struct rx_securityClass *
get_sc(char *cellname)
{
#if 0
char realm[REALM_SZ];
CREDENTIALS c;
#endif
return rxnull_NewClientSecurityObject();
#if 0
ucstring(realm, cellname, REALM_SZ);
if (krb_get_cred("afs", "", realm, &c)) {
if (get_ad_tkt("afs", "", realm, DEFAULT_TKT_LIFE)) {
return NULL;
} else {
if (krb_get_cred("afs", "", realm, &c)) {
return NULL;
}
}
}
return rxkad_NewClientSecurityObject(rxkad_clear, c.session, c.kvno,
c.ticket_st.length, c.ticket_st.dat);
#endif
}
/**
* Pick a security object to use for a connection to a given server,
* by a given user
*
* @param[in] conn
* The AFS connection for which the security object is required
* @param[out] secLevel
* The security level of the returned object
*
* @return
* An rx security object. This function is guaranteed to return
* an object, although that object may be rxnull (with a secLevel
* of 0)
*/
static struct rx_securityClass *
afs_pickSecurityObject(struct afs_conn *conn, int *secLevel)
{
struct rx_securityClass *secObj = NULL;
union tokenUnion *token;
/* Do we have tokens ? */
if (conn->parent->user->states & UHasTokens) {
token = afs_FindToken(conn->parent->user->tokens, RX_SECIDX_KAD);
if (token) {
*secLevel = RX_SECIDX_KAD;
/* kerberos tickets on channel 2 */
secObj = rxkad_NewClientSecurityObject(
cryptall ? rxkad_crypt : rxkad_clear,
(struct ktc_encryptionKey *)
token->rxkad.clearToken.HandShakeKey,
token->rxkad.clearToken.AuthHandle,
token->rxkad.ticketLen, token->rxkad.ticket);
/* We're going to use this token, so populate the viced */
conn->parent->user->viceId = token->rxkad.clearToken.ViceId;
}
}
if (secObj == NULL) {
*secLevel = 0;
secObj = rxnull_NewClientSecurityObject();
}
return secObj;
}
static ConnCacheEntry *
add_connection(int32_t cell,
uint32_t host,
uint16_t port,
uint16_t service,
int (*probe)(struct rx_connection *),
CredCacheEntry *ce)
{
ConnCacheEntry *e;
struct rx_securityClass *securityobj;
int securityindex;
nnpfs_pag_t cred;
if (ce) {
securityindex = ce->securityindex;
cred = ce->cred;
switch (ce->type) {
#ifdef KERBEROS
case CRED_KRB4 : {
struct cred_rxkad *cred = (struct cred_rxkad *)ce->cred_data;
securityobj = rxkad_NewClientSecurityObject(conn_rxkad_level,
cred->ct.HandShakeKey,
cred->ct.AuthHandle,
cred->ticket_len,
cred->ticket);
break;
}
#endif
case CRED_NONE :
securityobj = rxnull_NewClientSecurityObject ();
break;
default :
errx(1, "Unknown credentials type %d\n", ce->type);
}
} else {
securityobj = rxnull_NewClientSecurityObject ();
securityindex = 0;
cred = 0;
}
e = new_connection (cell, host, port, service,
cred, securityindex, probe, securityobj);
hashtabadd (connhtab, (void *)e);
++nactive_connections;
return e;
}
static afs_int32
GenericAuth(struct afsconf_dir *adir,
struct rx_securityClass **astr,
afs_int32 *aindex,
rxkad_level enclevel)
{
char tbuffer[256];
struct ktc_encryptionKey key, session;
struct rx_securityClass *tclass;
afs_int32 kvno;
afs_int32 ticketLen;
register afs_int32 code;
/* first, find the right key and kvno to use */
code = afsconf_GetLatestKey(adir, &kvno, &key);
if (code) {
return QuickAuth(astr, aindex);
}
/* next create random session key, using key for seed to good random */
des_init_random_number_generator(ktc_to_cblock(&key));
code = des_random_key(ktc_to_cblock(&session));
if (code) {
return QuickAuth(astr, aindex);
}
/* now create the actual ticket */
ticketLen = sizeof(tbuffer);
memset(tbuffer, '\0', sizeof(tbuffer));
code =
tkt_MakeTicket(tbuffer, &ticketLen, &key, AUTH_SUPERUSER, "", "", 0,
0xffffffff, &session, 0, "afs", "");
/* parms were buffer, ticketlen, key to seal ticket with, principal
* name, instance and cell, start time, end time, session key to seal
* in ticket, inet host, server name and server instance */
if (code) {
return QuickAuth(astr, aindex);
}
/* Next, we have ticket, kvno and session key, authenticate the connection.
* We use a magic # instead of a constant because of basic compilation
* order when compiling the system from scratch (rx/rxkad.h isn't installed
* yet). */
tclass = (struct rx_securityClass *)
rxkad_NewClientSecurityObject(enclevel, &session, kvno, ticketLen,
tbuffer);
*astr = tclass;
*aindex = RX_SECIDX_KAD;
return 0;
}
static int
whoami(struct ktc_token *atoken,
struct afsconf_cell *cellconfig,
struct ktc_principal *aclient,
int *vicep)
{
int scIndex;
int code;
int i;
struct ubik_client *ptconn = 0;
struct rx_securityClass *sc;
struct rx_connection *conns[MAXSERVERS+1];
idlist lids[1];
namelist lnames[1];
char tempname[PR_MAXNAMELEN + 1];
memset(lnames, 0, sizeof *lnames);
memset(lids, 0, sizeof *lids);
scIndex = 2;
sc = rxkad_NewClientSecurityObject(rxkad_auth,
&atoken->sessionKey, atoken->kvno,
atoken->ticketLen, atoken->ticket);
for (i = 0; i < cellconfig->numServers; ++i)
conns[i] = rx_NewConnection(cellconfig->hostAddr[i].sin_addr.s_addr,
cellconfig->hostAddr[i].sin_port, PRSRV, sc, scIndex);
conns[i] = 0;
ptconn = 0;
if ((code = ubik_ClientInit(conns, &ptconn)))
goto Failed;
if (*aclient->instance)
snprintf (tempname, sizeof tempname, "%s.%s",
aclient->name, aclient->instance);
else
snprintf (tempname, sizeof tempname, "%s", aclient->name);
lnames->namelist_len = 1;
lnames->namelist_val = (prname *) tempname;
code = ubik_PR_NameToID(ptconn, 0, lnames, lids);
if (lids->idlist_val) {
*vicep = *lids->idlist_val;
}
Failed:
if (lids->idlist_val) free(lids->idlist_val);
if (ptconn) ubik_ClientDestroy(ptconn);
return code;
}
afs_int32
afsconf_ClientAuthToken(struct afsconf_cell *info,
afsconf_secflags flags,
struct rx_securityClass **sc,
afs_int32 *scIndex,
time_t *expires)
{
struct ktc_principal sname;
struct ktc_token ttoken;
int encryptLevel;
afs_int32 code;
*sc = NULL;
*scIndex = RX_SECIDX_NULL;
strcpy(sname.cell, info->name);
sname.instance[0] = 0;
strcpy(sname.name, "afs");
code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
if (code == 0) {
/* XXX - We should think about how to handle this */
if (ttoken.kvno < 0 || ttoken.kvno > 256) {
fprintf(stderr,
"funny kvno (%d) in ticket, proceeding\n",
ttoken.kvno);
}
if (flags & AFSCONF_SECOPTS_ALWAYSENCRYPT)
encryptLevel = rxkad_crypt;
else
encryptLevel = rxkad_clear;
*sc = rxkad_NewClientSecurityObject(encryptLevel,
&ttoken.sessionKey,
ttoken.kvno,
ttoken.ticketLen,
ttoken.ticket);
*scIndex = RX_SECIDX_KAD;
if (expires)
*expires = ttoken.endTime;
}
if (*sc == NULL)
return AFSCONF_NO_SECURITY_CLASS;
return code;
}
afs_int32
pxclient_Initialize(int auth, afs_int32 serverAddr)
{
afs_int32 code;
afs_int32 scIndex;
struct rx_securityClass *sc;
code = rx_Init(htons(2115) /*0 */ );
if (code) {
fprintf(stderr, "pxclient_Initialize: Could not initialize rx.\n");
return code;
}
scIndex = 0;
rx_SetRxDeadTime(50);
switch (scIndex) {
case 0:
sc = rxnull_NewClientSecurityObject();
break;
#ifdef notdef /* security */
case 1:
sc = rxvab_NewClientSecurityObject(&ttoken.sessionKey, ttoken.ticket,
0);
break;
case 2:
sc = rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
ttoken.kvno, ttoken.ticketLen,
ttoken.ticket);
#endif /* notdef */
}
serverconns[0] =
rx_NewConnection(serverAddr, htons(7000), 1, sc, scIndex);
code = ubik_ClientInit(serverconns, &cstruct);
if (code) {
fprintf(stderr, "pxclient_Initialize: ubik client init failed.\n");
return code;
}
return 0;
}
/**
* Pick a security object to use for a connection to a given server,
* by a given user
*
* @param[in] conn
* The AFS connection for which the security object is required
* @param[out] secLevel
* The security level of the returned object
*
* @return
* An rx security object. This function is guaranteed to return
* an object, although that object may be rxnull (with a secLevel
* of 0)
*/
static struct rx_securityClass *
afs_pickSecurityObject(struct afs_conn *conn, int *secLevel)
{
struct rx_securityClass *secObj = NULL;
/* Do we have tokens ? */
if (conn->user->vid != UNDEFVID) {
*secLevel = 2;
/* kerberos tickets on channel 2 */
secObj = rxkad_NewClientSecurityObject(
cryptall ? rxkad_crypt : rxkad_clear,
(struct ktc_encryptionKey *)conn->user->ct.HandShakeKey,
conn->user->ct.AuthHandle,
conn->user->stLen, conn->user->stp);
}
if (secObj == NULL) {
*secLevel = 0;
secObj = rxnull_NewClientSecurityObject();
}
return secObj;
}
int
_GetSecurityObject(struct afscp_cell *cell)
{
int code = ENOENT;
#ifdef HAVE_KERBEROS
krb5_context context;
krb5_creds match;
krb5_creds *cred;
krb5_ccache cc;
char **realms, *realm;
struct afsconf_cell celldata;
char localcell[MAXCELLCHARS + 1];
struct rx_securityClass *sc;
struct ktc_encryptionKey k;
int i;
rxkad_level l;
code = _GetCellInfo(cell->name, &celldata);
if (code != 0) {
goto try_anon;
}
if (authas_name[0]) {
code = _GetLocalSecurityObject(cell, authas_name, authas_inst);
if (code == 0) {
return 0;
}
}
code = krb5_init_context(&context); /* see aklog.c main() */
if (code != 0) {
goto try_anon;
}
if (cell->realm == NULL) {
realm = NULL;
code = krb5_get_host_realm(context, celldata.hostName[0], &realms);
if (code == 0) {
strlcpy(localcell, realms[0], sizeof(localcell));
krb5_free_host_realm(context, realms);
realm = localcell;
} else
goto try_anon;
} else {
realm = cell->realm;
strlcpy(localcell, realm, MAXCELLCHARS + 1);
}
if (realm)
if (realm == NULL) {
for (i = 0; (i < MAXCELLCHARS && cell->name[i]); i++) {
if (isalpha(cell->name[i]))
localcell[i] = toupper(cell->name[i]);
else
localcell[i] = cell->name[i];
}
localcell[i] = '\0';
realm = localcell;
}
cc = NULL;
code = krb5_cc_default(context, &cc);
memset(&match, 0, sizeof(match));
Z_enctype(Z_credskey(&match)) = ENCTYPE_DES_CBC_CRC;
if (code == 0)
code = krb5_cc_get_principal(context, cc, &match.client);
if (code == 0)
code = krb5_build_principal(context, &match.server,
strlen(realm), realm,
"afs", cell->name, NULL);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_principal(context, match.server);
match.server = NULL;
code = krb5_build_principal(context, &match.server,
strlen(realm), realm, "afs", NULL);
if (code == 0)
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
}
if (insecure)
l = rxkad_clear;
else
l = rxkad_crypt;
memcpy(&k.data, Z_keydata(Z_credskey(cred)), 8);
sc = (struct rx_securityClass *)rxkad_NewClientSecurityObject
(l, &k, RXKAD_TKT_TYPE_KERBEROS_V5,
cred->ticket.length, cred->ticket.data);
krb5_free_creds(context, cred);
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
cell->security = sc;
cell->scindex = 2;
return 0;
try_anon:
#endif /* HAVE_KERBEROS */
if (try_anonymous)
return _GetNullSecurityObject(cell);
else
return code;
}
static int
_GetLocalSecurityObject(struct afscp_cell *cell,
char *aname, char *ainst)
{
int code = 0;
char tbuffer[256];
struct ktc_encryptionKey key, session;
struct rx_securityClass *tc;
afs_int32 kvno;
afs_int32 ticketLen;
rxkad_level lev;
struct afsconf_dir *tdir;
tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
if (!tdir) {
code = AFSCONF_FAILURE;
goto done;
}
code = afsconf_GetLatestKey(tdir, &kvno, &key);
if (code) {
goto done;
}
DES_init_random_number_generator((DES_cblock *)&key);
code = DES_new_random_key((DES_cblock *)&session);
if (code) {
goto done;
}
ticketLen = sizeof(tbuffer);
memset(tbuffer, 0, sizeof(tbuffer));
code = tkt_MakeTicket(tbuffer, &ticketLen, &key, aname, ainst, "", 0,
0xffffffff, &session, 0, "afs", "");
if (code) {
goto done;
}
if (insecure) {
lev = rxkad_clear;
} else {
lev = rxkad_crypt;
}
tc = (struct rx_securityClass *)
rxkad_NewClientSecurityObject(lev, &session, kvno, ticketLen,
tbuffer);
if (!tc) {
code = RXKADBADKEY;
goto done;
}
cell->security = tc;
cell->scindex = 2;
done:
if (tdir) {
afsconf_Close(tdir);
}
return code;
}
long
rxkst_StartClient(struct clientParms *parms)
{
long code;
long host;
long scIndex;
struct rx_securityClass *sc;
whoami = parms->whoami; /* set this global variable */
host = GetServer(parms->server);
if (parms->authentication >= 0) {
long kvno = 0;
char ticket[MAXKTCTICKETLEN];
int ticketLen;
struct ktc_encryptionKey Ksession;
if (parms->useTokens)
code =
GetToken(&kvno, &Ksession, &ticketLen, ticket, parms->cell);
else
code =
GetTicket(&kvno, &Ksession, &ticketLen, ticket, parms->cell);
if (code)
return code;
/* next, we have ticket, kvno and session key, authenticate the conn */
sc = (struct rx_securityClass *)
rxkad_NewClientSecurityObject(parms->authentication, &Ksession,
kvno, ticketLen, ticket);
assert(sc);
scIndex = RX_SECIDX_KAD;
} else {
/* unauthenticated connection */
sc = rxnull_NewClientSecurityObject();
assert(sc);
scIndex = RX_SECIDX_NULL;
}
code = 0;
if (!code && parms->callTest) {
code = RunCallTest(parms, host, sc, scIndex);
}
if (!code && parms->hijackTest) {
code = RunHijackTest(parms, host, sc, scIndex);
}
if (!code
&& (parms->printTiming || parms->fastCalls || parms->slowCalls
|| parms->copiousCalls)) {
struct rx_connection *conn;
conn =
rx_NewConnection(host, htons(RXKST_SERVICEPORT), RXKST_SERVICEID,
sc, scIndex);
if (conn) {
code = RepeatLoadTest(parms, conn);
rx_DestroyConnection(conn);
} else
code = RXKST_NEWCONNFAILED;
}
if (!code && parms->stopServer) {
struct rx_connection *conn;
conn =
rx_NewConnection(host, htons(RXKST_SERVICEPORT), RXKST_SERVICEID,
sc, scIndex);
if (conn) {
code = RXKST_Kill(conn);
if (code) {
afs_com_err(whoami, code, "trying to stop server");
}
rx_DestroyConnection(conn);
} else
code = RXKST_NEWCONNFAILED;
}
if (parms->printStats) {
rx_PrintStats(stdout);
#if 0
/* use rxdebug style iteration here */
rx_PrintPeerStats(stdout, rx_PeerOf(conn));
#endif
}
rxs_Release(sc);
rx_Finalize();
if (code) {
afs_com_err(parms->whoami, code, "test fails");
exit(13);
} else {
printf("Test Okay\n");
if (!parms->noExit)
exit(0);
}
return 0;
}