diff options
Diffstat (limited to 'lib/afs')
-rw-r--r-- | lib/afs/afs_funcs.c | 313 | ||||
-rw-r--r-- | lib/afs/afs_funcs.h | 42 | ||||
-rw-r--r-- | lib/afs/afs_settoken.c | 264 | ||||
-rw-r--r-- | lib/afs/afs_settoken.h | 21 | ||||
-rw-r--r-- | lib/afs/wscript_build | 10 |
5 files changed, 650 insertions, 0 deletions
diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c new file mode 100644 index 0000000..c7b263c --- /dev/null +++ b/lib/afs/afs_funcs.c @@ -0,0 +1,313 @@ +/* + * Unix SMB/CIFS implementation. + * Generate AFS tickets + * Copyright (C) Volker Lendecke 2003 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "lib/afs/afs_funcs.h" + +#ifdef WITH_FAKE_KASERVER + +#define NO_ASN1_TYPEDEFS 1 + +#include "secrets.h" +#include "passdb.h" +#include "auth.h" +#include "../librpc/gen_ndr/ndr_netlogon.h" +#include "lib/afs/afs_settoken.h" + +#include <afs/param.h> +#include <afs/stds.h> +#include <afs/auth.h> +#include <afs/venus.h> +#include <asm/unistd.h> +#include <openssl/des.h> + +struct ClearToken { + uint32 AuthHandle; + char HandShakeKey[8]; + uint32 ViceId; + uint32 BeginTimestamp; + uint32 EndTimestamp; +}; + +static char *afs_encode_token(const char *cell, const DATA_BLOB ticket, + const struct ClearToken *ct) +{ + char *base64_ticket; + char *result = NULL; + + DATA_BLOB key = data_blob(ct->HandShakeKey, 8); + char *base64_key; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_stackframe(); + if (mem_ctx == NULL) + goto done; + + base64_ticket = base64_encode_data_blob(mem_ctx, ticket); + if (base64_ticket == NULL) + goto done; + + base64_key = base64_encode_data_blob(mem_ctx, key); + if (base64_key == NULL) + goto done; + + asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell, + ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp, + ct->EndTimestamp, base64_ticket); + + DEBUG(10, ("Got ticket string:\n%s\n", result)); + +done: + TALLOC_FREE(mem_ctx); + + return result; +} + +/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the + * ViceId set, this should be set by the caller. */ + +static bool afs_createtoken(const char *username, const char *cell, + DATA_BLOB *ticket, struct ClearToken *ct) +{ + fstring clear_ticket; + char *p = clear_ticket; + uint32 len; + uint32 now; + + struct afs_key key; + des_key_schedule key_schedule; + + if (!secrets_init()) + return false; + + if (!secrets_fetch_afs_key(cell, &key)) { + DEBUG(1, ("Could not fetch AFS service key\n")); + return false; + } + + ct->AuthHandle = key.kvno; + + /* Build the ticket. This is going to be encrypted, so in our + way we fill in ct while we still have the unencrypted + form. */ + + p = clear_ticket; + + /* The byte-order */ + *p = 1; + p += 1; + + /* "Alice", the client username */ + strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1); + p += strlen(p)+1; + strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1); + p += strlen(p)+1; + strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1); + p += strlen(p)+1; + + /* Alice's network layer address. At least Openafs-1.2.10 + ignores this, so we fill in a dummy value here. */ + SIVAL(p, 0, 0); + p += 4; + + /* We need to create a session key */ + generate_random_buffer((uint8_t *)p, 8); + + /* Our client code needs the the key in the clear, it does not + know the server-key ... */ + memcpy(ct->HandShakeKey, p, 8); + + p += 8; + + /* This is a kerberos 4 life time. The life time is expressed + * in units of 5 minute intervals up to 38400 seconds, after + * that a table is used up to lifetime 0xBF. Values between + * 0xC0 and 0xFF is undefined. 0xFF is defined to be the + * infinite time that never expire. + * + * So here we cheat and use the infinite time */ + *p = 255; + p += 1; + + /* Ticket creation time */ + now = time(NULL); + SIVAL(p, 0, now); + ct->BeginTimestamp = now; + + if(lp_afs_token_lifetime() == 0) + ct->EndTimestamp = NEVERDATE; + else + ct->EndTimestamp = now + lp_afs_token_lifetime(); + + if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) { + ct->BeginTimestamp += 1; /* Lifetime must be even */ + } + p += 4; + + /* And here comes Bob's name and instance, in this case the + AFS server. */ + strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1); + p += strlen(p)+1; + strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1); + p += strlen(p)+1; + + /* And zero-pad to a multiple of 8 bytes */ + len = PTR_DIFF(p, clear_ticket); + if (len & 7) { + uint32 extra_space = 8-(len & 7); + memset(p, 0, extra_space); + p+=extra_space; + } + len = PTR_DIFF(p, clear_ticket); + + des_key_sched((const_des_cblock *)key.key, key_schedule); + des_pcbc_encrypt((const unsigned char*) clear_ticket, + (unsigned char*) clear_ticket, + len, key_schedule, (C_Block *)key.key, 1); + + ZERO_STRUCT(key); + + *ticket = data_blob(clear_ticket, len); + + return true; +} + +char *afs_createtoken_str(const char *username, const char *cell) +{ + DATA_BLOB ticket; + struct ClearToken ct; + char *result; + + if (!afs_createtoken(username, cell, &ticket, &ct)) + return NULL; + + result = afs_encode_token(cell, ticket, &ct); + + data_blob_free(&ticket); + + return result; +} + +/* + This routine takes a radical approach completely bypassing the + Kerberos idea of security and using AFS simply as an intelligent + file backend. Samba has persuaded itself somehow that the user is + actually correctly identified and then we create a ticket that the + AFS server hopefully accepts using its KeyFile that the admin has + kindly stored to our secrets.tdb. + + Thanks to the book "Network Security -- PRIVATE Communication in a + PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner + Kerberos 4 tickets are not really hard to construct. + + For the comments "Alice" is the User to be auth'ed, and "Bob" is the + AFS server. */ + +bool afs_login(connection_struct *conn) +{ + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + DATA_BLOB ticket; + char *afs_username = NULL; + char *cell = NULL; + bool result; + char *ticket_str = NULL; + const struct dom_sid *user_sid; + TALLOC_CTX *ctx = talloc_tos(); + struct dom_sid_buf buf; + + struct ClearToken ct; + + afs_username = talloc_strdup(ctx, + lp_afs_username_map()); + if (!afs_username) { + return false; + } + + afs_username = talloc_sub_advanced(ctx, + lp_servicename(ctx, lp_sub, SNUM(conn)), + conn->session_info->unix_info->unix_name, + conn->connectpath, + conn->session_info->unix_token->gid, + conn->session_info->unix_info->sanitized_username, + conn->session_info->info->domain_name, + afs_username); + if (!afs_username) { + return false; + } + + user_sid = &conn->session_info->security_token->sids[0]; + afs_username = talloc_string_sub(talloc_tos(), + afs_username, + "%s", + dom_sid_str_buf(user_sid, &buf)); + if (!afs_username) { + return false; + } + + /* The pts command always generates completely lower-case user + * names. */ + if (!strlower_m(afs_username)) { + return false; + } + + cell = strchr(afs_username, '@'); + + if (cell == NULL) { + DEBUG(1, ("AFS username doesn't contain a @, " + "could not find cell\n")); + return false; + } + + *cell = '\0'; + cell += 1; + + DEBUG(10, ("Trying to log into AFS for user %s@%s\n", + afs_username, cell)); + + if (!afs_createtoken(afs_username, cell, &ticket, &ct)) + return false; + + /* For which Unix-UID do we want to set the token? */ + ct.ViceId = getuid(); + + ticket_str = afs_encode_token(cell, ticket, &ct); + + result = afs_settoken_str(ticket_str); + + SAFE_FREE(ticket_str); + + data_blob_free(&ticket); + + return result; +} + +#else + +bool afs_login(connection_struct *conn) +{ + return true; +} + +char *afs_createtoken_str(const char *username, const char *cell) +{ + return NULL; +} + +#endif /* WITH_FAKE_KASERVER */ diff --git a/lib/afs/afs_funcs.h b/lib/afs/afs_funcs.h new file mode 100644 index 0000000..95e916b --- /dev/null +++ b/lib/afs/afs_funcs.h @@ -0,0 +1,42 @@ +/* + * Unix SMB/CIFS implementation. + * Generate AFS tickets + * Copyright (C) Volker Lendecke 2003 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef LIB_AFS_AFS_FUNCS_H +#define LIB_AFS_AFS_FUNCS_H 1 + +char *afs_createtoken_str(const char *username, const char *cell); + +/* + This routine takes a radical approach completely bypassing the + Kerberos idea of security and using AFS simply as an intelligent + file backend. Samba has persuaded itself somehow that the user is + actually correctly identified and then we create a ticket that the + AFS server hopefully accepts using its KeyFile that the admin has + kindly stored to our secrets.tdb. + + Thanks to the book "Network Security -- PRIVATE Communication in a + PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner + Kerberos 4 tickets are not really hard to construct. + + For the comments "Alice" is the User to be auth'ed, and "Bob" is the + AFS server. */ + +bool afs_login(connection_struct *conn); + +#endif diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c new file mode 100644 index 0000000..d0ffa49 --- /dev/null +++ b/lib/afs/afs_settoken.c @@ -0,0 +1,264 @@ +/* + * Unix SMB/CIFS implementation. + * Generate AFS tickets + * Copyright (C) Volker Lendecke 2004 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "lib/afs/afs_settoken.h" + +#ifdef WITH_FAKE_KASERVER + +#define NO_ASN1_TYPEDEFS 1 + +#include "system/filesys.h" + +#include <afs/param.h> +#include <afs/stds.h> +#include <afs/afs_args.h> +#include <afs/auth.h> +#include <afs/venus.h> +#include <asm/unistd.h> +#include <openssl/des.h> +#include <sys/syscall.h> + +int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow) +{ +/* + return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow)); +*/ + int errcode; + int proc_afs_file; + struct afsprocdata afs_syscall_data; + afs_syscall_data.syscall = subcall; + afs_syscall_data.param1 = (long)path; + afs_syscall_data.param2 = cmd; + afs_syscall_data.param3 = (long)cmarg; + afs_syscall_data.param4 = follow; + proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR); + if (proc_afs_file < 0) + proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR); + if (proc_afs_file < 0) + return -1; + errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data); + close(proc_afs_file); + return errcode; +} + +struct ClearToken { + uint32 AuthHandle; + char HandShakeKey[8]; + uint32 ViceId; + uint32 BeginTimestamp; + uint32 EndTimestamp; +}; + +static bool afs_decode_token(const char *string, char **cell, + DATA_BLOB *ticket, struct ClearToken *ct) +{ + DATA_BLOB blob; + struct ClearToken result_ct; + char *saveptr; + + char *s = SMB_STRDUP(string); + + char *t; + + if ((t = strtok_r(s, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + *cell = SMB_STRDUP(t); + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) { + DEBUG(10, ("sscanf AuthHandle failed\n")); + return false; + } + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + blob = base64_decode_data_blob(t); + + if ( (blob.data == NULL) || + (blob.length != sizeof(result_ct.HandShakeKey) )) { + DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data, + (unsigned long) blob.length)); + return false; + } + + memcpy(result_ct.HandShakeKey, blob.data, blob.length); + + data_blob_free(&blob); + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + if (sscanf(t, "%u", &result_ct.ViceId) != 1) { + DEBUG(10, ("sscanf ViceId failed\n")); + return false; + } + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) { + DEBUG(10, ("sscanf BeginTimestamp failed\n")); + return false; + } + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) { + DEBUG(10, ("sscanf EndTimestamp failed\n")); + return false; + } + + if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { + DEBUG(10, ("strtok_r failed\n")); + return false; + } + + blob = base64_decode_data_blob(t); + + if (blob.data == NULL) { + DEBUG(10, ("Could not get ticket\n")); + return false; + } + + *ticket = blob; + *ct = result_ct; + + return true; +} + +/* + Put an AFS token into the Kernel so that it can authenticate against + the AFS server. This assumes correct local uid settings. + + This is currently highly Linux and OpenAFS-specific. The correct API + call for this would be ktc_SetToken. But to do that we would have to + import a REALLY big bunch of libraries which I would currently like + to avoid. +*/ + +static bool afs_settoken(const char *cell, + const struct ClearToken *ctok, + DATA_BLOB ticket) +{ + int ret; + struct { + char *in, *out; + uint16 in_size, out_size; + } iob; + + char buf[1024]; + char *p = buf; + int tmp; + + memcpy(p, &ticket.length, sizeof(uint32)); + p += sizeof(uint32); + memcpy(p, ticket.data, ticket.length); + p += ticket.length; + + tmp = sizeof(struct ClearToken); + memcpy(p, &tmp, sizeof(uint32)); + p += sizeof(uint32); + memcpy(p, ctok, tmp); + p += tmp; + + tmp = 0; + + memcpy(p, &tmp, sizeof(uint32)); + p += sizeof(uint32); + + tmp = strlen(cell); + if (tmp >= MAXKTCREALMLEN) { + DEBUG(1, ("Realm too long\n")); + return false; + } + + strncpy(p, cell, tmp); + p += tmp; + *p = 0; + p +=1; + + iob.in = buf; + iob.in_size = PTR_DIFF(p,buf); + iob.out = buf; + iob.out_size = sizeof(buf); + +#if 0 + file_save("/tmp/ioctlbuf", iob.in, iob.in_size); +#endif + + ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0); + + DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret)); + return (ret == 0); +} + +bool afs_settoken_str(const char *token_string) +{ + DATA_BLOB ticket; + struct ClearToken ct; + bool result; + char *cell; + + if (!afs_decode_token(token_string, &cell, &ticket, &ct)) + return false; + + if (geteuid() != 0) { + ct.ViceId = geteuid(); + } + + result = afs_settoken(cell, &ct, ticket); + + SAFE_FREE(cell); + data_blob_free(&ticket); + + return result; +} + +#else + +int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow) +{ + errno = ENOSYS; + return -1; +} + +bool afs_settoken_str(const char *token_string) +{ + return false; +} + +#endif diff --git a/lib/afs/afs_settoken.h b/lib/afs/afs_settoken.h new file mode 100644 index 0000000..d6cc462 --- /dev/null +++ b/lib/afs/afs_settoken.h @@ -0,0 +1,21 @@ +/* + * Unix SMB/CIFS implementation. + * Generate AFS tickets + * Copyright (C) Volker Lendecke 2004 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow); +bool afs_settoken_str(const char *token_string); diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build new file mode 100644 index 0000000..d584a17 --- /dev/null +++ b/lib/afs/wscript_build @@ -0,0 +1,10 @@ +#!/usr/bin/env python + +bld.SAMBA3_SUBSYSTEM('LIBAFS', + source='afs_funcs.c', + deps='samba-util crypto LIBAFS_SETTOKEN') + +bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN', + source='afs_settoken.c', + deps='samba-util') + |