |
|
|---|
| 80 | char *t;
|
|---|
| 81 |
|
|---|
| 82 | if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
|
|---|
| 83 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 84 | return False;
|
|---|
| 85 | }
|
|---|
| 86 |
|
|---|
| 87 | *cell = SMB_STRDUP(t);
|
|---|
| 88 |
|
|---|
| 89 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 90 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 91 | return False;
|
|---|
| 92 | }
|
|---|
| 93 |
|
|---|
| 94 | if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
|
|---|
| 95 | DEBUG(10, ("sscanf AuthHandle failed\n"));
|
|---|
| 96 | return False;
|
|---|
| 97 | }
|
|---|
| 98 |
|
|---|
| 99 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 100 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 101 | return False;
|
|---|
| 102 | }
|
|---|
| 103 |
|
|---|
| 104 | blob = base64_decode_data_blob(t);
|
|---|
| 105 |
|
|---|
| 106 | if ( (blob.data == NULL) ||
|
|---|
| 107 | (blob.length != sizeof(result_ct.HandShakeKey) )) {
|
|---|
| 108 | DEBUG(10, ("invalid key: %x/%d\n", (uint32)blob.data,
|
|---|
| 109 | blob.length));
|
|---|
| 110 | return False;
|
|---|
| 111 | }
|
|---|
| 112 |
|
|---|
| 113 | memcpy(result_ct.HandShakeKey, blob.data, blob.length);
|
|---|
| 114 |
|
|---|
| 115 | data_blob_free(&blob);
|
|---|
| 116 |
|
|---|
| 117 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 118 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 119 | return False;
|
|---|
| 120 | }
|
|---|
| 121 |
|
|---|
| 122 | if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
|
|---|
| 123 | DEBUG(10, ("sscanf ViceId failed\n"));
|
|---|
| 124 | return False;
|
|---|
| 125 | }
|
|---|
| 126 |
|
|---|
| 127 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 128 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 129 | return False;
|
|---|
| 130 | }
|
|---|
| 131 |
|
|---|
| 132 | if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
|
|---|
| 133 | DEBUG(10, ("sscanf BeginTimestamp failed\n"));
|
|---|
| 134 | return False;
|
|---|
| 135 | }
|
|---|
| 136 |
|
|---|
| 137 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 138 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 139 | return False;
|
|---|
| 140 | }
|
|---|
| 141 |
|
|---|
| 142 | if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
|
|---|
| 143 | DEBUG(10, ("sscanf EndTimestamp failed\n"));
|
|---|
| 144 | return False;
|
|---|
| 145 | }
|
|---|
| 146 |
|
|---|
| 147 | if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
|
|---|
| 148 | DEBUG(10, ("strtok_r failed\n"));
|
|---|
| 149 | return False;
|
|---|
| 150 | }
|
|---|
| 151 |
|
|---|
| 152 | blob = base64_decode_data_blob(t);
|
|---|
| 153 |
|
|---|
| 154 | if (blob.data == NULL) {
|
|---|
| 155 | DEBUG(10, ("Could not get ticket\n"));
|
|---|
| 156 | return False;
|
|---|
| 157 | }
|
|---|
| 158 |
|
|---|
| 159 | *ticket = blob;
|
|---|
| 160 | *ct = result_ct;
|
|---|
| 161 |
|
|---|
| 162 | return True;
|
|---|
| 163 | }
|
|---|
| 164 |
|
|---|
| 165 | /*
|
|---|
| 166 | Put an AFS token into the Kernel so that it can authenticate against
|
|---|
| 167 | the AFS server. This assumes correct local uid settings.
|
|---|
| 168 |
|
|---|
| 169 | This is currently highly Linux and OpenAFS-specific. The correct API
|
|---|
| 170 | call for this would be ktc_SetToken. But to do that we would have to
|
|---|
| 171 | import a REALLY big bunch of libraries which I would currently like
|
|---|
| 172 | to avoid.
|
|---|
| 173 | */
|
|---|
| 174 |
|
|---|
| 175 | static bool afs_settoken(const char *cell,
|
|---|
| 176 | const struct ClearToken *ctok,
|
|---|
| 177 | DATA_BLOB ticket)
|
|---|
| 178 | {
|
|---|
| 179 | int ret;
|
|---|
| 180 | struct {
|
|---|
| 181 | char *in, *out;
|
|---|
| 182 | uint16 in_size, out_size;
|
|---|
| 183 | } iob;
|
|---|
| 184 |
|
|---|
| 185 | char buf[1024];
|
|---|
| 186 | char *p = buf;
|
|---|
| 187 | int tmp;
|
|---|
| 188 |
|
|---|
| 189 | memcpy(p, &ticket.length, sizeof(uint32));
|
|---|
| 190 | p += sizeof(uint32);
|
|---|
| 191 | memcpy(p, ticket.data, ticket.length);
|
|---|
| 192 | p += ticket.length;
|
|---|
| 193 |
|
|---|
| 194 | tmp = sizeof(struct ClearToken);
|
|---|
| 195 | memcpy(p, &tmp, sizeof(uint32));
|
|---|
| 196 | p += sizeof(uint32);
|
|---|
| 197 | memcpy(p, ctok, tmp);
|
|---|
| 198 | p += tmp;
|
|---|
| 199 |
|
|---|
| 200 | tmp = 0;
|
|---|
| 201 |
|
|---|
| 202 | memcpy(p, &tmp, sizeof(uint32));
|
|---|
| 203 | p += sizeof(uint32);
|
|---|
| 204 |
|
|---|
| 205 | tmp = strlen(cell);
|
|---|
| 206 | if (tmp >= MAXKTCREALMLEN) {
|
|---|
| 207 | DEBUG(1, ("Realm too long\n"));
|
|---|
| 208 | return False;
|
|---|
| 209 | }
|
|---|
| 210 |
|
|---|
| 211 | strncpy(p, cell, tmp);
|
|---|
| 212 | p += tmp;
|
|---|
| 213 | *p = 0;
|
|---|
| 214 | p +=1;
|
|---|
| 215 |
|
|---|
| 216 | iob.in = buf;
|
|---|
| 217 | iob.in_size = PTR_DIFF(p,buf);
|
|---|
| 218 | iob.out = buf;
|
|---|
| 219 | iob.out_size = sizeof(buf);
|
|---|
| 220 |
|
|---|
| 221 | #if 0
|
|---|
| 222 | file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
|
|---|
| 223 | #endif
|
|---|
| 224 |
|
|---|
| 225 | ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
|
|---|
| 226 |
|
|---|
| 227 | DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
|
|---|
| 228 | return (ret == 0);
|
|---|
| 229 | }
|
|---|
| 230 |
|
|---|
| 231 | bool afs_settoken_str(const char *token_string)
|
|---|
| 232 | {
|
|---|
| 233 | DATA_BLOB ticket;
|
|---|
| 234 | struct ClearToken ct;
|
|---|
| 235 | bool result;
|
|---|
| 236 | char *cell;
|
|---|
| 237 |
|
|---|
| 238 | if (!afs_decode_token(token_string, &cell, &ticket, &ct))
|
|---|
| 239 | return False;
|
|---|
| 240 |
|
|---|
| 241 | if (geteuid() != sec_initial_uid())
|
|---|
| 242 | ct.ViceId = getuid();
|
|---|
| 243 |
|
|---|
| 244 | result = afs_settoken(cell, &ct, ticket);
|
|---|
| 245 |
|
|---|
| 246 | SAFE_FREE(cell);
|
|---|
| 247 | data_blob_free(&ticket);
|
|---|
| 248 |
|
|---|
| 249 | return result;
|
|---|
| 250 | }
|
|---|
| 251 |
|
|---|
| 252 | #else
|
|---|
| 253 |
|
|---|
| 254 | bool afs_settoken_str(const char *token_string)
|
|---|
| 255 | {
|
|---|
| 256 | return False;
|
|---|
| 257 | }
|
|---|
| 258 |
|
|---|
| 259 | #endif
|
|---|
