/*
* Determine if the user is a member of 'identifier'
* Returns one of:
* 0 User does not match identifier
* 1 identifier matches everybody
* 2 User is in the group that is identifier
* 3 User is identifer
*/
static int mymemberof(const struct auth_state *auth_state, const char *identifier)
{
char aname[ANAME_SZ];
char inst[INST_SZ];
char realm[REALM_SZ];
if (!auth_state) auth_state = &auth_anonymous;
if (strcmp(identifier, "anyone") == 0) return 1;
if (strcmp(identifier, auth_state->userid) == 0) return 3;
/* "anonymous" is not a member of any group */
if (strcmp(auth_state->userid, "anonymous") == 0) return 0;
aname[0] = inst[0] = realm[0] = '\0';
if (kname_parse(aname, inst, realm, (char *) identifier) != 0) {
return 0;
}
if (strcmp(aname, auth_state->aname) != 0 && strcmp(aname, "*") != 0) {
return 0;
}
if (strcmp(inst, auth_state->inst) != 0 && strcmp(inst, "*") != 0) {
return 0;
}
if (strcmp(realm, auth_state->realm) != 0 && strcmp(realm, "*") != 0) {
return 0;
}
return 2;
}
/*
* Convert 'identifier' into canonical form.
* Returns a pointer to a static buffer containing the canonical form
* or NULL if 'identifier' is invalid.
*/
static char *afspts_canonifyid(const char *identifier, size_t len)
{
static char retbuf[MAX_K_NAME_SZ+1];
char aname[ANAME_SZ];
char inst[INST_SZ];
char realm[REALM_SZ];
char lrealm[REALM_SZ];
char krbhst[MAX_HSTNM];
char *canon_buf;
char *p;
if(!len) len = strlen(identifier);
canon_buf = xmalloc(len + 1);
memcpy(canon_buf, identifier, len);
canon_buf[len] = '\0';
aname[0] = inst[0] = realm[0] = '\0';
if (kname_parse(aname, inst, realm, canon_buf) != 0) {
free(canon_buf);
return 0;
}
free(canon_buf);
/* Upcase realm name */
for (p = realm; *p; p++) {
if (Uislower(*p)) *p = toupper(*p);
}
if (*realm) {
if (krb_get_lrealm(lrealm,1) == 0 &&
strcmp(lrealm, realm) == 0) {
*realm = 0;
}
else if (krb_get_krbhst(krbhst, realm, 1)) {
return 0; /* Unknown realm */
}
}
/* Check for krb.equiv remappings. */
p = auth_map_krbid(aname, inst, realm);
if (p) {
strcpy(retbuf, p);
return retbuf;
}
strcpy(retbuf, aname);
if (*inst) {
strcat(retbuf, ".");
strcat(retbuf, inst);
}
if (*realm && !is_local_realm(realm)) {
strcat(retbuf, "@");
strcat(retbuf, realm);
}
return retbuf;
}
/*
* Function: Intialize name fields in the Kerberos dialog.
*
* Parameters:
* hwnd - the window recieving the message.
*
* fullname - the full kerberos name to initialize with
*/
void
kwin_init_name(HWND hwnd, char *fullname)
{
char name[ANAME_SZ];
char instance[INST_SZ];
char realm[REALM_SZ];
int krc;
#ifdef KRB5
krb5_error_code code;
char *ptr;
#endif
if (fullname == NULL || fullname[0] == 0) {
#ifdef KRB4
strcpy(name, krb_get_default_user());
strcpy(instance, cns_res.instance);
krc = krb_get_lrealm(realm, 1);
if (krc != KSUCCESS)
realm[0] = 0;
strcpy(realm, cns_res.realm);
#endif /* KRB4 */
#ifdef KRB5
strcpy(name, cns_res.name);
*realm = '\0';
code = krb5_get_default_realm(k5_context, &ptr);
if (!code) {
strcpy(realm, ptr);
/* free(ptr); XXX */
}
strcpy(realm, cns_res.realm);
#endif /* KRB5 */
} else {
#ifdef KRB4
kname_parse(name, instance, realm, fullname);
SetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance);
#endif
#ifdef KRB5
krc = k5_kname_parse(name, realm, fullname);
*instance = '\0';
#endif
}
SetDlgItemText(hwnd, IDD_LOGIN_NAME, name);
SetDlgItemText(hwnd, IDD_LOGIN_REALM, realm);
}
/*
* Credentials file -> realm mapping
*
* Determine the realm by opening the named cache and parsing realm from the principal
*/
int KRB5_CALLCONV
krb_get_tf_realm (
const char* ticket_file,
char* realm)
{
cc_string_t principal;
char pname [ANAME_SZ];
char pinst [INST_SZ];
char prealm [REALM_SZ];
int kerr = KSUCCESS;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version = 0;
cc_ccache_t ccache = NULL;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache);
}
if (cc_err == ccNoError) {
cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
}
if (cc_err == ccNoError) {
/* found cache. get princiapl and parse it */
kerr = kname_parse (pname, pinst, prealm, (char*) principal -> data);
cc_string_release (principal);
}
if ((cc_err == ccNoError) && (kerr == KSUCCESS)) {
strcpy (realm, prealm);
}
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (kerr != KSUCCESS)
return kerr;
if (cc_err != ccNoError)
return GC_NOTKT;
else
return KSUCCESS;
}
/*
* Credentials file -> name, instance, realm mapping
*/
int KRB5_CALLCONV
krb_get_tf_fullname (
const char* ticket_file,
char* name,
char* instance,
char* realm)
{
cc_string_t principal;
int kerr = KSUCCESS;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache);
}
if (cc_err == ccNoError) {
/* found cache. get principal and parse it */
cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
}
if (cc_err == ccNoError) {
kerr = kname_parse (name, instance, realm, (char*) principal -> data);
cc_string_release (principal);
}
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (kerr != KSUCCESS)
return kerr;
if (cc_err != ccNoError)
return GC_NOTKT;
else
return KSUCCESS;
}
int
main(int argc, char **argv)
{
struct afsconf_dir *tdir;
afs_int32 code;
if (argc == 1) {
printf("bos_util: usage is 'bos_util <opcode> options, e.g.\n");
printf(" bos_util add <kvno>\n");
printf(" bos_util adddes <kvno>\n");
#ifdef KERBEROS
printf(" bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
#endif
printf(" bos_util delete <kvno>\n");
printf(" bos_util list\n");
exit(1);
}
tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIR);
if (!tdir) {
printf("bos_util: can't initialize conf dir '%s'\n",
AFSDIR_SERVER_ETC_DIR);
exit(1);
}
if (strcmp(argv[1], "add") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
char buf[BUFSIZ], ver[BUFSIZ];
char *tcell = NULL;
if (argc != 3) {
printf("bos_util add: usage is 'bos_util add <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
ka_StringToKey(buf, tcell, &tkey);
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
} else if (strcmp(argv[1], "adddes") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
afs_int32 code;
char buf[BUFSIZ], ver[BUFSIZ];
if (argc != 3) {
printf("bos_util adddes: usage is 'bos_util adddes <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
des_string_to_key(buf, ktc_to_cblockptr(&tkey));
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#ifdef KERBEROS
else if (strcmp(argv[1], "srvtab2keyfile") == 0) {
char tkey[8], name[255], inst[255], realm[255];
int kvno;
if (argc != 5) {
printf
("bos_util add: usage is 'bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
exit(1);
}
kvno = atoi(argv[2]);
bzero(tkey, sizeof(tkey));
code = kname_parse(name, inst, realm, argv[4]);
if (code != 0) {
printf("Invalid kerberos name\n");
exit(1);
}
code = read_service_key(name, inst, realm, kvno, argv[3], tkey);
if (code != 0) {
printf("Can't find key in %s\n", argv[3]);
exit(1);
}
code = afsconf_AddKey(tdir, kvno, tkey, 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#endif
else if (strcmp(argv[1], "delete") == 0) {
long kvno;
if (argc != 3) {
printf("bos_util delete: usage is 'bos_util delete <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
code = afsconf_DeleteKey(tdir, kvno);
if (code) {
printf("bos_util: failed to delete key %ld, (code %d)\n", kvno,
code);
exit(1);
}
} else if (strcmp(argv[1], "list") == 0) {
struct afsconf_keys tkeys;
int i;
unsigned char tbuffer[9];
code = afsconf_GetKeys(tdir, &tkeys);
if (code) {
printf("bos_util: failed to get keys, code %d\n", code);
exit(1);
}
for (i = 0; i < tkeys.nkeys; i++) {
if (tkeys.key[i].kvno != -1) {
int count;
unsigned char x[8];
memcpy(tbuffer, tkeys.key[i].key, 8);
tbuffer[8] = 0;
printf("kvno %4d: key is '%s' '", tkeys.key[i].kvno, tbuffer);
strcpy((char *)x, (char *)tbuffer);
for (count = 0; count < 8; count++)
printf("\\%03o", x[count]);
printf("'\n");
}
}
printf("All done.\n");
} else {
printf
("bos_util: unknown operation '%s', type 'bos_util' for assistance\n",
argv[1]);
exit(1);
}
exit(0);
}
/*
* Map a remote kerberos principal to a local username. If a mapping
* is found, a pointer to the local username is returned. Otherwise,
* a NULL pointer is returned.
* Eventually, this may be more sophisticated than a simple file scan.
*/
static char *auth_map_krbid(const char *real_aname,
const char *real_inst,
const char *real_realm)
{
static char localuser[MAX_K_NAME_SZ + 1];
char principal[MAX_K_NAME_SZ + 1];
char aname[ANAME_SZ];
char inst[INST_SZ];
char realm[REALM_SZ];
char lrealm[REALM_SZ];
char krbhst[MAX_HSTNM];
char *p;
char buf[1024];
FILE *mapfile;
if (!(mapfile = fopen(KRB_MAPNAME, "r"))) {
/* If the file can't be opened, don't do mappings */
return 0;
}
for (;;) {
if (!fgets(buf, sizeof(buf), mapfile)) break;
if (parse_krbequiv_line(buf, principal, localuser) == 0 ||
kname_parse(aname, inst, realm, principal) != 0) {
/* Ignore badly formed lines */
continue;
}
if (!strcmp(aname, real_aname) && !strcmp(inst, real_inst) &&
!strcmp(realm, real_realm)) {
fclose(mapfile);
aname[0] = inst[0] = realm[0] = '\0';
if (kname_parse(aname, inst, realm, localuser) != 0) {
return 0;
}
/* Upcase realm name */
for (p = realm; *p; p++) {
if (Uislower(*p)) *p = toupper(*p);
}
if (*realm) {
if (krb_get_lrealm(lrealm,1) == 0 &&
strcmp(lrealm, realm) == 0) {
*realm = 0;
}
else if (krb_get_krbhst(krbhst, realm, 1)) {
return 0; /* Unknown realm */
}
}
strcpy(localuser, aname);
if (*inst) {
strcat(localuser, ".");
strcat(localuser, inst);
}
if (*realm) {
strcat(localuser, "@");
strcat(localuser, realm);
}
return localuser;
}
}
fclose(mapfile);
return 0;
}
/*
* Store a ticket into the default credentials cache
* cache must exist (if it didn't exist, it would have been created by in_tkt)
*/
int
krb4int_save_credentials_addr(
char* service,
char* instance,
char* realm,
C_Block session,
int lifetime,
int kvno,
KTEXT ticket,
KRB4_32 issue_date,
KRB_UINT32 local_address)
{
cc_int32 cc_err = ccNoError;
int kerr = KSUCCESS;
cc_credentials_v4_t v4creds;
cc_credentials_union creds;
cc_ccache_t ccache = NULL;
cc_string_t principal;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
/* First try existing cache */
cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
}
if (cc_err == ccNoError) {
/* Now we have a cache. Fill out the credentials and put them in the cache. */
/* To fill out the credentials, we need the principal */
cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
}
if (cc_err == ccNoError) {
kerr = kname_parse (v4creds.principal, v4creds.principal_instance, v4creds.realm, (char*) principal -> data);
cc_string_release (principal);
}
if ((cc_err == ccNoError) && (kerr == KSUCCESS)) {
strncpy (v4creds.service, service, SNAME_SZ);
strncpy (v4creds.service_instance, instance, INST_SZ);
strncpy (v4creds.realm, realm, REALM_SZ);
memmove (v4creds.session_key, session, sizeof (C_Block));
v4creds.kvno = kvno;
v4creds.string_to_key_type = cc_v4_stk_unknown;
v4creds.issue_date = issue_date;
v4creds.address = local_address;
v4creds.lifetime = lifetime;
v4creds.ticket_size = ticket -> length;
memmove (v4creds.ticket, ticket -> dat, ticket -> length);
creds.version = cc_credentials_v4;
creds.credentials.credentials_v4 = &v4creds;
cc_err = cc_ccache_store_credentials (ccache, &creds);
}
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (kerr != KSUCCESS)
return kerr;
if (cc_err != ccNoError)
return KFAILURE;
else
return KSUCCESS;
}
