RXK5DEVEL15-rxk5-20070123

again, massaged by me, shadow@dementia.org
This commit is contained in:
Marcus Watts 2007-01-23 01:01:51 +00:00 committed by Derrick Brashear
parent 6a4b1e662a
commit 22d9bf51a1
454 changed files with 54375 additions and 2396 deletions


@ -5,6 +5,7 @@ config.cache
config.status
configure
configure-libafs
errors
hp_ux102
hp_ux110
i386_linux22


@ -10,12 +10,23 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
# things that depend on KAUTH have more complicated dependencies
# on libkauth
KAUTH=kauth
# things that depend on KAERRORS only need kaerrors.o from kauth
KAERRORS=kauth
# Enable build+install of obsolete and insecure packages
# Set to anything other than YES, or comment out to disable the build
WITH_OBSOLETE=@WITH_OBSOLETE@
ENABLE_KERNEL_MODULE=@ENABLE_KERNEL_MODULE@
# Build rxk5 if selected
### old: @ENABLE_RXK5@RXK5=@RXK5@
@ENABLE_RXK5@RXK5=rxk5
@ENABLE_RXK5@MAYBE_RXK5_DEPINSTALL=rxk5_depinstall
# To compile AFS from scratch in the src tree run "make".
# This recursively calls "make install ..." and does not depend on the
# existence of any non-standard programs.
@ -121,7 +132,7 @@ procmgmt: pinstall
util: procmgmt des
${COMPILE_PART1} util ${COMPILE_PART2}
audit: util rx rxkad
audit: util rx rxkad ${RXK5} auth_depinstall
${COMPILE_PART1} audit ${COMPILE_PART2} #TODO
comerr: util
@ -177,7 +188,13 @@ sys: cmd comerr afs des rx rxstat fsint sys_depinstall
rxkad: cmd comerr sys des rx rxkad_depinstall
${COMPILE_PART1} rxkad ${COMPILE_PART2}
auth: cmd comerr comerr des lwp rx sys rxkad audit auth_depinstall
trxk5: comerr rx rxk5_depinstall @ENABLE_SSL@ k5ssl
${COMPILE_PART1} trxk5 ${COMPILE_PART2}
rxk5: cmd comerr sys des rx rxk5_depinstall @ENABLE_SSL@ k5ssl
${COMPILE_PART1} rxk5 ${COMPILE_PART2}
auth: cmd comerr comerr des lwp rx sys rxkad ${RXK5} audit auth_depinstall
${COMPILE_PART1} auth ${COMPILE_PART2}
ubik: cmd comerr auth ubik_depinstall
@ -191,7 +208,7 @@ ptserver: cmd comerr ubik cmd comerr auth audit ptserver_depinstall
kauth: cmd comerr ubik cmd auth comerr ptserver audit libacl kauth_depinstall
${COMPILE_PART1} kauth ${COMPILE_PART2}
dauth: cmd comerr ubik cmd auth kauth comerr
dauth: cmd comerr ubik cmd auth $(KAUTH) comerr
${COMPILE_PART1} dauth ${COMPILE_PART2}
libacl: cmd comerr ptserver libacl_depinstall
@ -249,7 +266,7 @@ tviced: cmd comerr viced vlserver libafsrpc libafsauthent
echo Not building MT viced for ${SYS_NAME} ;; \
esac
volser: cmd comerr tviced usd kauth audit
volser: cmd comerr tviced usd $(KAERRORS) audit
${COMPILE_PART1} volser ${COMPILE_PART2}
tvolser: project tviced usd libafsrpc libafsauthent volser
@ -268,7 +285,7 @@ venus: cmd comerr volser ptserver
${COMPILE_PART1} venus ${COMPILE_PART2}
${COMPILE_PART1} venus/test ${COMPILE_PART2}
afsd: cmd comerr sys kauth
afsd: cmd comerr sys auth
${COMPILE_PART1} afsd ${COMPILE_PART2}
null: cmd comerr
@ -283,19 +300,19 @@ ${TOP_LIBDIR}/libtermlib.a:
ln -s /usr/lib/libtermlib.a ${TOP_LIBDIR}/libtermlib.a ;; \
esac
gtx: cmd comerr null auth kauth ${TOP_LIBDIR}/libtermlib.a
gtx: cmd comerr null auth ${TOP_LIBDIR}/libtermlib.a
${COMPILE_PART1} gtx ${COMPILE_PART2}
fsprobe: cmd comerr util fsint volser
fsprobe: cmd comerr util fsint volser $(KAERRORS)
${COMPILE_PART1} fsprobe ${COMPILE_PART2}
scout: cmd comerr gtx fsprobe
scout: cmd comerr gtx fsprobe $(KAERRORS)
${COMPILE_PART1} scout ${COMPILE_PART2}
uss: des kauth cmd comerr rx vlserver vol volser
uss: des $(KAUTH) cmd comerr rx vlserver vol volser
${COMPILE_PART1} uss ${COMPILE_PART2}
bozo: cmd comerr audit auth kauth volser
bozo: cmd comerr audit auth $(KAUTH) volser
${COMPILE_PART1} bozo ${COMPILE_PART2}
vfsck: vol
@ -307,7 +324,7 @@ vfsck: vol
${COMPILE_PART1} vfsck ${COMPILE_PART2} ;; \
esac
pam: cmd comerr kauth rxkad
pam: cmd comerr $(KAUTH) rxkad
set -x; \
if test "@HAVE_PAM@" = "yes"; then \
${COMPILE_PART1} pam ${COMPILE_PART2} ; \
@ -315,7 +332,7 @@ pam: cmd comerr kauth rxkad
echo Skipping pam for ${SYS_NAME} ; \
fi
tsm41: cmd comerr kauth rxkad
tsm41: cmd comerr $(KAUTH) rxkad
set -x; \
case ${SYS_NAME} in \
rs_aix* ) \
@ -324,7 +341,7 @@ tsm41: cmd comerr kauth rxkad
echo Skipping tsm41 for ${SYS_NAME} ;; \
esac
sia: cmd comerr kauth rxkad
sia: cmd comerr $(KAUTH) rxkad
set -x; \
case ${SYS_NAME} in \
alpha_dux* ) \
@ -333,7 +350,7 @@ sia: cmd comerr kauth rxkad
echo Skipping sia for ${SYS_NAME} ;; \
esac
sgistuff: cmd comerr kauth rxkad
sgistuff: cmd comerr $(KAUTH) rxkad
set -x; \
case ${SYS_NAME} in \
sgi_* ) \
@ -342,18 +359,18 @@ sgistuff: cmd comerr kauth rxkad
echo Skipping sgistuff for ${SYS_NAME} ;; \
esac
aklog: comerr ptserver
aklog: comerr ptserver @ENABLE_SSL@ k5ssl
@ENABLE_KRB5@ ${COMPILE_PART1} aklog ${COMPILE_PART2}
@DISABLE_KRB5@ echo Skipping aklog for ${SYS_NAME}
k5ssl: comerr
set -x; \
if test "@BUILD_KRB5@" = "yes"; then \
${COMPILE_PART1} aklog ${COMPILE_PART2} ; \
else \
echo Skipping aklog for ${SYS_NAME} ; \
fi
${COMPILE_PART1} k5ssl ${COMPILE_PART2} \
platform:
${COMPILE_PART1} platform ${COMPILE_PART2}
login: cmd comerr kauth rxkad pam sia tsm41 sgistuff aklog
login: cmd comerr $(KAUTH) rxkad pam sia tsm41 sgistuff aklog
set -x; \
if test "@BUILD_LOGIN@" = "yes"; then \
${COMPILE_PART1} login ${COMPILE_PART2} ; \
@ -380,13 +397,16 @@ rx_depinstall: pinstall
rxkad_depinstall: pinstall comerr
${COMPILE_PART1} rxkad ${COMPILE_DEPINSTALL}
rxk5_depinstall: pinstall comerr rxgen
${COMPILE_PART1} rxk5 ${COMPILE_DEPINSTALL}
ubik_depinstall: pinstall comerr rxgen
${COMPILE_PART1} ubik ${COMPILE_DEPINSTALL}
vlserver_depinstall: pinstall rxgen ubik_depinstall auth_depinstall
${COMPILE_PART1} vlserver ${COMPILE_DEPINSTALL}
auth_depinstall: pinstall comerr
auth_depinstall: pinstall comerr rxgen
${COMPILE_PART1} auth ${COMPILE_DEPINSTALL}
fsint_depinstall: pinstall rxgen
@ -404,7 +424,7 @@ afs_depinstall: pinstall comerr
dir_depinstall: pinstall
${COMPILE_PART1} dir ${COMPILE_DEPINSTALL}
sys_depinstall: pinstall
sys_depinstall: pinstall rxgen
${COMPILE_PART1} sys ${COMPILE_DEPINSTALL}
kauth_depinstall: pinstall rxgen comerr
@ -413,6 +433,12 @@ kauth_depinstall: pinstall rxgen comerr
ptserver_depinstall: pinstall rxgen comerr
${COMPILE_PART1} ptserver ${COMPILE_DEPINSTALL}
bozo_depinstall: pinstall rxgen comerr
${COMPILE_PART1} bozo ${COMPILE_DEPINSTALL}
volser_depinstall: pinstall rxgen comerr
${COMPILE_PART1} volser ${COMPILE_DEPINSTALL}
${DEST}/bin/dedebug: dedebug
${INSTALL} -s $? $@
@ -421,13 +447,15 @@ ${DEST}/bin/dedebug: dedebug
# libafs build targets
#
libafs_setup: config export
src/config/config src/libafs/MakefileProto.${MKAFS_OSTYPE} src/libafs/Makefile ${SYS_NAME}
src/config/config src/libafs/MakefileProto.${MKAFS_OSTYPE} src/libafs/Makefile ${SYS_NAME} ${RXK5} ${NFSSRV}
libafs: libafs_setup lwp_depinstall rx_depinstall vlserver_depinstall rxkad_depinstall fsint_depinstall \
libafs: libafs_setup lwp_depinstall rx_depinstall vlserver_depinstall \
rxkad_depinstall ${MAYBE_RXK5_DEPINSTALL} fsint_depinstall \
libacl_depinstall afs_depinstall dir_depinstall rxstat_depinstall sys_depinstall
${COMPILE_PART1} libafs ${COMPILE_PART2}
libafs_tree: libafs_setup lwp_depinstall rx_depinstall vlserver_depinstall rxkad_depinstall fsint_depinstall \
libafs_tree: libafs_setup lwp_depinstall rx_depinstall vlserver_depinstall \
rxkad_depinstall ${MAYBE_RXK5_DEPINSTALL} fsint_depinstall \
libacl_depinstall afs_depinstall dir_depinstall rxstat_depinstall sys_depinstall
${TOP_SRCDIR}/config/make_libafs_tree.pl \
-sn $(SYS_NAME) \
@ -445,10 +473,11 @@ UKERNELDIR= \
afsweb
libuafs_setup: config export
src/config/config src/libuafs/MakefileProto.${MKAFS_OSTYPE} src/libuafs/Makefile ${SYS_NAME}
src/config/config src/libuafs/MakefileProto.${MKAFS_OSTYPE} src/libuafs/Makefile ${SYS_NAME} ${RXK5}
libuafs: libuafs_setup vlserver_depinstall rx_depinstall fsint_depinstall \
auth_depinstall dir_depinstall libacl_depinstall rxkad_depinstall \
auth_depinstall dir_depinstall libacl_depinstall \
rxkad_depinstall ${MAYBE_RXK5_DEPINSTALL} \
ubik_depinstall afs_depinstall kauth_depinstall ptserver_depinstall \
rxstat_depinstall lwp_depinstall sys_depinstall des
set -x; \
@ -459,7 +488,7 @@ libuafs: libuafs_setup vlserver_depinstall rx_depinstall fsint_depinstall \
${COMPILE_PART1} libuafs ${COMPILE_PART2} ;; \
esac
afsweb: kauth dauth
afsweb: $(KAUTH)
${COMPILE_PART1} afsweb ${COMPILE_PART2}
update: cmd comerr auth
@ -477,10 +506,10 @@ usd: cmd comerr
bubasics: cmd comerr comerr rx
${COMPILE_PART1} bubasics ${COMPILE_PART2}
butm: cmd comerr bubasics usd uss
butm: cmd comerr bubasics usd
${COMPILE_PART1} butm ${COMPILE_PART2}
butc: cmd comerr bubasics butm budb bucoord cmd rxgen rx
butc: cmd comerr bubasics butm budb bucoord cmd rxgen rx $(KAERRORS)
${COMPILE_PART1} butc ${COMPILE_PART2}
tbutc: cmd comerr bubasics butm budb bucoord cmd butc libadmin
@ -491,10 +520,10 @@ tbutc: cmd comerr bubasics butm budb bucoord cmd butc libadmin
echo Not building MT butc for ${SYS_NAME} ;; \
esac
budb: cmd comerr bubasics uss
budb: ptserver ubik cmd comerr bubasics
${COMPILE_PART1} budb ${COMPILE_PART2}
bucoord: cmd comerr bubasics budb volser
bucoord: cmd comerr bubasics budb butm $(KAERRORS) volser
${COMPILE_PART1} bucoord ${COMPILE_PART2}
xstat: cmd comerr fsint viced
@ -506,7 +535,7 @@ afsmonitor: cmd comerr gtx xstat
tests: rxtests ubiktests
# pthread based user space RX library
libafsrpc: rx rxkad des
libafsrpc: rx rxkad des @ENABLE_RXK5@ rxk5_depinstall
case ${SYS_NAME} in \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*|*[of]bsd*|*nbsd[234]*) \
${COMPILE_PART1} libafsrpc ${COMPILE_PART2} ;; \
@ -518,7 +547,7 @@ libafsrpc: rx rxkad des
echo Not building MT libafsrpc for ${SYS_NAME} ;; \
esac
libafsauthent: ubik auth kauth libafsrpc
libafsauthent: ubik auth $(KAUTH) kauth_depinstall libafsrpc ptserver_depinstall
case ${SYS_NAME} in \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*|*[of]bsd*|*nbsd[234]*) \
${COMPILE_PART1} libafsauthent ${COMPILE_PART2} ;; \
@ -531,7 +560,7 @@ libafsauthent: ubik auth kauth libafsrpc
esac
# pthread based user space RX library
shlibafsrpc: rx rxkad des
shlibafsrpc: rx rxkad des @ENABLE_RXK5@ rxk5_depinstall
case ${SYS_NAME} in \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsrpc ${COMPILE_PART2} ;; \
@ -539,7 +568,7 @@ shlibafsrpc: rx rxkad des
echo Not building shared libafsrpc for ${SYS_NAME} ;; \
esac
shlibafsauthent: ubik auth kauth shlibafsrpc
shlibafsauthent: ubik auth $(KAUTH) kauth_depinstall shlibafsrpc ptserver_depinstall
case ${SYS_NAME} in \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsauthent ${COMPILE_PART2} ;; \
@ -559,7 +588,7 @@ libadmin_real:
${COMPILE_PART1} libadmin/test ${COMPILE_PART2}
${COMPILE_PART1} libadmin/samples ${COMPILE_PART2}
libadmin: libafsauthent bozo
libadmin: libafsauthent bozo_depinstall vlserver_depinstall volser_depinstall
case ${SYS_NAME} in \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
$(MAKE) libadmin_real ;; \
@ -585,14 +614,14 @@ jafs: libjafs
jafsadm: libjafsadm
finale: project cmd comerr afsd butc tbutc @ENABLE_KERNEL_MODULE@ libuafs audit kauth log package \
finale: project cmd comerr afsd butc tbutc @ENABLE_KERNEL_MODULE@ libuafs audit $(KAERRORS) log package \
ptserver scout bu_utils ubik uss bozo vfsck volser tvolser tsalvaged \
venus update xstat afsmonitor dauth rxdebug libafsrpc \
libafsauthent shlibafsrpc shlibafsauthent libadmin login man-pages \
platform
${COMPILE_PART1} finale ${COMPILE_PART2}
finale_nolibafs: project cmd comerr afsd butc tbutc libuafs audit kauth log package \
finale_nolibafs: project cmd comerr afsd butc tbutc libuafs audit $(KAUTH) log package \
ptserver scout bu_utils ubik uss bozo vfsck volser tvolser tsalvaged \
venus update xstat afsmonitor dauth rxdebug libafsrpc \
libafsauthent shlibafsrpc shlibafsauthent libadmin login man-pages \
@ -639,10 +668,12 @@ clean2:
-${COMPILE_PART1} des ${COMPILE_CLEAN}
-${COMPILE_PART1} sys ${COMPILE_CLEAN}
-${COMPILE_PART1} rxkad ${COMPILE_CLEAN}
-${COMPILE_PART1} rxk5 ${COMPILE_CLEAN}
-${COMPILE_PART1} auth ${COMPILE_CLEAN}
-${COMPILE_PART1} ubik ${COMPILE_CLEAN}
-${COMPILE_PART1} ptserver ${COMPILE_CLEAN}
-${COMPILE_PART1} kauth ${COMPILE_CLEAN}
-${COMPILE_PART1} k5ssl ${COMPILE_CLEAN}
-${COMPILE_PART1} dauth ${COMPILE_CLEAN}
-${COMPILE_PART1} libacl ${COMPILE_CLEAN}
-${COMPILE_PART1} dir ${COMPILE_CLEAN}
@ -754,6 +785,7 @@ distclean: clean
src/gtx/Makefile \
src/kauth/test/Makefile \
src/kauth/Makefile \
src/k5ssl/Makefile \
src/libacl/test/Makefile \
src/libacl/Makefile \
src/libadmin/adminutil/Makefile \
@ -803,6 +835,7 @@ distclean: clean
src/rxgen/Makefile \
src/rxkad/Makefile \
src/rxkad/test/Makefile \
src/rxk5/Makefile \
src/rxstat/Makefile \
src/scout/Makefile \
src/sgistuff/Makefile \
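Review bot: The new k5ssl recipe line `${COMPILE_PART1} k5ssl ${COMPILE_PART2} \` ends in a backslash, so make reads the following `platform:` rule header as a continuation of that recipe: `platform:` is passed to the shell as trailing text of the k5ssl command and the `platform` target ends up with no rule of its own, which should surface as "No rule to make target" since `finale` lists `platform` as a prerequisite. Drop the trailing backslash: `${COMPILE_PART1} k5ssl ${COMPILE_PART2}`. The same file also gains a dead commented-out assignment, `### old: @ENABLE_RXK5@RXK5=@RXK5@`, and an unexplained `#TODO` on the audit recipe; either remove them or replace them with a comment stating what is still outstanding. The `finale` and `finale_nolibafs` headers were edited inconsistently, one now listing `$(KAERRORS)` and the other `$(KAUTH)`; both expand to `kauth` today, but presumably the two targets are meant to agree, so confirm which is intended.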

162
README.RXK5 Normal file

@ -0,0 +1,162 @@
RXK5
"rxk5" is a kerberos 5 based replacement for rxkad.
See src/rxk5/README for more detailed information on rxk5 design.
To use rxk5 with openafs,
/1/ build (see notes below)
/2/ install on servers.
/3/ create a service principal:
afs-k5/<cell-name>@<realm-name>
make sure you only select encryption types supported by your
servers.
/4/ extract and install this service principal's key in:
${afsconfdir}/afs.keytab
(where ${afsconfdir} might be something like
/etc/openaf/server or /usr/afs/etc)
on each db server and file server in your cell.
You must do this by hand: there are no provisions (yet?)
in bosserver to maintain keytabs or k5 principals or
k5 configuration.
If you don't want to support rxkad, remove your
KeyFile. You can run both rxkad & rxk5 in parallel,
in which case, you should not remove this file.
You can remove it later after you have finished migrating
all of your clients.
/5/ if you are supporting multiple "local" kerberos realms,
create ${afsconfdir}/krb.conf
and list all your local kerberos realm realms on the first
line. Your preferred realm should probably be listed first.
If you do not have this file, your local realm is
your cell name upper-cased. When mapping names into
pt names, this file controls which ones are not considered
to be "foreign" principals, so you want to get this right.
/6/ UserList file: ${afsconfdir}/UserList .
For now for rxk5: if you have names with instances: you
must list them as user/foo or user/foo@realm .
There are a number of issues with this; this logic
may change in the future.
/7/ for openafs + rxk5, it's more important to make sure that
afs host to realm mapping work right for all your cell db servers.
This is particularly an issue on the clients, but
many of the choices are global.
* If possible: your realm-name should be the uppercase of your cell name.
* If possible: your kerberos realm should at least be upper-case.
* If possible: your db servers should have dns names exactly like:
<hostname>.<realm-name>
Especially if the above aren't true then:
* dns configuration:
In DNS, you should have host realm mapping txt records,
something like:
_kerberos.<xxx> TXT REALM-NAME
where <xxx> matches the last N elements of your host name.
(the krb5 library will start with the fqdn of your "first
db server, then strip leading elements off one by one
until a _kerberos record is found.
The realm-name should NOT be . terminated, and case matters.
you may also want:
afsdb records for your cell pointing to your db servers.
_kerberos._udp.<realm> srv records for your kerberos kdcs.
* krb5.conf configuration:
[domain_realm] stanza:
For your local environment, you should use this to map
your local domains into your local kerberos realms,
perhaps also favoured foreign domains & realms.
Listing this can speed performance and improve security.
[libdefaults] stanza:
Do NOT have this line: default_etypes = des-cbc-crc
With dns_lookup_realm = 0,
you will disable DNS host_realm mappings. This is
the default with MIT.If you set this to 1, you enable
this, which is the default with Heimdal. Enabling this
might slow down host realm mapping logic, but give better
data for cells outside your local environment.
Client side, run-time.
Tools generally support the following:
-localauth -k5 use local keytab, be "god", rxk5
-localauth -k4 use local keyfile, be "god", rxkad
-localauth keytab if possible, else keyfile, else noauth
-k5 use k5 credentials cache, rxk5
-ktc (?) use ktc, rxk5 or rxkad. XXX not yet implemented.
-noauth none of the above
Tools default to either -k5 or -ktc.
XXX may be compile time option?
To alter the default, set
AFS_RXK5_DEFAULT
if set to 1 or yes, forces use of k5 credentials cache,
otherwise, forces use of ktc.
See notes above on host to realm mapping before defaulting
to -k5. If you need to use "-k" on aklog, -k5 on other
commands will not work.
XXX why can't other tools look for afs-k5/<cell-name>@arbitrary-realm?
Build configuration.
OS & hardware choices:
rxk5 + openafs has been developed and should work best on i386 linux 2.4, 2.6.
Building and testing for other unix-like architectures is in progress;
solaris or aix may be possibilities for you. Windows is its own special
case; in principle this should be no problem, but the necessary modifications
are a separate effort not yet begun. openafs + rxk5 on windows will likely
require some future version of mit kerberos.
possible kerberos libraries:
heimdal
I've used 0.6.4 in the past. I currently use "CVS head"
as of 20060410, which I recommend in preference to 0.6.4
or 0.7.2.
configure openafs with:
--enable-rxk5
--with-krb5-conf=.../krb5-conf
MIT k5
not recommended for now. The MIT folks have indicated
they may be willing to support a suitable interface
in some future version of MIT k5. For now, do not use
unless you are willing to patch, build, and support kerberos.
See note in src/rxk5/README for more information.
shishi
"alpha" quality. Shishi is GPL not LGPL; so there
are probably severe licensing problems if you share
code built with this. You'll have to patch openafs to
make this work; run-time configuration will be special as well.
If you succeed and find it useful: please submit BSD or IPL
compatible patches and documentation to the openafs community.
k5ssl (standalone)
k5ssl is a partial kerberos implementation inside of openafs.
It's always used inside the cache manager with its own private
crypto library. If you supply real openssl libraries, this
can also be used with the rest of openafs. Since openssl
supports hardware accelleration, this may be particularly useful
and attractive for the afs server. Note that the 524 functionality
of aklog is not available with k5ssl.
configure openafs with:
--with-ssl [=path...]
--with-krb5
-Marcus Watts
University of Michigan ITCS UMCE
Mon Sep 4 03:34:05 EDT 2006


@ -1,80 +0,0 @@
@BOTTOM@
#undef PACKAGE
#undef VERSION
#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
#undef HAVE_CONNECT
#undef HAVE_GETHOSTBYNAME
#undef HAVE_RES_SEARCH
#undef HAVE_SOCKET
#undef STRUCT_SOCKADDR_HAS_SA_LEN
#if !defined(__BIG_ENDIAN__) && !defined(__LITTLE_ENDIAN__)
# if ENDIANESS_IN_SYS_PARAM_H
# ifndef KERNEL
# include <sys/types.h>
# include <sys/param.h>
# if BYTE_ORDER == BIG_ENDIAN
# define WORDS_BIGENDIAN 1
# endif
# else
# if defined(AUTOCONF_FOUND_BIGENDIAN)
# define WORDS_BIGENDIAN 1
# else
# undef WORDS_BIGENDIAN
# endif
# endif
# else
# if defined(AUTOCONF_FOUND_BIGENDIAN)
# define WORDS_BIGENDIAN 1
# else
# undef WORDS_BIGENDIAN
# endif
# endif
#else
# if defined(__BIG_ENDIAN__)
# define WORDS_BIGENDIAN 1
# else
# undef WORDS_BIGENDIAN
# endif
#endif
#undef AFS_AFSDB_ENV
#undef AFS_LARGEFILE_ENV
#undef AFS_NAMEI_ENV
#undef BITMAP_LATER
#undef BOS_RESTRICTED_MODE
#undef BOS_NEW_CONFIG
#undef FAST_RESTART
#undef FULL_LISTVOL_SWITCH
#undef COMPLETION_H_EXISTS
#undef DEFINED_FOR_EACH_PROCESS
#undef DEFINED_PREV_TASK
#undef EXPORTED_KALLSYMS_ADDRESS
#undef EXPORTED_KALLSYMS_SYMBOL
#undef EXPORTED_SYS_CALL_TABLE
#undef EXPORTED_IA32_SYS_CALL_TABLE
#undef EXPORTED_TASKLIST_LOCK
#undef INODE_SETATTR_NOT_VOID
#undef IRIX_HAS_MEM_FUNCS
#undef RECALC_SIGPENDING_TAKES_VOID
#undef STRUCT_ADDRESS_SPACE_HAS_GFP_MASK
#undef STRUCT_ADDRESS_SPACE_HAS_PAGE_LOCK
#undef STRUCT_FS_HAS_FS_ROLLED
#undef STRUCT_INODE_HAS_I_DEVICES
#undef STRUCT_INODE_HAS_I_DIRTY_DATA_BUFFERS
#undef STRUCT_INODE_HAS_I_ALLOC_SEM
#undef STRUCT_INODE_HAS_I_TRUNCATE_SEM
#undef STRUCT_TASK_STRUCT_HAS_PARENT
#undef STRUCT_TASK_STRUCT_HAS_REAL_PARENT
#undef STRUCT_TASK_STRUCT_HAS_SIG
#undef STRUCT_TASK_STRUCT_HAS_SIGHAND
#undef STRUCT_TASK_STRUCT_HAS_SIGMASK_LOCK
#undef ssize_t
#undef SIZEOF_TIME_T
#undef HAVE_STRUCT_BUF
#undef HAVE_ARPA_NAMESER_COMPAT_H
/* glue for RedHat kernel bug */
#undef ENABLE_REDHAT_BUILDSYS
#if defined(ENABLE_REDHAT_BUILDSYS) && defined(KERNEL) && defined(REDHAT_FIX)
#include "redhat-fix.h"
#endif


@ -5,6 +5,49 @@ dnl NB: Because this code is a macro, references to positional shell
dnl parameters must be done like $[]1 instead of $1
AC_DEFUN([OPENAFS_CONFIGURE_COMMON],[
AH_VERBATIM([RCSID],
[#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }])
AH_BOTTOM([/* __BIG_ENDIAN__ is a darwinism, for fat binaries */
#if !defined(__BIG_ENDIAN__) && !defined(__LITTLE_ENDIAN__)
# if defined(ENDIANESS_IN_SYS_PARAM_H) && !defined(KERNEL)
# include <sys/types.h>
# include <sys/param.h>
# if BYTE_ORDER == BIG_ENDIAN
# define WORDS_BIGENDIAN 1
# endif
# else
# if defined(AUTOCONF_FOUND_BIGENDIAN)
# define WORDS_BIGENDIAN 1
# endif
# endif
#else
# if defined(__BIG_ENDIAN__)
# define WORDS_BIGENDIAN 1
# endif
#endif
#if defined(KERNEL) && !defined(UKERNEL) /* all builds use K5SSL in the kernel */
# define USING_SSL 1
# define FAKESSL 1
#else
# ifdef COMPILED_WITH_HEIMDAL
# define USING_HEIMDAL 1
# endif
# ifdef COMPILED_WITH_SHISHI
# define USING_SHISHI 1
# endif
# ifdef COMPILED_WITH_MIT
# define USING_MIT 1
# endif
# ifdef COMPILED_WITH_SSL
# define USING_SSL 1
# endif
#endif
/* glue for RedHat kernel bug */
#undef ENABLE_REDHAT_BUILDSYS
#if defined(ENABLE_REDHAT_BUILDSYS) && defined(KERNEL) && defined(REDHAT_FIX)
#include "redhat-fix.h"
#endif])
AC_CANONICAL_HOST
SRCDIR_PARENT=`pwd`
@ -23,6 +66,10 @@ AC_ARG_ENABLE( bos-restricted-mode,
[ --enable-bos-restricted-mode enable bosserver restricted mode which disables certain bosserver functionality],, enable_bos_restricted_mode="no")
AC_ARG_ENABLE( bos-new-config,
[ --enable-bos-new-config enable bosserver pickup of BosConfig.new on restarts],, enable_bos_new_config="no")
AC_ARG_ENABLE( ka-server,
[ --enable-ka-server enable kaserver (k4 kdc)],, enable_ka_server="no")
AC_ARG_ENABLE( ka-clients,
[ --disable-ka-clients disable building ka (afs k4) tools],, enable_ka_clients="yes")
AC_ARG_ENABLE( largefile-fileserver,
[ --disable-largefile-fileserver disable large file support in fileserver],, enable_largefile_fileserver="yes")
AC_ARG_ENABLE( namei-fileserver,
@ -85,7 +132,8 @@ AC_ARG_ENABLE(debug-pam,
AC_ARG_ENABLE(optimize-pam,
[ --disable-optimize-pam disable optimization for compilation of the PAM code (defaults to enabled)],, enable_optimize_pam="yes"
)
AC_ARG_ENABLE( rxk5,
[ --enable-rxk5 enable support for rxk5 security class],, enable_rxk5="no")
enable_login="no"
@ -116,7 +164,7 @@ case $system in
MKAFS_OSTYPE=LINUX
if test "x$enable_redhat_buildsys" = "xyes"; then
AC_DEFINE(ENABLE_REDHAT_BUILDSYS, 1, [define if you have redhat buildsystem])
AC_DEFINE([ENABLE_REDHAT_BUILDSYS], 1, [define if you have redhat buildsystem])
fi
if test "x$enable_kernel_module" = "xyes"; then
if test "x$with_linux_kernel_headers" != "x"; then
@ -198,7 +246,7 @@ case $system in
MKAFS_OSTYPE=HPUX
AC_MSG_RESULT(hp_ux)
if test -f "/usr/old/usr/include/ndir.h"; then
AC_DEFINE(HAVE_USR_OLD_USR_INCLUDE_NDIR_H, 1, [define if you have old ndir.h])
AC_DEFINE([HAVE_USR_OLD_USR_INCLUDE_NDIR_H], 1, [define if you have old ndir.h])
fi
;;
*-irix*)
@ -553,7 +601,7 @@ else
CPPFLAGS="-I${LINUX_KERNEL_PATH}/include $CPPFLAGS"
AC_TRY_COMPILE(
[#include <linux/autoconf.h>],
[#ifndef CONFIG_USERMODE
[#if !defined(CONFIG_USERMODE) && !defined(CONFIG_UML)
#error not UML
#endif],
ac_cv_linux_is_uml=yes,)
@ -571,30 +619,23 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*)
# Add (sub-) architecture-specific paths needed by conftests
case $AFS_SYSNAME in
*_umlinux26)
UMLINUX26_FLAGS="-I$LINUX_KERNEL_PATH/arch/um/include"
UMLINUX26_FLAGS="$UMLINUX26_FLAGS -I$LINUX_KERNEL_PATH/arch/um/kernel/tt/include"
UMLINUX26_FLAGS="$UMLINUX26_FLAGS -I$LINUX_KERNEL_PATH/arch/um/kernel/skas/include"
CPPFLAGS="$CPPFLAGS $UMLINUX26_FLAGS"
*_umlinux*)
LINUX_SETENV_UM="ARCH=um"
;;
esac
if test "x$enable_kernel_module" = "xyes"; then
if test "x$enable_debug_kernel" = "xno"; then
LINUX_GCC_KOPTS="$LINUX_GCC_KOPTS -fomit-frame-pointer"
fi
OPENAFS_GCC_SUPPORTS_MARCH
AC_SUBST(P5PLUS_KOPTS)
OPENAFS_GCC_NEEDS_NO_STRENGTH_REDUCE
OPENAFS_GCC_NEEDS_NO_STRICT_ALIASING
OPENAFS_GCC_SUPPORTS_NO_COMMON
OPENAFS_GCC_SUPPORTS_PIPE
AC_SUBST(LINUX_GCC_KOPTS)
LINUX_KERNEL_GET_KCC
ifdef([OPENAFS_CONFIGURE_LIBAFS],
[LINUX_BUILD_VNODE_FROM_INODE(src/config,src/afs)],
[LINUX_BUILD_VNODE_FROM_INODE(${srcdir}/src/config,src/afs/LINUX,${srcdir}/src/afs/LINUX)]
)
if test "x$enable_debug_kernel" = "xno"; then
LINUX_KCFLAGS="$LINUX_KCFLAGS -fomit-frame-pointer"
fi
LINUX_KERNEL_COMPILE_WORKS
LINUX_KERNEL_HAS_NFSSRV
LINUX_CONFIG_H_EXISTS
LINUX_COMPLETION_H_EXISTS
LINUX_DEFINES_FOR_EACH_PROCESS
@ -681,163 +722,163 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*)
fi
fi
if test -f "$LINUX_KERNEL_PATH/include/linux/in_systm.h"; then
AC_DEFINE(HAVE_IN_SYSTM_H, 1, [define if you have in_systm.h header file])
AC_DEFINE([HAVE_IN_SYSTM_H], 1, [define if you have in_systm.h header file])
fi
if test -f "$LINUX_KERNEL_PATH/include/linux/mm_inline.h"; then
AC_DEFINE(HAVE_MM_INLINE_H, 1, [define if you have mm_inline.h header file])
AC_DEFINE([HAVE_MM_INLINE_H], 1, [define if you have mm_inline.h header file])
fi
if test -f "$LINUX_KERNEL_PATH/include/linux/in_systm.h"; then
AC_DEFINE(HAVE_IN_SYSTM_H, 1, [define if you have in_systm.h header file])
AC_DEFINE([HAVE_IN_SYSTM_H], 1, [define if you have in_systm.h header file])
fi
if test "x$ac_cv_linux_exports_sys_chdir" = "xyes" ; then
AC_DEFINE(EXPORTED_SYS_CHDIR, 1, [define if your linux kernel exports sys_chdir])
AC_DEFINE([EXPORTED_SYS_CHDIR], 1, [define if your linux kernel exports sys_chdir])
fi
if test "x$ac_cv_linux_exports_sys_open" = "xyes" ; then
AC_DEFINE(EXPORTED_SYS_OPEN, 1, [define if your linux kernel exports sys_open])
AC_DEFINE([EXPORTED_SYS_OPEN], 1, [define if your linux kernel exports sys_open])
fi
if test "x$ac_cv_linux_exports_sys_close" = "xyes" ; then
AC_DEFINE(EXPORTED_SYS_CLOSE, 1, [define if your linux kernel exports sys_close])
AC_DEFINE([EXPORTED_SYS_CLOSE], 1, [define if your linux kernel exports sys_close])
fi
if test "x$ac_cv_linux_exports_sys_wait4" = "xyes" ; then
AC_DEFINE(EXPORTED_SYS_WAIT4, 1, [define if your linux kernel exports sys_wait4])
AC_DEFINE([EXPORTED_SYS_WAIT4], 1, [define if your linux kernel exports sys_wait4])
fi
if test "x$ac_cv_linux_exports_sys_call_table" = "xyes"; then
AC_DEFINE(EXPORTED_SYS_CALL_TABLE)
AC_DEFINE([EXPORTED_SYS_CALL_TABLE],1,[define if linux exports sys_call_table])
fi
if test "x$ac_cv_linux_exports_ia32_sys_call_table" = "xyes"; then
AC_DEFINE(EXPORTED_IA32_SYS_CALL_TABLE)
AC_DEFINE([EXPORTED_IA32_SYS_CALL_TABLE],1,[specific to amd64/i386])
fi
if test "x$ac_cv_linux_exports_kallsyms_symbol" = "xyes"; then
AC_DEFINE(EXPORTED_KALLSYMS_SYMBOL)
AC_DEFINE([EXPORTED_KALLSYMS_SYMBOL],1,[define if linux exports kallsyms_symbol_to_address])
fi
if test "x$ac_cv_linux_exports_kallsyms_address" = "xyes"; then
AC_DEFINE(EXPORTED_KALLSYMS_ADDRESS)
AC_DEFINE([EXPORTED_KALLSYMS_ADDRESS],1,[define if linux exports kallsyms_address_to_symbol])
fi
if test "x$ac_cv_linux_completion_h_exists" = "xyes" ; then
AC_DEFINE(COMPLETION_H_EXISTS, 1, [define if completion_h exists])
AC_DEFINE([COMPLETION_H_EXISTS], 1, [define if completion_h exists])
fi
if test "x$ac_cv_linux_config_h_exists" = "xyes" ; then
AC_DEFINE(CONFIG_H_EXISTS, 1, [define if config.h exists])
fi
if test "x$ac_cv_linux_defines_for_each_process" = "xyes" ; then
AC_DEFINE(DEFINED_FOR_EACH_PROCESS, 1, [define if for_each_process defined])
AC_DEFINE([DEFINED_FOR_EACH_PROCESS], 1, [define if for_each_process defined])
fi
if test "x$ac_cv_linux_defines_prev_task" = "xyes" ; then
AC_DEFINE(DEFINED_PREV_TASK, 1, [define if prev_task defined])
AC_DEFINE([DEFINED_PREV_TASK], 1, [define if prev_task defined])
fi
if test "x$ac_cv_linux_func_inode_setattr_returns_int" = "xyes" ; then
AC_DEFINE(INODE_SETATTR_NOT_VOID, 1, [define if your setattr return return non-void])
AC_DEFINE([INODE_SETATTR_NOT_VOID], 1, [define if your setattr return return non-void])
fi
if test "x$ac_cv_linux_func_write_inode_returns_int" = "xyes" ; then
AC_DEFINE(WRITE_INODE_NOT_VOID, 1, [define if your sops.write_inode returns non-void])
AC_DEFINE([WRITE_INODE_NOT_VOID], 1, [define if your sops.write_inode returns non-void])
fi
if test "x$ac_cv_linux_fs_struct_super_has_alloc_inode" = "xyes" ; then
AC_DEFINE(STRUCT_SUPER_HAS_ALLOC_INODE, 1, [define if your struct super_operations has alloc_inode])
AC_DEFINE([STRUCT_SUPER_HAS_ALLOC_INODE], 1, [define if your struct super_operations has alloc_inode])
fi
if test "x$ac_cv_linux_fs_struct_address_space_has_page_lock" = "xyes"; then
AC_DEFINE(STRUCT_ADDRESS_SPACE_HAS_PAGE_LOCK, 1, [define if your struct address_space has page_lock])
AC_DEFINE([STRUCT_ADDRESS_SPACE_HAS_PAGE_LOCK], 1, [define if your struct address_space has page_lock])
fi
if test "x$ac_cv_linux_fs_struct_address_space_has_gfp_mask" = "xyes"; then
AC_DEFINE(STRUCT_ADDRESS_SPACE_HAS_GFP_MASK, 1, [define if your struct address_space has gfp_mask])
AC_DEFINE([STRUCT_ADDRESS_SPACE_HAS_GFP_MASK], 1, [define if your struct address_space has gfp_mask])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_truncate_sem" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_TRUNCATE_SEM, 1, [define if your struct inode has truncate_sem])
AC_DEFINE([STRUCT_INODE_HAS_I_TRUNCATE_SEM], 1, [define if your struct inode has truncate_sem])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_alloc_sem" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_ALLOC_SEM, 1, [define if your struct inode has alloc_sem])
AC_DEFINE([STRUCT_INODE_HAS_I_ALLOC_SEM], 1, [define if your struct inode has alloc_sem])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_blksize" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_BLKSIZE, 1, [define if your struct inode has i_blksize])
AC_DEFINE([STRUCT_INODE_HAS_I_BLKSIZE], 1, [define if your struct inode has i_blksize])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_devices" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_DEVICES, 1, [define if you struct inode has i_devices])
AC_DEFINE([STRUCT_INODE_HAS_I_DEVICES], 1, [define if you struct inode has i_devices])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_security" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_SECURITY, 1, [define if you struct inode has i_security])
AC_DEFINE([STRUCT_INODE_HAS_I_SECURITY], 1, [define if you struct inode has i_security])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_mutex" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_MUTEX, 1, [define if you struct inode has i_mutex])
AC_DEFINE([STRUCT_INODE_HAS_I_MUTEX], 1, [define if you struct inode has i_mutex])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_sb_list" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_SB_LIST, 1, [define if you struct inode has i_sb_list])
AC_DEFINE([STRUCT_INODE_HAS_I_SB_LIST], 1, [define if you struct inode has i_sb_list])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_i_dirty_data_buffers" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_I_DIRTY_DATA_BUFFERS, 1, [define if your struct inode has data_buffers])
AC_DEFINE([STRUCT_INODE_HAS_I_DIRTY_DATA_BUFFERS], 1, [define if your struct inode has data_buffers])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_inotify_lock" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_INOTIFY_LOCK, 1, [define if your struct inode has inotify_lock])
AC_DEFINE([STRUCT_INODE_HAS_INOTIFY_LOCK], 1, [define if your struct inode has inotify_lock])
fi
if test "x$ac_cv_linux_fs_struct_inode_has_inotify_sem" = "xyes"; then
AC_DEFINE(STRUCT_INODE_HAS_INOTIFY_SEM, 1, [define if your struct inode has inotify_sem])
AC_DEFINE([STRUCT_INODE_HAS_INOTIFY_SEM], 1, [define if your struct inode has inotify_sem])
fi
if test "x$ac_cv_linux_func_recalc_sigpending_takes_void" = "xyes"; then
AC_DEFINE(RECALC_SIGPENDING_TAKES_VOID, 1, [define if your recalc_sigpending takes void])
AC_DEFINE([RECALC_SIGPENDING_TAKES_VOID], 1, [define if your recalc_sigpending takes void])
fi
if test "x$ac_cv_linux_kernel_is_selinux" = "xyes" ; then
AC_DEFINE(LINUX_KERNEL_IS_SELINUX, 1, [define if your linux kernel uses SELinux features])
AC_DEFINE([LINUX_KERNEL_IS_SELINUX], 1, [define if your linux kernel uses SELinux features])
fi
if test "x$ac_cv_linux_kernel_sock_create_v" = "xyes" ; then
AC_DEFINE(LINUX_KERNEL_SOCK_CREATE_V, 1, [define if your linux kernel uses 5 arguments for sock_create])
AC_DEFINE([LINUX_KERNEL_SOCK_CREATE_V], 1, [define if your linux kernel uses 5 arguments for sock_create])
fi
if test "x$ac_cv_linux_kernel_page_follow_link" = "xyes" ; then
AC_DEFINE(HAVE_KERNEL_PAGE_FOLLOW_LINK, 1, [define if your linux kernel provides page_follow_link])
AC_DEFINE([HAVE_KERNEL_PAGE_FOLLOW_LINK], 1, [define if your linux kernel provides page_follow_link])
fi
if test "x$ac_linux_syscall" = "xyes" ; then
AC_DEFINE(HAVE_KERNEL_LINUX_SYSCALL_H, 1, [define if your linux kernel has linux/syscall.h])
AC_DEFINE([HAVE_KERNEL_LINUX_SYSCALL_H], 1, [define if your linux kernel has linux/syscall.h])
fi
if test "x$ac_linux_seq_file" = "xyes" ; then
AC_DEFINE(HAVE_KERNEL_LINUX_SEQ_FILE_H, 1, [define if your linux kernel has linux/seq_file.h])
AC_DEFINE([HAVE_KERNEL_LINUX_SEQ_FILE_H], 1, [define if your linux kernel has linux/seq_file.h])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_parent" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_PARENT, 1, [define if your struct task_struct has parent])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_PARENT], 1, [define if your struct task_struct has parent])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_real_parent" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_REAL_PARENT, 1, [define if your struct task_struct has real_parent])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_REAL_PARENT], 1, [define if your struct task_struct has real_parent])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_sigmask_lock" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_SIGMASK_LOCK, 1, [define if your struct task_struct has sigmask_lock])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_SIGMASK_LOCK], 1, [define if your struct task_struct has sigmask_lock])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_sighand" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_SIGHAND, 1, [define if your struct task_struct has sighand])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_SIGHAND], 1, [define if your struct task_struct has sighand])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_sig" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_SIG, 1, [define if your struct task_struct has sig])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_SIG], 1, [define if your struct task_struct has sig])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_rlim" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_RLIM, 1, [define if your struct task_struct has rlim])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_RLIM], 1, [define if your struct task_struct has rlim])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_signal_rlim" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_SIGNAL_RLIM, 1, [define if your struct task_struct has signal->rlim])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_SIGNAL_RLIM], 1, [define if your struct task_struct has signal->rlim])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_exit_state" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_EXIT_STATE, 1, [define if your struct task_struct has exit_state])
AC_DEFINE([STRUCT_TASK_STRUCT_HAS_EXIT_STATE], 1, [define if your struct task_struct has exit_state])
fi
if test "x$ac_cv_linux_sched_struct_task_struct_has_todo" = "xyes"; then
AC_DEFINE(STRUCT_TASK_STRUCT_HAS_TODO, 1, [define if your struct task_struct has todo])
fi
if test "x$ac_cv_linux_get_sb_has_struct_vfsmount" = "xyes"; then
AC_DEFINE(GET_SB_HAS_STRUCT_VFSMOUNT, 1, [define if your get_sb_nodev needs a struct vfsmount argument])
AC_DEFINE([GET_SB_HAS_STRUCT_VFSMOUNT], 1, [define if your get_sb_nodev needs a struct vfsmount argument])
fi
if test "x$ac_cv_linux_statfs_takes_dentry" = "xyes"; then
AC_DEFINE(STATFS_TAKES_DENTRY, 1, [define if your statfs takes a dentry argument])
fi
if test "x$ac_cv_linux_func_a_writepage_takes_writeback_control" = "xyes" ; then
AC_DEFINE(AOP_WRITEPAGE_TAKES_WRITEBACK_CONTROL, 1, [define if your aops.writepage takes a struct writeback_control argument])
AC_DEFINE([AOP_WRITEPAGE_TAKES_WRITEBACK_CONTROL], 1, [define if your aops.writepage takes a struct writeback_control argument])
fi
if test "x$ac_cv_linux_func_refrigerator_takes_pf_freeze" = "xyes" ; then
AC_DEFINE(LINUX_REFRIGERATOR_TAKES_PF_FREEZE, 1, [define if your refrigerator takes PF_FREEZE])
AC_DEFINE([LINUX_REFRIGERATOR_TAKES_PF_FREEZE], 1, [define if your refrigerator takes PF_FREEZE])
fi
if test "x$ac_cv_linux_func_i_create_takes_nameidata" = "xyes" ; then
AC_DEFINE(IOP_CREATE_TAKES_NAMEIDATA, 1, [define if your iops.create takes a nameidata argument])
AC_DEFINE([IOP_CREATE_TAKES_NAMEIDATA], 1, [define if your iops.create takes a nameidata argument])
fi
if test "x$ac_cv_linux_func_i_lookup_takes_nameidata" = "xyes" ; then
AC_DEFINE(IOP_LOOKUP_TAKES_NAMEIDATA, 1, [define if your iops.lookup takes a nameidata argument])
AC_DEFINE([IOP_LOOKUP_TAKES_NAMEIDATA], 1, [define if your iops.lookup takes a nameidata argument])
fi
if test "x$ac_cv_linux_func_i_permission_takes_nameidata" = "xyes" ; then
AC_DEFINE(IOP_PERMISSION_TAKES_NAMEIDATA, 1, [define if your iops.permission takes a nameidata argument])
AC_DEFINE([IOP_PERMISSION_TAKES_NAMEIDATA], 1, [define if your iops.permission takes a nameidata argument])
fi
if test "x$ac_cv_linux_func_d_revalidate_takes_nameidata" = "xyes" ; then
AC_DEFINE(DOP_REVALIDATE_TAKES_NAMEIDATA, 1, [define if your dops.d_revalidate takes a nameidata argument])
AC_DEFINE([DOP_REVALIDATE_TAKES_NAMEIDATA], 1, [define if your dops.d_revalidate takes a nameidata argument])
fi
if test "x$ac_cv_linux_freezer_h_exists" = "xyes" ; then
AC_DEFINE(FREEZER_H_EXISTS, 1, [define if you have linux/freezer.h])
@ -851,6 +892,7 @@ esac
case $AFS_SYSNAME in
*_darwin*)
AC_DARWIN_EXP_DC
DARWIN_PLIST=src/libafs/afs.${AFS_SYSNAME}.plist
DARWIN_INFOFILE=afs.${AFS_SYSNAME}.plist
dnl the test below fails on darwin, even if the CPPFLAGS below
@ -860,7 +902,7 @@ case $AFS_SYSNAME in
dnl really, such a thing isn't guaranteed to work on any
dnl platform until the kernel cflags from MakefileProto are
dnl known to configure
AC_DEFINE(HAVE_STRUCT_BUF, 1, [define if you have a struct buf])
AC_DEFINE([HAVE_STRUCT_BUF], 1, [define if you have a struct buf])
;;
*)
AC_MSG_CHECKING(for definition of struct buf)
@ -878,7 +920,7 @@ AC_CACHE_VAL(ac_cv_have_struct_buf, [
dnl CPPFLAGS="$save_CPPFLAGS"
AC_MSG_RESULT($ac_cv_have_struct_buf)
if test "$ac_cv_have_struct_buf" = yes; then
AC_DEFINE(HAVE_STRUCT_BUF, 1, [define if you have a struct buf])
AC_DEFINE([HAVE_STRUCT_BUF], 1, [define if you have a struct buf])
fi
;;
esac
@ -893,7 +935,7 @@ AC_TRY_COMPILE( [#include <sys/types.h>
a->sa_len=0;], ac_cv_sockaddr_len=yes, ac_cv_sockaddr_len=no)
AC_MSG_RESULT($ac_cv_sockaddr_len)])
if test "$ac_cv_sockaddr_len" = "yes"; then
AC_DEFINE(STRUCT_SOCKADDR_HAS_SA_LEN, 1, [define if you struct sockaddr sa_len])
AC_DEFINE([STRUCT_SOCKADDR_HAS_SA_LEN], 1, [define if you struct sockaddr sa_len])
fi
if test "x${MKAFS_OSTYPE}" = "xIRIX"; then
echo Skipping library tests because they confuse Irix.
@ -903,7 +945,7 @@ else
if test "$ac_cv_func_socket" = no; then
for lib in socket inet; do
if test "$HAVE_SOCKET" != 1; then
AC_CHECK_LIB(${lib}, socket,LIBS="$LIBS -l$lib";HAVE_SOCKET=1;AC_DEFINE(HAVE_SOCKET, 1, [define if you have socket]))
AC_CHECK_LIB(${lib}, socket,LIBS="$LIBS -l$lib";HAVE_SOCKET=1;AC_DEFINE([HAVE_SOCKET], 1, [define if you have socket]))
fi
done
fi
@ -913,7 +955,7 @@ else
if test "$ac_cv_func_connect" = no; then
for lib in nsl; do
if test "$HAVE_CONNECT" != 1; then
AC_CHECK_LIB(${lib}, connect,LIBS="$LIBS -l$lib";HAVE_CONNECT=1;AC_DEFINE(HAVE_CONNECT, 1, [define if you have connect]))
AC_CHECK_LIB(${lib}, connect,LIBS="$LIBS -l$lib";HAVE_CONNECT=1;AC_DEFINE([HAVE_CONNECT], 1, [define if you have connect]))
fi
done
fi
@ -922,7 +964,7 @@ else
if test "$ac_cv_func_gethostbyname" = no; then
for lib in dns nsl resolv; do
if test "$HAVE_GETHOSTBYNAME" != 1; then
AC_CHECK_LIB(${lib}, gethostbyname, LIBS="$LIBS -l$lib";HAVE_GETHOSTBYNAME=1;AC_DEFINE(HAVE_GETHOSTBYNAME, 1, [define if you have gethostbyname]))
AC_CHECK_LIB(${lib}, gethostbyname, LIBS="$LIBS -l$lib";HAVE_GETHOSTBYNAME=1;AC_DEFINE([HAVE_GETHOSTBYNAME], 1, [define if you have gethostbyname]))
fi
done
fi
@ -941,7 +983,7 @@ else
#include <resolv.h>
], [static int i; i = 0;],
[AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_ARPA_NAMESER_COMPAT_H)],
AC_DEFINE([HAVE_ARPA_NAMESER_COMPAT_H],1,[define if arpa/nameser_compat.h is to be used.])],
[AC_MSG_RESULT(no)
])
@ -959,13 +1001,16 @@ else
done
if test "$ac_cv_func_res_search" = yes; then
LIB_res_search="-l$lib"
AC_DEFINE(HAVE_RES_SEARCH, 1, [])
AC_DEFINE([HAVE_RES_SEARCH], 1, [have res_search])
AC_MSG_RESULT([yes, in lib$lib])
if test "$ac_cv_func_res_nclose" = yes; then
AC_DEFINE([HAVE_RES_NCLOSE], 1, [have res_ninit/res_nsearch/res_nclose too])
fi
else
AC_MSG_RESULT(no)
fi
else
AC_DEFINE(HAVE_RES_SEARCH, 1, [])
AC_DEFINE([HAVE_RES_SEARCH], 1, [have res_search])
AC_MSG_RESULT(yes)
fi
@ -1026,21 +1071,34 @@ else
esac
fi
# Fast restart
if test "$enable_supergroups" = "yes"; then
AC_DEFINE(SUPERGROUPS, 1, [define if you want to have support for nested pts groups])
AC_DEFINE([SUPERGROUPS], 1, [define if you want to have support for nested pts groups])
fi
if test "$enable_rxk5" = "yes"; then
K5SSL_DEF="-DUSE_K5SSL -DUSE_FAKESSL"
K5SSL_INC='-I${TOP_SRCDIR}/k5ssl'
AC_DEFINE([AFS_RXK5], 1, [define if you want the option to use rxk5 for rx security])
DISABLE_RXK5='#'
else
ENABLE_RXK5='#'
fi
AC_SUBST(K5SSL_DEF)
AC_SUBST(K5SSL_INC)
AC_SUBST(ENABLE_RXK5)
AC_SUBST(DISABLE_RXK5)
# Fast restart
if test "$enable_fast_restart" = "yes"; then
AC_DEFINE(FAST_RESTART, 1, [define if you want to have fast restart])
AC_DEFINE([FAST_RESTART], 1, [define if you want to have fast restart])
fi
if test "$enable_bitmap_later" = "yes"; then
AC_DEFINE(BITMAP_LATER, 1, [define if you want to salvager to check bitmasks later])
AC_DEFINE([BITMAP_LATER], 1, [define if you want to salvager to check bitmasks later])
fi
if test "$enable_demand_attach_fs" = "yes"; then
AC_DEFINE(DEMAND_ATTACH_ENABLE, 1, [define if you want the demand attach fileserver])
AC_DEFINE([DEMAND_ATTACH_ENABLE], 1, [define if you want the demand attach fileserver])
DEMAND_ATTACH="yes"
else
DEMAND_ATTACH="no"
@ -1054,28 +1112,61 @@ if test "$enable_fast_restart" = "yes" &&
fi
if test "$enable_full_vos_listvol_switch" = "yes"; then
AC_DEFINE(FULL_LISTVOL_SWITCH, 1, [define if you want to want listvol switch])
AC_DEFINE([FULL_LISTVOL_SWITCH], 1, [define if you want to want listvol switch])
fi
if test "$enable_bos_restricted_mode" = "yes"; then
AC_DEFINE(BOS_RESTRICTED_MODE, 1, [define if you want to want bos restricted mode])
AC_DEFINE([BOS_RESTRICTED_MODE], 1, [define if you want to want bos restricted mode])
fi
if test "$enable_bos_new_config" = "yes"; then
AC_DEFINE(BOS_NEW_CONFIG, 1, [define if you want to enable automatic renaming of BosConfig.new to BosConfig at startup])
AC_DEFINE([BOS_NEW_CONFIG], 1, [define if you want to enable automatic renaming of BosConfig.new to BosConfig at startup])
fi
if test "$enable_largefile_fileserver" = "yes"; then
AC_DEFINE(AFS_LARGEFILE_ENV, 1, [define if you want large file fileserver])
AC_DEFINE([AFS_LARGEFILE_ENV], 1, [define if you want large file fileserver])
fi
if test "$enable_ka_server" = "yes"; then
AC_DEFINE([AFS_ENABLE_KA_SERVER], 1, [define if you want to build kaserver])
DISABLE_KA_SERVER='#'
else
ENABLE_KA_SERVER='#'
fi
if test "$enable_ka_clients" = "yes"; then
AC_DEFINE([AFS_ENABLE_KA_CLIENTS], 1, [define if you want to build ka client tools])
DISABLE_KA_CLIENTS='#'
else
ENABLE_KA_CLIENTS='#'
fi
if test "$enable_ka_server" = "yes" || test "$enable_ka_clients" = "yes";
then
DISABLE_KAUTH='#'
else
ENABLE_KAUTH='#'
fi
AC_SUBST(ENABLE_KA_SERVER)
AC_SUBST(DISABLE_KA_SERVER)
AC_SUBST(ENABLE_KA_CLIENTS)
AC_SUBST(DISABLE_KA_CLIENTS)
AC_SUBST(ENABLE_KAUTH)
AC_SUBST(DISABLE_KAUTH)
if test "$enable_namei_fileserver" = "yes"; then
AC_DEFINE(AFS_NAMEI_ENV, 1, [define if you want to want namei fileserver])
AC_DEFINE([AFS_NAMEI_ENV], 1, [define if you want to want namei fileserver])
fi
if test "$enable_afsdb" = "yes"; then
LIB_AFSDB="$LIB_res_search"
AC_DEFINE(AFS_AFSDB_ENV, 1, [define if you want to want search afsdb rr])
AC_DEFINE([AFS_AFSDB_ENV], 1, [define if you want to want search afsdb rr])
fi
if test "$enable_cm_capabilities" = "yes"; then
CM_CAPABILITIES="cm_capabilities"
AC_SUBST(CM_CAPABILITIES)
AC_DEFINE([AFS_CM_CAPABILITIES], 1, [define to enable support for a GetCapabilities pioctl])
fi
dnl check for tivoli
@ -1134,12 +1225,12 @@ if test "$ac_cv_header_regex_h" = "yes" && \
test "$ac_cv_func_regcomp" = "yes" && \
test "$ac_cv_func_regexec" = "yes" && \
test "$ac_cv_func_regerror" = "yes"; then
AC_DEFINE(HAVE_POSIX_REGEX, 1, [define if you have POSIX regex library])
AC_DEFINE([HAVE_POSIX_REGEX], 1, [define if you have POSIX regex library])
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
AC_CHECK_TYPE(ssize_t, int)
AC_SIZEOF_TYPE(long)
@ -1156,10 +1247,11 @@ main()
}], ac_cv_sizeof_time_t=`cat conftestval`, ac_cv_sizeof_time_t=0)
])
AC_MSG_RESULT($ac_cv_sizeof_time_t)
AC_DEFINE_UNQUOTED(SIZEOF_TIME_T, $ac_cv_sizeof_time_t)
AC_DEFINE_UNQUOTED(SIZEOF_TIME_T, $ac_cv_sizeof_time_t, [define to be sizeof(time_t)])
AC_CHECK_FUNCS(timegm)
AC_CHECK_FUNCS(daemon)
AC_CHECK_FUNCS(fstatfs64)
dnl Directory PATH handling
if test "x$enable_transarc_paths" = "xyes" ; then
@ -1221,8 +1313,10 @@ AC_SUBST(DEST)
AC_SUBST(WITH_OBSOLETE)
AC_SUBST(DARWIN_INFOFILE)
AC_SUBST(IRIX_BUILD_IP35)
AC_SUBST(LINUX_SETENV_UM)
OPENAFS_OSCONF
OPENAFS_SSL
OPENAFS_KRB5CONF
TOP_SRCDIR="${srcdir}/src"


@ -1,11 +1,12 @@
AC_INIT(src/config/stds.h)
AM_INIT_AUTOMAKE(openafs,1.5.14)
AC_INIT(openafs,1.5.14)
AC_CONFIG_SRCDIR(src/config/stds.h)
AM_INIT_AUTOMAKE
AC_CONFIG_HEADER(src/config/afsconfig.h)
AC_PROG_CC
OPENAFS_CONFIGURE_COMMON
if test -d 'doc/man-pages' ; then
if test -e 'doc/man-pages/Makefile.in' ; then
MAN_MAKEFILE="doc/man-pages/Makefile doc/man-pages/install-man"
else
MAN_MAKEFILE=
@ -49,6 +50,7 @@ src/fsint/Makefile \
src/fsprobe/Makefile \
src/gtx/Makefile \
src/JAVA/libjafs/Makefile \
src/k5ssl/Makefile \
src/kauth/Makefile \
src/kauth/test/Makefile \
src/libacl/Makefile \
@ -95,6 +97,7 @@ src/rx/simple.example/Makefile \
src/rx/test/Makefile \
src/rxdebug/Makefile \
src/rxgen/Makefile \
src/rxk5/Makefile \
src/rxkad/Makefile \
src/rxkad/test/Makefile \
src/rxstat/Makefile \
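Review bot: `test -e` is not understood by the pre-POSIX Bourne shell that is still `/bin/sh` on the older Solaris and HP-UX hosts OpenAFS still builds on, whereas the `test -d` it replaces was; since the check is for a regular file, `if test -f 'doc/man-pages/Makefile.in' ; then` keeps the new intent and stays portable. The `src/k5ssl/Makefile` and `src/rxk5/Makefile` outputs are added unconditionally even though the top-level build only descends into those directories when rxk5 is enabled; that is fine for AC_OUTPUT, but a one-line comment next to them (`dnl generated unconditionally; the top-level Makefile decides whether to build them`) would stop someone "fixing" it into a conditional.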


@ -136,6 +136,7 @@ L<pts_createuser(1)>,
L<pts_delete(1)>,
L<pts_examine(1)>,
L<pts_help(1)>,
L<pts_interactive(1)>,
L<pts_listentries(1)>,
L<pts_listmax(1)>,
L<pts_listowned(1)>,
@ -143,7 +144,9 @@ L<pts_membership(1)>,
L<pts_removeuser(1)>,
L<pts_rename(1)>,
L<pts_setfields(1)>,
L<pts_setmax(1)>
L<pts_setmax(1)>,
L<pts_sleep(1)>,
L<pts_source(1)>
=head1 COPYRIGHT


@ -0,0 +1,67 @@
=head1 NAME
pts interactive - issue multiple multiple pts commands
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<pts interactive>
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-help>]
B<pts in>
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-help>]
=for html
</div>
=head1 DESCRIPTION
The B<pts interactive> command prompts for and reads additional pts
commands from standard in and executes them, one at a time.
All commands will reuse the same rx connection, if possible,
which is advantageous if the plan is to submit many thousands
of pts commands.
=head1 OPTIONS
=over 4
=item B<-cell> <I<cell name>>
Names the cell in which to run the command. For more details, see
L<pts(1)>.
=item B<-noauth>
Assigns the unprivileged identity anonymous to the issuer. For more
details, see L<pts(1)>.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 EXAMPLES
The following example removes jones from system:administrators, then
adds smith to the same group.
% pts interactive
> removeuser jones system:administrators
> adduser smith system:administrators
> quit
%
=head1 SEE ALSO
L<pts(1)>,
L<pts_source(1)>,
L<pts_sleep(1)>
=head1 COPYRIGHT
See L<umich.copyright(8)>.


@ -0,0 +1,73 @@
=head1 NAME
pts sleep - pause for time
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<pts sleep>
S<<< [B<-delay> <I<seconds>>] >>>
[B<-help>]
B<pts sl>
S<<< [B<-delay> <I<seconds>>] >>>
[B<-help>]
=for html
</div>
=head1 DESCRIPTION
The B<pts sleep> command can be used to cause a delay
of the indicated number of seconds.
This is mainly used with B<pts source> or B<pts interactive>
commands to insert a programmed delay between other commands.
This is useful when performing many operations that do not
need to be completed in a particularly timely fashion,
to give users with more timely needs better service.
=head1 OPTIONS
=over 4
=item B<-delay> <I<seconds>>
Indicate the number of seconds to dawdle, before proceeding.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 EXAMPLES
The following example will remove jones from system:administrators, wait
5 seconds, and then add smith to the same group.
% cat >/tmp/something.pt <<EOF
removeuser kkryza students:k
adduser tifair students:t
removeuser yizhan students:y
sleep 5
adduser mafha students:m
removeuser shortjer students:s
adduser ruimata students:r
sleep 5
adduser seotw students:s
EOF
% pts source /tmp/something.pt
%
=head1 SEE ALSO
L<pts(1)>,
L<pts_interactive(1)>,
L<pts_source(1)>
=head1 COPYRIGHT
See L<umich.copyright(8)>.


@ -0,0 +1,80 @@
=head1 NAME
pts source - read pts commands from a file.
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<pts source>
S<<< [B<-file> <I<file name>>] >>>
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-help>]
B<pts so>
S<<< [B<-file> <I<file name>>] >>>
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-help>]
=for html
</div>
=head1 DESCRIPTION
The B<pts source> command reads additional pts commands
from the specified file and executes them, one at a time.
All commands will reuse the same rx connection, if possible,
which is advantageous if the plan is to submit many thousands
of pts commands.
It is possible to nest multiple invocations of B<source>
and to intersperse uses of B<interactive>.
=head1 OPTIONS
=over 4
=item B<-file> <I<input file>>
Indicates the file from which commands are to be read.
For more details, see
L<pts(1)>.
=item B<-cell> <I<cell name>>
Names the cell in which to run the command. For more details, see
L<pts(1)>.
=item B<-noauth>
Assigns the unprivileged identity anonymous to the issuer. For more
details, see L<pts(1)>.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 EXAMPLES
The following example will remove jones from system:administrators, wait
5 seconds, and then add smith to the same group.
% cat >/tmp/something.pt <<EOF
removeuser jones system:administrators
sleep 5
adduser smith system:administrators
EOF
% pts source /tmp/something.pt
%
=head1 SEE ALSO
L<pts(1)>,
L<pts_interactive(1)>,
L<pts_sleep(1)>
=head1 COPYRIGHT
See L<umich.copyright(8)>.


@ -11,7 +11,9 @@ any action for any user who logs into the machine's local file system or
issues a remote command that affects the machine's AFS server functioning,
such as commands from the AFS command suites. Because failure to check
authorization exposes the machine's AFS server functionality to attack,
there are normally only two circumstances in which the file is present:
this is almost never desirable.
In older releases of AFS, there were two
circumstances in which this file might be present:
=over 4
@ -19,11 +21,17 @@ there are normally only two circumstances in which the file is present:
During installation of the machine, as instructed in the I<IBM AFS Quick
Beginnings>.
There is an alternate way to install a cell which uses pt_util(8)
to create the initial protection database, which does not require
the use of noauth mode.
=item *
During correction of a server encryption key emergency, as discussed in
the I<IBM AFS Administration Guide>.
That procedure is obselete; see afs.keytab(5) for better information.
If you have root or any other administrative access to the server, including
physical access, you do not need this procedure.
=back


@ -0,0 +1,73 @@
=head1 NAME
afs.keytab - Contains AFS server encryption keys
=head1 DESCRIPTION
The F<afs.keytab> file defines the server encryption keys that the AFS server
processes running on the machine use to decrypt the tickets presented by
clients using rxk5. AFS server processes
perform privileged actions only for clients that possess a ticket
encrypted with one of the entries from the file.
The file must reside in the
F</usr/afs/etc> directory on every server machine.
If the keytab does not exist when a server process starts up,
that process will decide not to accept any authentication, at least via rxk5.
This is almost never desirable.
For more detailed
information on mutual authentication and server encryption keys, see the
I<OpenAFS Administration Guide>.
Each key has a corresponding a key version number that distinguishes it
from the other keys. The tickets that clients present are also marked with
a service principal and key version number to tell the server process which
key to use to decrypt it. The F<afs.keytab> file must always include the
same principals, keys, and key versions as the corresponding entries in
the realm's kerberos 5 database.
The F<afs.keytab> file is in binary format, so always use the appropriate
commands from kerberos to administer it:
=over 4
=item *
The B<kadmin> command to define a new key.
=item *
The B<klist> command to display the keys.
=item *
The B<ktutil> command to remove a key from the file.
=back
This file should contain service principals that are named
afs-k5/I<cell-name>@I<realm-name> .
cell-name should be in lower-case; realm-name should be your kerberos
5 realm, normally the upper-case version of the cell name.
You can update the keytab at any time, even while server processes are running.
You may need to restart server processes if the keytab did not exist
when they were started.
In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is customary to edit only the copy of the
file stored on the system control machine. Otherwise, edit the file on
each server machine individually.
=head1 SEE ALSO
L<klist(1)>,
L<kadmin(8)>,
L<ktutil(8)>,
L<upclient(8)>,
L<upserver(8)>
I<OpenAFS Administration Guide>
=head1 COPYRIGHT
See L<umich.copyright(8)>.


@ -41,6 +41,16 @@ with a server process because the current key is overwritten with a new
key. Use the B<bos listkeys> command to display the key version numbers in
the F</usr/afs/etc/KeyFile> file.
=head1 CAUTIONS
KeyFile entries can only be used with rxkad, des, kerberos 4, and fcrypt,
so provide less security overall.
You should only use this if the lesser security is acceptable and you
have older clients that only work with rxkad.
Otherwise, create and use a keytab with stronger encryption types,
for use with rxk5.
See L<afs.keytab(5)> for more information.
=head1 OPTIONS
=over 4
@ -125,6 +135,7 @@ included.
=head1 SEE ALSO
L<afs.keytab(5)>,
L<KeyFile(5)>,
L<UserList(5)>,
L<bos(8)>,


@ -31,6 +31,14 @@ Displaying actual keys on the standard output stream (by including the
B<-showkey> flag) is a security exposure. Displaying a checksum is
sufficient for most purposes.
KeyFile entries can only be used with rxkad, des, kerberos 4, and fcrypt,
so provide less security overall.
You should only use this if the lesser security is acceptable and you
have older clients that only work with rxkad.
Otherwise, create and use a keytab with stronger encryption types,
for use with rxk5.
See L<afs.keytab(5)> for more information.
=head1 OPTIONS
=over 4
@ -128,6 +136,7 @@ included.
=head1 SEE ALSO
L<afs.keytab(5)>,
L<KeyFile(5)>,
L<UserList(5)>,
L<bos_addkey(8)>,


@ -32,6 +32,14 @@ lifetime has passed since the current key was defined using the B<kas
setpassword> and B<bos addkey> commands. This ensures that no clients
still possess tickets encrypted with the obsolete key.
KeyFile entries can only be used with rxkad, des, kerberos 4, and fcrypt,
so provide less security overall.
You should only use this if the lesser security is acceptable and you
have older clients that only work with rxkad.
Otherwise, create and use a keytab with stronger encryption types,
for use with rxk5.
See L<afs.keytab(5)> for more information.
=head1 OPTIONS
=over 4
@ -95,6 +103,7 @@ included.
=head1 SEE ALSO
L<afs.keytab(5)>,
L<KeyFile(5)>,
L<UserList(5)>,
L<bos(8)>,


@ -0,0 +1,38 @@
=head1 NAME
umich.copyright - omnibus copyright.
=head1 DESCRIPTION
All-purpose copyright statement, because online help
should not be an excuse to spew out a long legal manifesto.
=head1 COPYRIGHT
Copyright (c) 2005
The Regents of the University of Michigan
ALL RIGHTS RESERVED
Permission is granted to use, copy, create derivative works
and redistribute this software and such derivative works
for any purpose, so long as the name of the University of
Michigan is not used in any advertising or publicity
pertaining to the use or distribution of this software
without specific, written prior authorization. If the
above copyright notice or any other identification of the
University of Michigan is included in any copy of any
portion of this software, then the disclaimer below must
also be included.
This software is provided as is, without representation
from the University of Michigan as to its fitness for any
purpose, and without warranty by the University of
Michigan of any kind, either express or implied, including
without limitation the implied warranties of
merchantability and fitness for a particular purpose. The
regents of the University of Michigan shall not be liable
for any damages, including special, indirect, incidental, or
consequential damages, with respect to any claim arising
out of or in connection with the use of the software, even
if it has been or is hereafter advised of the possibility of
such damages.


@ -17,7 +17,7 @@ rm -r autom4te.cache
# Rebuild the man pages, to not require those building from source to have
# pod2man available.
if test -d doc/man-pages ; then
if test -e doc/man-pages/generate-man ; then
echo "Building man pages"
(cd doc/man-pages && ./generate-man)
fi


@ -56,11 +56,6 @@ extern int readCacheParms(char *afsMountPoint, char *afsConfDir,
* - For every malloc call the corresponding free.
*/
int osi_audit(void)
{
return 0;
}
/*JNIEXPORT void JNICALL Java_org_openafs_jafs_Token_callDebugger
(JNIEnv *env, jobject obj)
{


@ -759,10 +759,18 @@ static void cm_NewRXConnection(cm_conn_t *tcp, cm_ucell_t *ucellp,
port = htons(7000);
serviceID = 1;
}
#ifdef AFS_RXK5
need.logic.to.call.rxk5_NewClientSecurityObject.here;
#endif
if (ucellp->flags & CM_UCELLFLAG_RXKAD) {
secIndex = 2;
secIndex = 2;
if (cryptall) {
tcp->cryptlevel = rxkad_crypt;
#if 0
/* this is a myth. See note in viced/viced.c */
if (serverp->type == CM_SERVER_FILE)
secIndex = 3; /* ! */
#endif
} else {
tcp->cryptlevel = rxkad_clear;
}
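Review bot: The `need.logic.to.call.rxk5_NewClientSecurityObject.here;` line under `#ifdef AFS_RXK5` is a deliberate compile failure standing in for missing code, but to anyone who hits it it reads like a stray paste; a preprocessor diagnostic says the same thing unambiguously: `#error "rxk5 client security object is not yet wired into the Windows cache manager"`. A short comment that the Windows build must therefore not define AFS_RXK5 until this is implemented would save the next person a search. The `#if 0` block that follows is dead code whose "myth" comment points at viced/viced.c without saying what was wrong; either drop it or state the reason inline. cm_NewRXConnection starts outside the hunk.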


@ -1959,6 +1959,10 @@ long cm_UsernameToId(char *uname, cm_ucell_t * ucellp, afs_uint32* uid)
* call. we just have to use it.
*/
scIndex = 2; /* kerberos ticket */
#ifdef AFS_RXK5
need.logic.to.call.rxk5_NewClientSecurityObject.here;
also.change.declaration.and.logic( sc[3] , sc );
#endif
sc[2] = rxkad_NewClientSecurityObject(rxkad_clear, &ucellp->sessionKey,
ucellp->kvno, ucellp->ticketLen,
ucellp->ticketp);
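Review bot: Same placeholder pattern as cm_conn.c: `need.logic.to.call.rxk5_NewClientSecurityObject.here;` and `also.change.declaration.and.logic( sc[3] , sc );` are intentional compile errors under AFS_RXK5 and should be one explicit `#error "rxk5 not implemented in cm_UsernameToId: sc[] needs a slot for the rxk5 security object"` so the failure explains itself. The surrounding code still hard-codes `scIndex = 2; /* kerberos ticket */` for rxkad, so the rxk5 path will need its own security index rather than reusing that slot, which the `sc[3]` hint seems to acknowledge. cm_UsernameToId starts and ends outside the hunk.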


@ -63,7 +63,6 @@ afs_setgroups(cred_t **cr, struct group_info *group_info, int change_parent)
static int
afs_setgroups(cred_t **cr, int ngroups, gid_t * gidset, int change_parent)
{
int ngrps;
int i;
gid_t *gp;


@ -82,7 +82,7 @@ init_module(void)
#endif /* !defined(AFS_LINUX24_ENV) */
osi_Init();
#ifdef AFS_LINUX26_ENV
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
#if !defined(AFS_NONFSTRANS)
osi_linux_nfssrv_init();
#endif
@ -123,7 +123,7 @@ cleanup_module(void)
unregister_filesystem(&afs_fs_type);
afs_destroy_inodecache();
#ifdef AFS_LINUX26_ENV
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
#if !defined(AFS_NONFSTRANS)
osi_linux_nfssrv_shutdown();
#endif
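Review bot: Gating `osi_linux_nfssrv_init()` and `osi_linux_nfssrv_shutdown()` on `CONFIG_GSSRPC` is unexplained, and it silently disables the NFS-translator export hooks on any 2.6 kernel built without that option even when `AFS_NONFSTRANS` is not set. If the reason is that `afs_export_ops` is only compiled under the same guard, say so at the point the condition is introduced, e.g. `/* afs_export_ops is only built when CONFIG_GSSRPC is set; keep this in sync with osi_vfsops.c */`. `CONFIG_GSSRPC` is a kernel config macro that the AFS configure step does not check, so a mismatch between the two files would only surface at module load; a comment at least makes the coupling reviewable. init_module and cleanup_module start outside the hunk.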


@ -1371,9 +1371,11 @@ static int check_writable(unsigned long address)
#endif
if (pmd_none(*pmd))
return 0;
#ifndef CONFIG_UML
if (pmd_large(*pmd))
pte = (pte_t *)pmd;
else
#endif
pte = pte_offset_kernel(pmd, address);
if (pte_none(*pte) || !pte_present(*pte) || !pte_write(*pte))
return 0;
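Review bot: The `#ifndef CONFIG_UML` wrapper leaves the `else` keyword inside the conditional block while the `pte = pte_offset_kernel(pmd, address);` it governs stays outside; that is correct for both configurations today but is easy to misread, and a future edit that adds a line between them would silently change which statement the `else` binds to. Since this is check_writable deciding, presumably, whether a kernel page may be patched, a wrong branch here is not a benign failure. Making each configuration a complete if/else (or a plain assignment) removes the ambiguity. check_writable starts and ends outside the hunk.
```c
#ifndef CONFIG_UML
	if (pmd_large(*pmd))
		pte = (pte_t *)pmd;
	else
		pte = pte_offset_kernel(pmd, address);
#else
	/* UML has no large-page pmd; always walk to the pte */
	pte = pte_offset_kernel(pmd, address);
#endif
	/* … unchanged: pte_none / pte_present / pte_write check … */
```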


@ -39,7 +39,7 @@ struct vfsmount *afs_cacheMnt;
int afs_was_mounted = 0; /* Used to force reload if mount/unmount/mount */
extern struct super_operations afs_sops;
#if defined(AFS_LINUX26_ENV)
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
extern struct export_operations afs_export_ops;
#endif
extern afs_rwlock_t afs_xvcache;
@ -146,7 +146,7 @@ afs_read_super(struct super_block *sb, void *data, int silent)
sb->s_blocksize_bits = 10;
sb->s_magic = AFS_VFSMAGIC;
sb->s_op = &afs_sops; /* Super block (vfs) ops */
#if defined(AFS_LINUX26_ENV)
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
sb->s_export_op = &afs_export_ops;
#endif
#if defined(MAX_NON_LFS)

View File

@ -99,7 +99,6 @@ static ssize_t
afs_linux_write(struct file *fp, const char *buf, size_t count, loff_t * offp)
{
ssize_t code = 0;
int code2 = 0;
struct vcache *vcp = VTOAFS(fp->f_dentry->d_inode);
struct vrequest treq;
cred_t *credp = crref();
@ -491,12 +490,14 @@ afs_linux_lock(struct file *fp, int cmd, struct file_lock *flp)
#ifdef AFS_LINUX24_ENV
if (code == 0 && (cmd == F_SETLK || cmd == F_SETLKW)) {
#ifdef AFS_LINUX26_ENV
struct file_lock flp2;
flp2 = *flp;
#ifdef AFS_LINUX26_ENV
flp2.fl_flags &=~ FL_SLEEP;
#endif
code = posix_lock_file(fp, &flp2);
#else
code = posix_lock_file(fp, flp, 0);
#endif
osi_Assert(code != -EAGAIN); /* there should be no conflicts */
if (code) {
struct AFS_FLOCK flock2;
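Review bot: Only the 2.6 branch uses the `flp2` copy with `FL_SLEEP` cleared; the 2.4 branch still passes the original `flp` to `posix_lock_file(fp, flp, 0)`, so if the copy was meant for both it should be `&flp2` there as well (the rendered page has lost the +/- markers, so that line may be untouched old code). Clearing `FL_SLEEP` turns a conflicting local lock into an immediate `-EAGAIN` rather than a wait, and the existing `osi_Assert(code != -EAGAIN); /* there should be no conflicts */` then treats that as fatal, presumably panicking the kernel; because a conflicting lock can be taken by any other process with the file open, that assert should become an ordinary error return, or the comment should spell out why a conflict is impossible once the server-side lock has succeeded. afs_linux_lock starts outside the hunk.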


@ -18,6 +18,9 @@
#include "afs/afs_args.h"
#endif
#ifdef AFS_RXK5
typedef void* rxk5_creds_opaque;
#endif
/* Upper bound on number of iovecs out uio routines will deal with. */
#define AFS_MAXIOVCNT 16
@ -281,6 +284,9 @@ struct unixuser {
afs_int32 tokenTime; /* last time tokens were set, used for timing out conn data */
afs_int32 stLen; /* ticket length (if kerberos, includes kvno at head) */
char *stp; /* pointer to ticket itself */
#ifdef AFS_RXK5
rxk5_creds_opaque rxk5creds; /* krb5 creds, if we have them */
#endif
struct ClearToken ct;
struct afs_exporter *exporter; /* more info about the exporter for the remote user */
void *cellinfo; /* pointer to cell info (PAG manager only) */
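Review bot: `rxk5creds` is a pointer to Kerberos credentials held in kernel memory, but nothing in the hunk says who owns or frees it; `struct unixuser` already carries `stp` and `ct`, which are presumably released when a user's tokens are discarded, and the new field needs to be freed on the same paths or the credentials (key material included) outlive the PAG/user they belong to. Suggest stating the contract at the field: `/* krb5 creds, if we have them; owned by this unixuser, must be freed wherever stp/ct are discarded */`. Declaring it as `typedef void* rxk5_creds_opaque;` also discards all type checking; a forward-declared `struct rxk5_creds *` would keep the krb5 headers out of afs.h while letting the compiler catch a wrong pointer being stored here. struct unixuser starts and ends outside the hunk.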


@ -46,6 +46,12 @@ RCSID
#endif
#include <inet/ip.h>
#endif
#ifdef AFS_RXK5
#ifndef ERROR_TABLE_BASE_RXK5
/* shouldn't -- but seems reason for below is no compile_et... */
#define ERROR_TABLE_BASE_RXK5 (1233320448L)
#endif
#endif
/* shouldn't do it this way, but for now will do */
@ -409,6 +415,9 @@ afs_Analyze(register struct conn *aconn, afs_int32 acode,
shouldRetry = 1;
acode = 0;
} else if (acode == VICETOKENDEAD
#ifdef AFS_RXK5
|| (acode & ~0xff) == ERROR_TABLE_BASE_RXK5
#endif
|| (acode & ~0xff) == ERROR_TABLE_BASE_RXK) {
/* any rxkad error is treated as token expiration */
struct unixuser *tu;
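Review bot: The fallback `#define ERROR_TABLE_BASE_RXK5 (1233320448L)` duplicates a value that compile_et normally generates; if the rxk5 error-table base is ever changed in the .et source, this copy goes stale and the `(acode & ~0xff) == ERROR_TABLE_BASE_RXK5` test in afs_Analyze silently stops classifying rxk5 failures as token expiry. The comment itself says the define "shouldn't" be needed, so the cleaner fix is to include the generated rxk5 error header (the neighbouring rxkad test relies on ERROR_TABLE_BASE_RXK the same way) and replace the fallback with `#error ERROR_TABLE_BASE_RXK5 not defined` so a misconfigured build fails loudly. afs_Analyze's body continues outside the hunk.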

244
src/afs/afs_capabilities.c Normal file

@ -0,0 +1,244 @@
/*
* Copyright (c) 2005, 2006
* The Linux Box Corporation
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of the Linux Box
* Corporation is not used in any advertising or publicity
* pertaining to the use or distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* Linux Box Corporation is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* This software is provided as is, without representation
* from the Linux Box Corporation as to its fitness for any
* purpose, and without warranty by the Linux Box Corporation
* of any kind, either express or implied, including
* without limitation the implied warranties of
* merchantability and fitness for a particular purpose. The
* regents of the Linux Box Corporation shall not be liable
* for any damages, including special, indirect, incidental, or
* consequential damages, with respect to any claim arising
* out of or in connection with the use of the software, even
* if it has been or is hereafter advised of the possibility of
* such damages.
*/
#include <afsconfig.h>
#include "afs/param.h"
#include "afs/sysincludes.h" /*Standard vendor system headers */
#include "afsincludes.h" /*AFS-based standard headers */
#include "afs/afs_stats.h" /*Cache Manager stats */
#include "afs/afs_args.h"
struct CapEntry
{
struct afs_q ceq;
int klen, vlen;
char *key, *value;
};
struct afs_q cap_Queue;
afs_rwlock_t cap_queue_lock;
static afs_int32 cap_Initialized;
afs_int32 rxk5_InitCapabilities();
/* Internal Linkage */
static afs_int32 LenCapQueue(struct afs_q *ceq, int *cnt, int *len)
{
struct CapEntry *ce;
struct afs_q *cpq, *tq;
*cnt = *len = 0;
for (cpq = ceq->next; cpq != (struct afs_q*) &ceq; cpq = tq) {
ce = (struct CapEntry *) cpq; /* todo: review */
*len += ce->klen + ce->vlen;
*cnt++;
tq = QNext(cpq);
}
return *len;
}
static char* FormatCapBuf(struct afs_q *ceq, /* out */ afs_int32 *len) {
struct CapEntry *ce;
struct afs_q *cpq, *tq;
char *str, *ptr;
afs_int32 cnt;
LenCapQueue(ceq, &cnt, len);
*len += 3 * cnt + 1; /* formatting */
str = (char*) afs_osi_Alloc(*len * sizeof(char));
memset(str, 0, *len);
ptr = str;
for (cpq = ceq->next; cpq != (struct afs_q*) &ceq; cpq = tq) {
ce = (struct CapEntry *) cpq;
memcpy(ptr, ce->key, ce->klen * sizeof(char));
ptr += ce->klen;
ptr[0] = ':';
ptr[1] = ':';
ptr+=2;
memcpy(ptr, ce->value, ce->vlen * sizeof(char));
ptr+=ce->vlen;
ptr[0] = '\n';
ptr++;
tq = QNext(cpq);
}
return str;
}
/* External Linkage */
int afs_AddCapability(const char* key, const char* value)
{
afs_int32 r;
struct CapEntry *ce;
r = 0;
ce = (struct CapEntry*) afs_osi_Alloc(sizeof(struct CapEntry));
ce->key = afs_strdup((char*) key);
ce->value = afs_strdup((char*) value);
ce->klen = strlen(ce->key);
ce->vlen = strlen(ce->value);
/* todo: lock generally */
ObtainWriteLock(&cap_queue_lock, 740);
QAdd(&cap_Queue, &ce->ceq);
ReleaseWriteLock(&cap_queue_lock);
return r;
}
int afs_InitCapabilities()
{
/* locks? indices? */
RWLOCK_INIT(&cap_queue_lock, "cap queue lock");
QInit(&cap_Queue);
#ifdef AFS_RXK5
rxk5_InitCapabilities();
#endif
cap_Initialized = 1;
return 0;
}
const char* afs_GetCapability(const char* key)
{
struct CapEntry *ce;
struct afs_q *cpq, *tq;
char *v = 0;
for (cpq = cap_Queue.next; cpq != &cap_Queue; cpq = tq) {
ce = (struct CapEntry *) cpq;
if(!strcmp(key, ce->key)) {
v = ce->value;
break;
}
tq = QNext(cpq);
}
return v;
}
char* afs_GetCapabilities(const char* qStr, /* out */ afs_int32 *qLen)
{
afs_int32 all_wc, d_wc;
char *sp, *dp, *k1, *k2, *nkey, *rslt;
struct CapEntry *ce;
struct afs_q rsltq, *cpq, *tq;
if(!cap_Initialized) {
/* log */
afs_warn("afs_GetCapabilities: afs_GetCapabilities called but module no initialized");
return NULL;
}
all_wc = 0;
d_wc = 0;
k1 = NULL;
nkey = afs_strdup((char*) qStr);
sp = strchr(nkey, '*');
if((sp == nkey) && (*(sp+1) == 0)) {
all_wc = 1;
}
dp = strchr(nkey, '.'); /* all platforms have strchr? */
if(dp) {
int pos = dp - nkey;
d_wc = 1;
k1 = (char*) nkey;
k2 = dp + 1;
if(dp) {
k1[pos] = 0;
}
}
QInit(&rsltq);
for (cpq = cap_Queue.next; cpq != &cap_Queue; cpq = tq) {
int match_p = 0;
ce = (struct CapEntry *) cpq;
if(all_wc) {
match_p = 1;
goto loop_end;
}
if(d_wc && (strstr(ce->key, k1) == ce->key)) {
match_p = 1;
goto loop_end;
}
if(strcmp(nkey, ce->key) == 0) {
match_p = 1;
}
loop_end:
if(match_p) {
QAdd(&rsltq, &ce->ceq);
}
tq = QNext(cpq);
}
rslt = FormatCapBuf(&rsltq, qLen);
afs_osi_FreeStr(nkey); /* osi_Frees strlen(nkey), ok here */
return rslt;
}
#ifdef AFS_RXK5
static afs_int32 appendCapEnctype(char* dst, char* src, int *comma) {
if(*comma == 0) {
afs_strcat(dst, ",");
*comma = 1;
}
afs_strcat(dst, src);
return 0;
}
afs_int32 rxk5_InitCapabilities() {
char * capStr;
afs_int32 comma, capSize;
afs_warn("rxk5_InitCapabilities called\n");
comma = 0;
capSize = 128;
capStr = afs_osi_Alloc(capSize);
memset(capStr, 0, capSize);
appendCapEnctype(capStr, "1" /* DES_CBC_CRC */, &comma);
appendCapEnctype(capStr, "2" /* DES_CBC_MD4 */, &comma);
appendCapEnctype(capStr, "3" /* DES_CBC_MD5 */, &comma);
appendCapEnctype(capStr, "8" /* DES_HMAC_SHA1 */, &comma);
appendCapEnctype(capStr, "16" /* DES3_CBC_SHA1 */, &comma);
appendCapEnctype(capStr, "17" /* AES128_CTS_HMAC_SHA1_96 */, &comma);
appendCapEnctype(capStr, "18" /* AES256_CTS_HMAC_SHA1_96 */, &comma);
appendCapEnctype(capStr, "23" /* ARCFOUR_HMAC_MD5 */, &comma);
appendCapEnctype(capStr, "24" /* ARCFOUR_HMAC_MD5_56 */, &comma);
afs_AddCapability("rxk5.enctypes", capStr);
osi_Free(capStr, capSize);
return 0;
}
#endif
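Review bot: The loop in LenCapQueue compares `cpq` against `(struct afs_q*) &ceq`, the address of the local pointer variable rather than the list head it points to, so the termination test can never match and the walk runs off the end of the queue; FormatCapBuf repeats the same comparison, and both should read `cpq != ceq`. In the same loop `*cnt++` increments the pointer, not the count, so `*cnt` stays 0, `*len += 3 * cnt + 1` omits the `::` and newline bytes, and FormatCapBuf then writes past its afs_osi_Alloc'd buffer — it must be `(*cnt)++`. In afs_GetCapabilities, `QAdd(&rsltq, &ce->ceq)` relinks the entry's one queue node into a second list; unless QAdd also unlinks it from cap_Queue, the neighbours in the global table are rewired and the table is corrupted on the first query, and neither afs_GetCapability nor afs_GetCapabilities takes cap_queue_lock although afs_AddCapability takes the write lock. Separately, appendCapEnctype inserts the separator only when `*comma` is still zero, i.e. before the first element, so the advertised `rxk5.enctypes` value comes out as `,12381617182324` with no separators between enctypes; the condition should be inverted (`if (*comma) afs_strcat(dst, ","); *comma = 1;`).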


@ -0,0 +1,50 @@
/*
* Copyright (c) 2005, 2006
* The Linux Box Corporation
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of the Linux Box
* Corporation is not used in any advertising or publicity
* pertaining to the use or distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* Linux Box Corporation is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* This software is provided as is, without representation
* from the Linux Box Corporation as to its fitness for any
* purpose, and without warranty by the Linux Box Corporation
* of any kind, either express or implied, including
* without limitation the implied warranties of
* merchantability and fitness for a particular purpose. The
* regents of the Linux Box Corporation shall not be liable
* for any damages, including special, indirect, incidental, or
* consequential damages, with respect to any claim arising
* out of or in connection with the use of the software, even
* if it has been or is hereafter advised of the possibility of
* such damages.
*/
#ifndef AFS_CM_CAPABILITIES_H
#define AFS_CM_CAPABILITIES_H
#include "afs/param.h"
/* Initialize capabilities string table */
int afs_InitCapabilities();
/* Add a capability--called by subsystems during initialization */
int afs_AddCapability(const char* key, const char* value);
/* Lookup capability value by key */
const char* afs_GetCapability(const char* key);
/* Format a buffer with output of matching capabilities.
* On return, qLen is the length of this buffer, which must be freed
* by the caller */
char* afs_GetCapabilities(const char* qStr, /* out */ afs_int32 *qLen);
#endif /* AFS_CM_CAPABILITIES_H */
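Review bot: The header comment on afs_GetCapabilities does not mention that it returns NULL, with `*qLen` left untouched, when afs_InitCapabilities has not run — which the implementation does — and callers that memcpy from the result need to know. Suggested wording: `/* Format a buffer with the matching capabilities, or return NULL if the table is not yet initialized. On success *qLen is the buffer length, which the caller must free. */`. The declarations `afs_InitCapabilities()` and `rxk5`-independent `afs_GetCapabilities` also rely on the includer for `afs_int32` if afs/param.h does not provide it, and `int afs_InitCapabilities(void)` would make the no-argument contract explicit.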


@ -45,6 +45,16 @@ RCSID
#include <inet/ip.h>
#endif
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#ifdef USING_SSL
#include <k5ssl.h>
#else
#include <krb5.h>
#endif
#include <afs/rxk5_tkt.h>
#endif
/* Exported variables */
afs_rwlock_t afs_xconn; /* allocation lock for new things */
afs_rwlock_t afs_xinterface; /* for multiple client address */
@ -213,18 +223,36 @@ afs_ConnBySA(struct srvAddr *sap, unsigned short aport, afs_int32 acell,
if (tu->vid != UNDEFVID) {
int level;
isec = 2;
if (cryptall) {
#if 0
/* this is a myth. See note in viced/viced.c */
if (service == 1) isec = 3;
#endif
level = rxkad_crypt;
} else {
level = rxkad_clear;
}
isec = 2;
#ifdef AFS_RXK5
/* rxk5_clear, rxk5_auth, and rxk5_crypt have the same values as
rxkad_clear, rxkad_auth, and rxkad_crypt */
if(tu->rxk5creds) {
rxk5_creds *rxk5creds = (rxk5_creds*) tu->rxk5creds;
isec = 5;
if(level == rxkad_clear)
level = rxkad_auth;
csec = rxk5_NewClientSecurityObject(level, rxk5creds->k5creds, 0);
} else {
#endif
/* kerberos tickets on channel 2 */
csec = rxkad_NewClientSecurityObject(level,
(struct ktc_encryptionKey *)tu->ct.HandShakeKey,
/* kvno */
tu->ct.AuthHandle, tu->stLen,
tu->stp);
#ifdef AFS_RXK5
}
#endif
}
if (isec == 0)
csec = rxnull_NewClientSecurityObject();
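Review bot: `isec = 2;` is assigned twice in afs_ConnBySA — once before `if (cryptall)` and again right after it — so the second assignment is dead and should go; with it gone, the rxk5 branch's `isec = 5;` is the only place the security index changes, which is easier to read. The rxk5 branch also bumps `level` from clear to auth before calling rxk5_NewClientSecurityObject, and the comment explains only that the level constants match rxkad's, not why clear is refused; a line such as `/* rxk5 connections are never left unauthenticated: clear is promoted to auth (integrity only) */` would document the intent for anyone tuning cryptall. The function begins and ends outside the hunk.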


@ -342,7 +342,6 @@ afs_CheckRootVolume(void)
afs_rootFid.Cell = localcell;
if (afs_rootFid.Fid.Volume && afs_rootFid.Fid.Volume != volid
&& afs_globalVp) {
struct vcache *tvc = afs_globalVp;
/* If we had a root fid before and it changed location we reset
* the afs_globalVp so that it will be reevaluated.
* Just decrement the reference count. This only occurs during


@ -628,7 +628,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) p1);
ICL_APPENDINT32(logp, (afs_int32) 0);
#endif /* AFS_64BIT_CLIENT */
#else /* AFSLITTLE_ENDIAN */
#else /* WORDS_BIGENDIAN */
#ifdef AFS_64BIT_CLIENT
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p1)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p1)[1]);
@ -636,7 +636,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) 0);
ICL_APPENDINT32(logp, (afs_int32) p1);
#endif /* AFS_64BIT_CLIENT */
#endif /* AFSLITTLE_ENDIAN */
#endif /* WORDS_BIGENDIAN */
} else if (t1 == ICL_TYPE_FID) {
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p1)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p1)[1]);
@ -668,7 +668,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) p2);
ICL_APPENDINT32(logp, (afs_int32) 0);
#endif /* AFS_64BIT_CLIENT */
#else /* AFSLITTLE_ENDIAN */
#else /* WORDS_BIGENDIAN */
#ifdef AFS_64BIT_CLIENT
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p2)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p2)[1]);
@ -676,7 +676,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) 0);
ICL_APPENDINT32(logp, (afs_int32) p2);
#endif /* AFS_64BIT_CLIENT */
#endif /* AFSLITTLE_ENDIAN */
#endif /* WORDS_BIGENDIAN */
} else if (t2 == ICL_TYPE_FID) {
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p2)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p2)[1]);
@ -708,7 +708,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) p3);
ICL_APPENDINT32(logp, (afs_int32) 0);
#endif /* AFS_64BIT_CLIENT */
#else /* AFSLITTLE_ENDIAN */
#else /* WORDS_BIGENDIAN */
#ifdef AFS_64BIT_CLIENT
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p3)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p3)[1]);
@ -716,7 +716,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) 0);
ICL_APPENDINT32(logp, (afs_int32) p3);
#endif /* AFS_64BIT_CLIENT */
#endif /* AFSLITTLE_ENDIAN */
#endif /* WORDS_BIGENDIAN */
} else if (t3 == ICL_TYPE_FID) {
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p3)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p3)[1]);
@ -748,7 +748,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) p4);
ICL_APPENDINT32(logp, (afs_int32) 0);
#endif /* AFS_64BIT_CLIENT */
#else /* AFSLITTLE_ENDIAN */
#else /* WORDS_BIGENDIAN */
#ifdef AFS_64BIT_CLIENT
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p4)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p4)[1]);
@ -756,7 +756,7 @@ afs_icl_AppendRecord(register struct afs_icl_log *logp, afs_int32 op,
ICL_APPENDINT32(logp, (afs_int32) 0);
ICL_APPENDINT32(logp, (afs_int32) p4);
#endif /* AFS_64BIT_CLIENT */
#endif /* AFSLITTLE_ENDIAN */
#endif /* WORDS_BIGENDIAN */
} else if (t4 == ICL_TYPE_FID) {
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p4)[0]);
ICL_APPENDINT32(logp, (afs_int32) ((afs_int32 *) p4)[1]);


@ -16,6 +16,15 @@
#include <afsconfig.h>
#include "afs/param.h"
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#ifdef USING_SSL
#include <k5ssl.h>
#endif
#include <afs_capabilities.h>
void rxk5_OnetimeInit();
#endif
RCSID
("$Header$");
@ -480,6 +489,13 @@ afs_ResourceInit(int preallocs)
LOCK_INIT(&osi_flplock, "osi_flplock");
#endif
RWLOCK_INIT(&afs_xconn, "afs_xconn");
#ifdef AFS_RXK5
/* initialize Rxk5 rwlocks */
rxk5_OnetimeInit();
/* capabilities string table */
afs_InitCapabilities();
#endif
afs_CellInit();
afs_InitCBQueue(1); /* initialize callback queues */
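Review bot: afs_InitCapabilities() is called only inside `#ifdef AFS_RXK5`, while the PGetCapabilities entry in the pioctl dispatch table added elsewhere in this commit is unconditional; in a non-rxk5 build cap_Initialized stays clear, so every query logs "module no initialized" and returns NULL. If afs_capabilities.c is built regardless of rxk5, move `afs_InitCapabilities();` out of the guard — it already gates its rxk5 part internally. The forward declaration `void rxk5_OnetimeInit();` belongs in an rxk5 header rather than at the top of this .c file, and `#include <afs_capabilities.h>` uses angle brackets where afs_pioctl.c includes the same header with quotes; pick one form.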


@ -421,14 +421,16 @@ AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
int
afs_InitReq(register struct vrequest *av, struct AFS_UCRED *acred)
{
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
int code;
#endif
AFS_STATCNT(afs_InitReq);
memset(av, 0, sizeof(*av));
if (afs_shuttingdown)
return EIO;
#ifdef AFS_LINUX26_ENV
#if defined(AFS_LINUX26_ENV) && defined(CONFIG_GSSRPC)
#if !defined(AFS_NONFSTRANS)
if (osi_linux_nfs_initreq(av, acred, &code))
return code;


@ -10,6 +10,8 @@
#include <afsconfig.h>
#include "afs/param.h"
#include "afs_capabilities.h"
RCSID
("$Header$");
@ -25,6 +27,19 @@ RCSID
#include "afs/vice.h"
#include "rx/rx_globals.h"
#ifdef AFS_RXK5
#ifdef USING_SSL
#include <k5ssl.h>
#else
#include <krb5.h>
#endif
#include <rx/rxk5.h>
#include <afs/rxk5_tkt.h>
#else
#include <afs/afs_token.h>
#include <afs/afs_token_protos.h>
#endif
struct VenusFid afs_rootFid;
afs_int32 afs_waitForever = 0;
short afs_waitForeverCount = 0;
@ -91,6 +106,9 @@ DECL_PIOCTL(PPrefetchFromTape);
DECL_PIOCTL(PResidencyCmd);
DECL_PIOCTL(PCallBackAddr);
DECL_PIOCTL(PNFSNukeCreds);
DECL_PIOCTL(PGetCapabilities);
DECL_PIOCTL(PGetTokensNew);
DECL_PIOCTL(PSetTokensNew);
/*
* A macro that says whether we're going to need HandleClientContext().
@ -193,6 +211,11 @@ static int (*(CpioctlSw[])) () = {
PNewAlias, /* 1 -- create new cell alias */
PListAliases, /* 2 -- list cell aliases */
PCallBackAddr, /* 3 -- request addr for callback rxcon */
PBogus, /* 4 */
PBogus, /* 5 -- get/set disconnected */
PGetCapabilities, /* 6 - query cache manager capabilities string table */
PGetTokensNew, /* 7 -- get tokens */
PSetTokensNew, /* 8 -- set tokens */
};
static int (*(OpioctlSw[])) () = {
@ -1346,6 +1369,8 @@ DECL_PIOCTL(PSetTokens)
return EINVAL;
}
memcpy((char *)&clear, ain, sizeof(struct ClearToken));
if (clear.ViceId == UNDEFVID)
return EINVAL;
if (clear.AuthHandle == -1)
clear.AuthHandle = 999; /* more rxvab compat stuff */
ain += sizeof(struct ClearToken);
@ -1394,13 +1419,20 @@ DECL_PIOCTL(PSetTokens)
afs_InitReq(&treq, *acred);
areq = &treq;
}
}
} /* } } */
/* now we just set the tokens */
tu = afs_GetUser(areq->uid, i, WRITE_LOCK); /* i has the cell # */
tu->vid = clear.ViceId;
if (tu->stp != NULL) {
afs_osi_Free(tu->stp, tu->stLen);
}
#ifdef AFS_RXK5
if (tu->rxk5creds) {
krb5_context k5context = rxk5_get_context(0);
rxk5_free_creds(k5context, (rxk5_creds*) tu->rxk5creds);
tu->rxk5creds = 0;
}
#endif
tu->stp = (char *)afs_osi_Alloc(stLen);
tu->stLen = stLen;
memcpy(tu->stp, stp, stLen);
@ -1781,6 +1813,13 @@ DECL_PIOCTL(PUnlog)
if (tu->uid == areq->uid) {
tu->vid = UNDEFVID;
tu->states &= ~UHasTokens;
#ifdef AFS_RXK5
if(tu->rxk5creds) {
krb5_context k5context = rxk5_get_context(0);
rxk5_free_creds(k5context, (rxk5_creds*) tu->rxk5creds);
tu->rxk5creds = NULL;
}
#endif
/* security is not having to say you're sorry */
memset((char *)&tu->ct, 0, sizeof(struct ClearToken));
tu->refCount++;
@ -3909,7 +3948,7 @@ DECL_PIOCTL(PCallBackAddr)
DECL_PIOCTL(PNFSNukeCreds)
{
afs_uint32 addr, code;
afs_uint32 addr;
register afs_int32 i;
register struct unixuser *tu;
@ -3958,3 +3997,368 @@ DECL_PIOCTL(PNFSNukeCreds)
ReleaseWriteLock(&afs_xuser);
return 0;
}
DECL_PIOCTL(PGetCapabilities)
{
char *rsltStr;
afs_int32 rsltLen;
AFS_STATCNT(PGetCapabilities);
rsltStr = afs_GetCapabilities(ain, &rsltLen);
memcpy(aout, rsltStr, rsltLen); /* todo: max aout is AFS_LRALLOCSIZ */
*aoutSize = rsltLen;
osi_Free(rsltStr, rsltLen);
return 0;
}
DECL_PIOCTL(PGetTokensNew)
{
afs_int32 code;
register struct unixuser *tu;
register struct cell *tcell;
register afs_int32 i;
afs_token *a_token;
#ifdef AFS_RXK5
krb5_context k5_context;
#endif
int bufsize;
afs_int32 iterator, style;
void *buf;
AFS_STATCNT(PGetTokensNew);
if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
return EIO; /* Inappropriate ioctl for device */
/* presumably, redundant */
*aoutSize = 0;
/* If no input parameter, return tokens for cell 1.
* If input parameter is just an integer, return the parm'th tokens
* for this unix uid. Return EDOM if counter out of range.
* if input parameter is integer 0 followed by string,
* ignore the 0 and look look by cell name.
* If no tokens for the particular cell, return ENOTCONN.
* Tokens are returned to the client as an XDR-encoded afs_token structure,
* a variant record discriminated by the token type. The primary cell indicator
* and cell name are always sent in the afs_token structure.
*/
a_token = 0;
if (!ainSize)
style = 0;
else if (ainSize == sizeof(afs_int32))
style = 1;
else if (ainSize > sizeof(afs_int32))
style = 2;
else
return EINVAL;
if (style) {
memcpy((char *)&iterator, ain, sizeof(afs_int32));
}
if (style < 2) {
i = UHash(areq->uid);
ObtainReadLock(&afs_xuser);
for (tu = afs_users[i]; tu; tu = tu->next) {
if (style) {
if (tu->uid == areq->uid && (tu->states & UHasTokens)) {
if (iterator-- == 0)
break; /* are we done yet? */
}
} else {
if (tu->uid == areq->uid && afs_IsPrimaryCellNum(tu->cell))
break;
}
}
if (tu) {
/*
* No need to hold a read lock on each user entry
*/
tu->refCount++;
}
ReleaseReadLock(&afs_xuser);
} else {
if (iterator) return EINVAL; /* mbz */
if (ain[ainSize - 1]) return EINVAL; /* not 0 terminated */
tcell = afs_GetCellByName(ain+sizeof(afs_int32), READ_LOCK);
if (tcell) {
i = tcell->cellNum;
afs_PutCell(tcell, READ_LOCK);
tu = afs_GetUser(areq->uid, i, READ_LOCK);
if (tu && !(tu->states & UHasTokens)) {
code = ENOTCONN;
goto Failed;
}
} else tu = 0;
}
if (!tu) {
return EDOM;
}
/* if we get here, we have creds */
#ifdef AFS_RXK5
if(tu->rxk5creds) {
/* expired? */
if(((rxk5_creds*) tu->rxk5creds)->k5creds->times.endtime < osi_Time()) {
code = ENOTCONN;
goto Failed;
}
k5_context = rxk5_get_context(0);
code = make_afs_token_rxk5(
k5_context,
((rxk5_creds*) tu->rxk5creds)->cell,
((rxk5_creds*) tu->rxk5creds)->ViceId,
((rxk5_creds*) tu->rxk5creds)->k5creds,
&a_token);
if(code) {
afs_warn("PGetTokensNew: trouble serializing rxk5creds (oops)\n");
code = EINVAL;
goto Failed;
}
} else {
#endif /* AFS_RXK5 */
/* no creds or, perhaps, expired? */
if (((tu->states & UHasTokens) == 0)
|| (tu->ct.EndTimestamp < osi_Time())) {
tu->states |= (UTokensBad | UNeedsReset);
code = ENOTCONN;
goto Failed;
}
/* make an rxkad_token */
tcell = afs_GetCell(tu->cell, READ_LOCK);
if (!tcell) {
code = ESRCH;
goto Failed;
}
code = make_afs_token_rxkad_k(
tcell->cellName,
(n_clear_token *) &tu->ct, /* XXX ugh */
tu->stp,
tu->stLen,
((tu->states & UPrimary) == 1) ? 1 : 0,
&a_token);
afs_PutCell(tcell, READ_LOCK);
if(code) {
afs_warn("PGetTokensNew: trouble serializing rxkad creds (oops)\n");
code = EINVAL;
goto Failed;
}
#ifdef AFS_RXK5
}
#endif
/* send token if we have one */
if(a_token) {
buf = aout;
bufsize = AFS_LRALLOCSIZ;
code = encode_afs_token(a_token, buf, &bufsize);
*aoutSize = bufsize;
free_afs_token(a_token);
}
/* we have tu */
Failed:
afs_PutUser(tu, READ_LOCK);
return code;
}
DECL_PIOCTL(PSetTokensNew)
{
afs_int32 i;
register struct unixuser *tu;
register struct cell *tcell;
afs_int32 primflag;
struct vrequest treq;
int code, rslt;
afs_token *a_token;
#ifdef AFS_RXK5
rxk5_creds *rxk5creds;
krb5_context k5context = 0;
rxk5_token *k5_token;
#endif
afs_int32 set_parent_pag;
rxkad_token *kad_token;
AFS_STATCNT(PSetTokensNew);
primflag = 0;
rslt = 666;
if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
return EIO; /* Inappropriate ioctl for device */
a_token = 0;
#ifdef AFS_RXK5
rxk5creds = 0;
k5_token = 0;
#endif
kad_token = 0;
set_parent_pag = 0;
code = parse_afs_token(ain, ainSize, &a_token);
if(code)
return EINVAL;
switch(a_token->cu->cu_type) {
case CU_NOAUTH:
tcell = afs_GetCellByName(a_token->cell, READ_LOCK);
break;
case CU_KAD:
/* rxkad */
kad_token = &(a_token->cu->cu_u.cu_kad);
if (kad_token->token.viceid == UNDEFVID)
return EINVAL;
if (kad_token->ticket.ticket_len > (unsigned) MAXKTCTICKETLEN)
return EINVAL;
/* for rxkad, do what we always did */
primflag = kad_token->primary_flag;
if ((primflag & 0x8000) != 0) { /* XXX Use Constant XXX */
primflag &= ~0x8000;
set_parent_pag = 1;
}
tcell = afs_GetCellByName(a_token->cell, READ_LOCK);
/* except apparently the only way to trigger primary cell
behavior was to not send a flag and cell name --
check if this should be emulated as a flag */
break;
#ifdef AFS_RXK5
case CU_K5:
/* rxk5 */
k5context = rxk5_get_context(0);
k5_token = &(a_token->cu->cu_u.cu_rxk5);
if((a_token->flags & KTC_EX_SETPAG) != 0) {
set_parent_pag = 1;
}
if((a_token->cell) && strlen(a_token->cell) > 0) {
/* normally, we'll be here */
tcell = afs_GetCellByName(a_token->cell, READ_LOCK);
primflag = 0;
}
else {
tcell = afs_GetPrimaryCell(READ_LOCK);
primflag = 1;
}
code = afs_token_to_rxk5_creds(a_token, &rxk5creds);
if(code) {
afs_warn("PSetTokensNew: failed converting afs_token to rxk5creds");
return EINVAL;
}
break;
#endif /* AFS_RXK5 */
default:
afs_warn("Unknown credential type %d passed to PSetTokensNew\n",
a_token->cu->cu_type);
return EINVAL;
}
if (!tcell)
goto nocell;
i = tcell->cellNum;
afs_PutCell(tcell, READ_LOCK);
if (set_parent_pag) {
afs_int32 pag;
#if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
#if defined(AFS_DARWIN_ENV)
struct proc *p = current_proc(); /* XXX */
#else
struct proc *p = curproc; /* XXX */
#endif
#ifndef AFS_DARWIN80_ENV
uprintf("Process %d (%s) tried to change pags in PSetTokens\n",
p->p_pid, p->p_comm);
#endif
if (!setpag(p, acred, -1, &pag, 1)) {
#else
#ifdef AFS_OSF_ENV
if (!setpag(u.u_procp, acred, -1, &pag, 1)) { /* XXX u.u_procp is a no-op XXX */
#else
if (!setpag(acred, -1, &pag, 1)) {
#endif
#endif
afs_InitReq(&treq, *acred);
areq = &treq;
}
} /* } } */
tu = afs_GetUser(areq->uid, i, WRITE_LOCK); /* Index i has the cell # */
/* If the user has creds, discard */
if (tu->stp != NULL) {
afs_osi_Free(tu->stp, tu->stLen);
}
tu->stLen = 0;
tu->stp = 0;
#ifdef AFS_RXK5
if(tu->rxk5creds != NULL) {
rxk5_free_creds(k5context, (rxk5_creds*) tu->rxk5creds);
tu->rxk5creds = NULL;
}
#endif
memset((char *)&tu->ct, 0, sizeof(struct ClearToken));
switch(a_token->cu->cu_type) {
case CU_KAD:
/* rxkad token */
if(kad_token->token.kvno == -1)
tu->ct.AuthHandle = 999;
else
tu->ct.AuthHandle = kad_token->token.kvno;
memcpy(tu->ct.HandShakeKey, kad_token->token.m_key, 8);
tu->ct.ViceId = kad_token->token.viceid;
tu->ct.BeginTimestamp = kad_token->token.begintime;
tu->ct.EndTimestamp = kad_token->token.endtime;
tu->vid = tu->ct.ViceId;
/* and the ticket */
tu->stLen = kad_token->ticket.ticket_len;
tu->stp = (char *) afs_osi_Alloc(tu->stLen);
memcpy(tu->stp, kad_token->ticket.ticket_val, tu->stLen);
break;
#ifdef AFS_RXK5
case CU_K5:
/* rxk5 */
tu->vid = 555; /* ignore: rxk5creds->ViceId */
tu->rxk5creds = (rxk5_creds_opaque) rxk5creds;
rxk5creds = 0;
break;
#endif /* AFS_RXK5 */
case CU_NOAUTH:
tu->vid = UNDEFVID;
tu->states &= ~UHasTokens;
tu->tokenTime = 0;
goto Release;
}
#ifndef AFS_NOSTATS
afs_stats_cmfullperf.authent.TicketUpdates++;
afs_ComputePAGStats();
#endif /* AFS_NOSTATS */
rslt = 0;
tu->states |= UHasTokens;
tu->states &= ~UTokensBad;
afs_SetPrimary(tu, primflag);
tu->tokenTime = osi_Time();
Release:
afs_ResetUserConns(tu);
afs_PutUser(tu, WRITE_LOCK);
goto out;
nocell:
{
int t1;
t1 = afs_initState;
if (t1 < 101)
rslt = EIO;
else
rslt = ESRCH;
}
out:
if(a_token)
free_afs_token(a_token);
#ifdef AFS_RXK5
if(rxk5creds)
rxk5_free_creds(k5context, rxk5creds);
#endif
return rslt;
}
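Review bot: PGetCapabilities copies `rsltLen` bytes into `aout` without checking that `rsltStr` is non-NULL (afs_GetCapabilities returns NULL when the table is uninitialized, leaving `rsltLen` unset) or that `rsltLen` fits the output buffer — the `/* todo: max aout is AFS_LRALLOCSIZ */` comment acknowledges the latter — and it hands `ain` to a strchr/strdup-based parser without the `ain[ainSize - 1]` NUL-termination check that PGetTokensNew performs; all three should be rejected with EINVAL/EIO before the memcpy. In PSetTokensNew every `return EINVAL;` after `parse_afs_token` has succeeded (the viceid and ticket-length checks, the rxk5 conversion failure and the default case) leaks `a_token`; they should be `rslt = EINVAL; goto out;` so free_afs_token runs. Also in PSetTokensNew, `k5context` is only obtained in the CU_K5 case, yet the `rxk5_free_creds(k5context, ...)` that discards an existing `tu->rxk5creds` runs for CU_KAD and CU_NOAUTH tokens too and so passes a null context, whereas PSetTokens and PUnlog call `rxk5_get_context(0)` immediately before freeing. In PGetTokensNew the primary flag is computed as `((tu->states & UPrimary) == 1) ? 1 : 0`, which is only right if UPrimary happens to be bit 0; `(tu->states & UPrimary) ? 1 : 0` is presumably what was meant. The placeholder `tu->vid = 555;` for rxk5 tokens needs either the real `rxk5creds->ViceId` or a comment, since tu->vid is what the expiry warnings in afs_user.c report.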


@ -639,6 +639,9 @@ struct afs_CMCallStats {
afs_int32 C_SRXAFSCB_GetCacheConfig; /* afs_callback.c */
afs_int32 C_SRXAFSCB_GetCE64; /* afs_callback.c */
afs_int32 C_SRXAFSCB_GetCellByNum; /* afs_callback.c */
afs_int32 C_PGetCapabilities; /* afs_pioctl.c */
afs_int32 C_PGetTokensNew; /* afs_pioctl.c */
afs_int32 C_PSetTokensNew; /* afs_pioctl.c */
};
struct afs_CMMeanStats {


@ -45,6 +45,16 @@ RCSID
#include <inet/ip.h>
#endif
#ifdef AFS_RXK5
#ifdef USING_SSL
#include <k5ssl.h>
#else
#include <krb5.h>
#endif
#include <rx/rxk5.h>
#include <afs/rxk5_tkt.h>
#endif
/* Exported variables */
afs_rwlock_t afs_xuser;
@ -118,12 +128,24 @@ afs_GCUserData(int aforce)
/* Don't garbage collect users in use now (refCount) */
if (tu->refCount == 0) {
if (tu->states & UHasTokens) {
#ifdef AFS_RXK5
rxk5_creds *rxk5creds = (rxk5_creds*) tu->rxk5creds;
if( rxk5creds ? rxk5creds->k5creds->times.endtime < (now - NOTOKTIMEOUT):
tu->ct.EndTimestamp < (now - NOTOKTIMEOUT)) {
struct cell *tcell = afs_GetCell(tu->cell, READ_LOCK);
afs_warn
("afs: Tokens for user of AFS id %d for cell %s expired now\n",
tu->vid, tcell->cellName);
afs_PutCell(tcell, READ_LOCK);
#else
/*
* Give ourselves a little extra slack, in case we
* reauthenticate
*/
if (tu->ct.EndTimestamp < now - NOTOKTIMEOUT)
if (tu->ct.EndTimestamp < now - NOTOKTIMEOUT) {
#endif
delFlag = 1;
}
} else {
if (aforce || (tu->tokenTime < now - NOTOKTIMEOUT))
delFlag = 1;
@ -131,6 +153,16 @@ afs_GCUserData(int aforce)
}
nu = tu->next;
if (delFlag) {
#ifdef AFS_RXK5
if(tu->rxk5creds) {
krb5_context k5context;
k5context = rxk5_get_context(0);
afs_warn("Expired rxk5 connection found for user %d, and GC'd\n",
tu->vid);
rxk5_free_creds(k5context, (rxk5_creds*) tu->rxk5creds);
tu->rxk5creds = NULL;
}
#endif
*lu = tu->next;
#ifndef AFS_PAG_MANAGER
RemoveUserConns(tu);
@ -182,16 +214,26 @@ afs_CheckTokenCache(void)
* check expiration
*/
if (!(tu->states & UTokensBad) && tu->vid != UNDEFVID) {
#ifdef AFS_RXK5
rxk5_creds *rxk5creds = (rxk5_creds*) tu->rxk5creds;
if( rxk5creds ? rxk5creds->k5creds->times.endtime < now :
tu->ct.EndTimestamp < now) {
#else
if (tu->ct.EndTimestamp < now) {
#endif
/*
* This token has expired, warn users and reset access
* cache.
*/
#ifdef notdef
/* I really hate this message - MLK */
#ifdef AFS_RXK5
/* I really hate this message - MLK */
{
struct cell *tcell = afs_GetCell(tu->cell, READ_LOCK);
afs_warn
("afs: Tokens for user of AFS id %d for cell %s expired now\n",
tu->vid, afs_GetCell(tu->cell)->cellName);
("afs: Tokens for user of AFS id %d for cell %s expired now\n",
tu->vid, tcell->cellName);
afs_PutCell(tcell, READ_LOCK);
}
#endif
tu->states |= (UTokensBad | UNeedsReset);
}
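Review bot: In the new AFS_RXK5 branches of afs_GCUserData and afs_CheckTokenCache, `tcell` returned by afs_GetCell() is dereferenced for `tcell->cellName` with no NULL check, whereas PGetTokensNew in this same commit tests `if (!tcell)` after the same call; add the check or fall back to printing `tu->cell`. Changing `#ifdef notdef` to `#ifdef AFS_RXK5` re-enables the "Tokens ... expired now" message (still annotated "I really hate this message") for every rxk5 build, including rxkad-only users, while the GC path now prints it only in rxk5 builds; if the message is wanted, gate it on `tu->rxk5creds` or make both builds behave the same. The expiry tests also assume `rxk5creds->k5creds` is non-NULL whenever `rxk5creds` is set — presumably guaranteed by afs_token_to_rxk5_creds, but worth stating in a comment. Both functions begin and end outside the hunks.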


@ -47,6 +47,12 @@ RCSID
#include "afs/afs_cbqueue.h"
#include "afs/afs_osidnlc.h"
#ifdef AFS_AIX42_ENV /* I don't know why AIX exports freeVCList... */
#define STATIC_BUT_FOR_AIX /**/
#else
#define STATIC_BUT_FOR_AIX static
#endif
#if defined(AFS_OSF_ENV) || defined(AFS_LINUX22_ENV)
afs_int32 afs_maxvcount = 0; /* max number of vcache entries */
afs_int32 afs_vcount = 0; /* number of vcache in use now */
@ -65,7 +71,7 @@ afs_rwlock_t afs_xvcache; /*Lock: alloc new stat cache entries */
afs_rwlock_t afs_xvreclaim; /*Lock: entries reclaimed, not on free list */
afs_lock_t afs_xvcb; /*Lock: fids on which there are callbacks */
#if !defined(AFS_LINUX22_ENV)
static struct vcache *freeVCList; /*Free list for stat cache entries */
STATIC_BUT_FOR_AIX struct vcache *freeVCList; /*Free list for stat cache entries */
struct vcache *ReclaimedVCList; /*Reclaimed list for stat entries */
static struct vcache *Initial_freeVCList; /*Initial list for above */
#endif
@ -670,7 +676,6 @@ afs_NewVCache(struct VenusFid *afid, struct server *serverp)
#endif
{
int i;
char *panicstr;
i = 0;
for (tq = VLRU.prev; tq != &VLRU && anumber > 0; tq = uq) {
@ -2942,7 +2947,9 @@ afs_NFSFindVCache(struct vcache **avcp, struct VenusFid *afid)
void
afs_vcacheInit(int astatSize)
{
#if !defined(AFS_OSF_ENV) && !defined(AFS_LINUX22_ENV)
register struct vcache *tvp;
#endif
int i;
#if defined(AFS_OSF_ENV) || defined(AFS_LINUX22_ENV)
if (!afs_maxvcount) {


@ -9,6 +9,7 @@ srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
UKSRCS=nsafs.h nsafs.c securehash.c
@ -157,8 +158,8 @@ LIBS=${kauthlib} ${TOP_LIBDIR}/libubik.a ${TOP_LIBDIR}/libprot.a \
${authlib} ${rxkadlib} ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a ${deslib} ${cmdlib} \
${TOP_LIBDIR}/libcom_err.a ${utilib} \
$(DBM) $(XLIBS)
${utilib} \
$(DBM)
AR=ar
ARFLAGS=rv
@ -172,7 +173,7 @@ OBJS=$(LIBOBJS) apache_afs_weblog.o weblog.o
weblog: weblog.o $(APACHE_AFS_COMMON_LIB) $(DCE_ADK_LIB)
$(CC) -o $@ weblog.o $(APACHE_AFS_COMMON_LIB) $(LIBS) $(DCE_ADK_LIB) $(XLIBS)
$(CC) -o $@ weblog.o $(APACHE_AFS_COMMON_LIB) $(LIBS) $(LIBCOM_ERR) $(DCE_ADK_LIB) $(XLIBS)
weblog_starter: apache_afs_weblog.o weblog_errors.h
$(CC) -o $@ apache_afs_weblog.o


@ -75,17 +75,6 @@ static char **zero_argv;
static int readPipe;
static int writePipe;
/*
* now I know why this was necessary! - it's a hokie thing -
* the call to ka_UserAuthenticateGeneral doesn't compile otherwise
*/
int
osi_audit()
{
return 0;
}
main(int argc, char **argv)
{
struct cmd_syndesc *ts;


@ -1,3 +1,4 @@
Makefile
aklog
asetkey
klog


@ -5,30 +5,45 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
OPTMZ = @KRB5CFLAGS@ -DALLOW_REGISTER
AKLIBS = ${LIBS} @KRB5LIBS@
AFSLIBS = ${TOP_LIBDIR}/libprot.a ${TOP_LIBDIR}/libubik.a \
${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/librxkad.a \
${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a \
${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/libafsutil.a
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
KRB5LIBS=@KRB5LIBS@
SRCS= aklog.c aklog_main.c krb_util.c linked_list.c
OBJS= aklog.o aklog_main.o krb_util.o linked_list.o
COMERR = ../comerr
OPTMZ = ${KRB5CFLAGS} -DALLOW_REGISTER
AKLIBS = ${LIBS}
AFSLIBS = ${TOP_LIBDIR}/libprot.a ${TOP_LIBDIR}/libauth.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libubik.a ${TOP_LIBDIR}/librxkad.a \
${RXK5} ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a \
${TOP_LIBDIR}/libdes.a ${TOP_LIBDIR}/libafsutil.a
all: aklog asetkey
SRCS= aklog.c aklog_main.c linked_list.c skipwrap.c krb_util.c
OBJS= aklog.o aklog_main.o linked_list.o afserror.o skipwrap.o krb_util.o
all: aklog asetkey klog
aklog: ${OBJS} ${AFSLIBS}
${CC} -o $@ ${CFLAGS} ${OBJS} ${AKLIBS} ${AFSLIBS} ${XLIBS}
${CC} -o $@ ${CFLAGS} ${OBJS} ${LIBS} ${AFSLIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
asetkey: asetkey.o ${AFSLIBS}
${CC} -o $@ ${CFLAGS} asetkey.o ${AKLIBS} ${AFSLIBS} ${XLIBS}
${CC} -o $@ ${CFLAGS} asetkey.o ${LIBS} ${AFSLIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
klog: klog.o skipwrap.o ${AFSLIBS}
${CC} -o $@ ${CFLAGS} klog.o skipwrap.o ${LIBS} ${AFSLIBS} \
${TOP_LIBDIR}/libcmd.a \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
afserror.o: $(COMERR)/afserror.c
$(CC) $(CFLAGS) -c $(COMERR)/afserror.c
#
# Installation targets
#
install: \
${DESTDIR}${bindir}/aklog ${DESTDIR}${afssrvbindir}/asetkey
${DESTDIR}${bindir}/aklog ${DESTDIR}${afssrvbindir}/asetkey ${DESTDIR}${bindir}/klog
${DESTDIR}${bindir}/aklog: aklog
${INSTALL} $? $@
@ -36,8 +51,11 @@ ${DESTDIR}${bindir}/aklog: aklog
${DESTDIR}${afssrvbindir}/asetkey: asetkey
${INSTALL} $? $@
${DESTDIR}${bindir}/klog: klog
${INSTALL} $? $@
dest: \
${DEST}/bin/aklog ${DEST}/root.server/usr/afs/bin/asetkey
${DEST}/bin/aklog ${DEST}/root.server/usr/afs/bin/asetkey ${DEST}/bin/klog
${DEST}/bin/aklog: aklog
${INSTALL} $? $@
@ -45,11 +63,14 @@ ${DEST}/bin/aklog: aklog
${DEST}/root.server/usr/afs/bin/asetkey: asetkey
${INSTALL} $? $@
${DEST}/bin/klog: klog
${INSTALL} $? $@
#
# Misc. targets
#
clean:
$(RM) -f *.o ${OBJS} aklog asetkey
$(RM) -f *.o ${OBJS} aklog asetkey klog
include ../config/Makefile.version
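Review bot: The new `klog` rule links `${TOP_LIBDIR}/libcmd.a` but does not list it as a prerequisite, so a rebuilt libcmd.a never relinks klog; `klog: klog.o skipwrap.o ${AFSLIBS} ${TOP_LIBDIR}/libcmd.a` keeps the dependency graph honest, which is exactly why the other link rules name `${AFSLIBS}`. `AKLIBS = ${LIBS}` is still assigned but no longer referenced by any recipe (the link lines now use `${LIBS}` and `${KRB5LIBS}` directly), leaving a dead knob that should either be dropped or used. The `afserror.o` recipe relies on the compiler's default output name; `$(CC) $(CFLAGS) -c $(COMERR)/afserror.c -o $@` states what is produced. Whether `${KRB5CFLAGS}`, which replaces `@KRB5CFLAGS@` in `OPTMZ`, is provided by Makefile.config cannot be seen here; if it is not, `OPTMZ` silently loses the Kerberos include path.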


@ -12,7 +12,7 @@
static char *rcsid_aklog_h = "$Id$";
#endif /* lint || SABER */
#include <krb5.h>
/* #include <krb5.h> */
#include "linked_list.h"
#include <afsconfig.h>
@ -104,4 +104,6 @@ struct afsconf_cell {
#endif /* WINDOWS */
int afs_krb5_skip_ticket_wrapper(char *, size_t, char **, size_t *);
#endif /* __AKLOG_H__ */
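Review bot: The new prototype `int afs_krb5_skip_ticket_wrapper(char *, size_t, char **, size_t *);` uses `size_t`, but the system header that previously brought in such types, `<krb5.h>`, is commented out in this same change, so the header no longer guarantees `size_t` is declared before its first use; `#include <stddef.h>` near the top of aklog.h makes it self-contained. The commented-out `/* #include <krb5.h> */` is dead code: if the include is gone for good, delete the line, and if it is conditional, gate it with the `AFS_RXK5` test that aklog_main.c uses rather than leaving a comment behind.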


@ -39,13 +39,11 @@ static char *rcsid =
#include <pwd.h>
#endif /* WINDOWS */
/* on AIX AFS has an unresolved reference to osi_audit. We will define
* it here as extern. It also trys to call the ntohl and htonl routines
* as routines rather then macros. We need a real routine here.
* We do this before the ntohl and htonl macros are defined in net/in.h
/* on AIX AFS trys to call the ntohl and htonl routines as routines
* rather then macros. We need a real routine here. We do this before
* the ntohl and htonl macros are defined in net/in.h
* XXX is this still true? If so should fix.
*/
int osi_audit()
{ return(0);}
#if 0
#ifdef _AIX
@ -61,7 +59,6 @@ u_long ntohl(u_long x)
#endif /* 0 */
#include <afs/stds.h>
#include <krb5.h>
#ifdef WINDOWS
@ -79,7 +76,6 @@ u_long ntohl(u_long x)
#include <sys/ioccom.h>
#endif
#include <afs/auth.h>
#include <afs/cellconfig.h>
#include <afs/vice.h>
#include <afs/venus.h>
#include <afs/ptserver.h>
@ -87,10 +83,18 @@ u_long ntohl(u_long x)
#include <afs/dirpath.h>
#endif /* WINDOWS */
#include <afs/cellconfig.h> /* XXX does windows have this? */
#ifdef AFS_RXK5
#include "rxk5_utilafs.h"
#else
#include <krb5.h>
#endif
#include "aklog.h"
#include "linked_list.h"
#define AFSKEY "afs"
#define AFS_K5_KEY "afs-k5"
#define AFSINST ""
#ifndef AFS_TRY_FULL_PRINC
@ -203,8 +207,10 @@ static int get_user_realm(krb5_context, char *);
#if !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC)
#define krb5_524_convert_creds krb524_convert_creds_kdc
#elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC)
#if 0
#error "You must have one of krb5_524_convert_creds or krb524_convert_creds_kdc available"
#endif
#endif
#endif /* WINDOWS */
@ -217,6 +223,10 @@ extern char *sys_errlist[];
#define strerror(x) sys_errlist[x]
#endif /* HAVE_STRERROR */
#define DO524_NO 1
#define DO524_YES 2
#define DO524_LOCAL 3
static char *progname = NULL; /* Name of this program */
static int dflag = FALSE; /* Give debugging information */
static int noauth = FALSE; /* If true, don't try to get tokens */
@ -226,7 +236,10 @@ static int noprdb = FALSE; /* Skip resolving name to id? */
static int linked = FALSE; /* try for both AFS nodes */
static int afssetpag = FALSE; /* setpag for AFS */
static int force = FALSE; /* Bash identical tokens? */
static int do524 = FALSE; /* Should we do 524 instead of rxkad2b? */
static int do524 = DO524_NO; /* Should we do 524 instead of rxkad2b? */
#ifdef AFS_RXK5
static int rxk5; /* Use rxk5 enctype selection and settoken behavior */
#endif
static linked_list zsublist; /* List of zephyr subscriptions */
static linked_list hostlist; /* List of host addresses */
static linked_list authedcells; /* List of cells already logged to */
@ -388,7 +401,6 @@ cm_SearchCellFile_CallBack(void *rock /* cellconfig */,
#endif /* WINDOWS */
/*
* Log to a cell. If the cell has already been logged to, return without
* doing anything. Otherwise, log to it and mark that it has been logged
@ -532,7 +544,15 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
* a configure option.
*/
strcpy(name, AFSKEY);
#ifdef AFS_RXK5
if(rxk5) {
strcpy(name, AFS_K5_KEY);
} else {
#endif /* AFS_RXK5 */
strcpy(name, AFSKEY);
#ifdef AFS_RXK5
}
#endif
if (AFS_TRY_FULL_PRINC || strcasecmp(cell_to_use, realm_of_cell) != 0) {
strncpy(primary_instance, cell_to_use, sizeof(primary_instance));
@ -600,10 +620,15 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
/*
* The default is to use rxkad2b, which means we put in a full
* V5 ticket. If the user specifies -524, we talk to the
* 524 ticket converter.
* 524 ticket converter. If the user specifies -unwrap, we
* construct a encpart only 2b style ticket.
*/
if (! do524) {
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || defined(HAVE_KRB524_CONVERT_CREDS_KDC)
if (do524 != DO524_YES) {
#else
{
#endif
char *p;
int len;
@ -626,13 +651,32 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
}
memset(&atoken, 0, sizeof(atoken));
atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
if (do524 == DO524_NO)
atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
else
atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
atoken.startTime = v5cred->times.starttime;;
atoken.endTime = v5cred->times.endtime;
memcpy(&atoken.sessionKey, get_cred_keydata(v5cred),
get_cred_keylen(v5cred));
atoken.ticketLen = v5cred->ticket.length;
memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
if (do524 == DO524_NO) {
atoken.ticketLen = v5cred->ticket.length;
memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
} else {
krb5_data enc_part[1];
if (afs_krb5_skip_ticket_wrapper(v5cred->ticket.data,
v5cred->ticket.length,
&enc_part->data, &enc_part->length)) {
fprintf(stderr, "%s: Couldn't decode %s AFS tickets:\n",
progname, cell_to_use);
return(AKLOG_KERBEROS);
}
atoken.ticketLen = enc_part->length;
memcpy(atoken.ticket, enc_part->data, atoken.ticketLen);
}
#if !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC)
}
#else
} else {
CREDENTIALS cred;
@ -668,6 +712,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
atoken.ticketLen = cred.ticket_st.length;
memcpy(atoken.ticket, cred.ticket_st.dat, atoken.ticketLen);
}
#endif
if (!force &&
!ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
@ -812,12 +857,25 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
*/
write(2,"",0); /* dummy write */
#ifndef WINDOWS
if ((status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag))) {
fprintf(stderr,
#ifdef AFS_RXK5
if(rxk5) {
if ((status = ktc_SetK5Token(context, &aserver, v5cred, viceId, afssetpag))) {
fprintf(stderr,
"%s: unable to obtain tokens for cell %s (status: %d).\n",
progname, cell_to_use, status);
status = AKLOG_TOKEN;
status = AKLOG_TOKEN;
}
} else {
#endif /* AFS_RXK5 */
if ((status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag))) {
fprintf(stderr,
"%s: unable to obtain tokens for cell %s (status: %d).\n",
progname, cell_to_use, status);
status = AKLOG_TOKEN;
}
#ifdef AFS_RXK5
}
#endif /* AFS_RXK5 */
#else /* WINDOWS */
/* Note switched 2nd and 3rd args */
if ((status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag))) {
@ -1189,7 +1247,15 @@ static void usage(void)
"[-d] [[-cell | -c] cell [-k krb_realm]] ",
"[[-p | -path] pathname]\n",
" [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] \n"
" [-linked] [-524]\n");
" [-linked]"
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || defined(HAVE_KRB524_CONVERT_CREDS_KDC)
" [-524]"
#endif
#ifdef AFS_RXK5
" [-k5]"
" [-k4]"
#endif
"\n");
fprintf(stderr, " -d gives debugging information.\n");
fprintf(stderr, " krb_realm is the kerberos realm of a cell.\n");
fprintf(stderr, " pathname is the name of a directory to which ");
@ -1201,7 +1267,14 @@ static void usage(void)
fprintf(stderr, " -force means replace identical tickets. \n");
fprintf(stderr, " -linked means if AFS node is linked, try both. \n");
fprintf(stderr, " -setpag set the AFS process authentication group.\n");
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || defined(HAVE_KRB524_CONVERT_CREDS_KDC)
fprintf(stderr, " -524 means use the 524 converter instead of V5 directly\n");
#endif
fprintf(stderr, " -unwrap means do the 524 conversion locally\n");
#ifdef AFS_RXK5
fprintf(stderr, " -k5 means do rxk5 (kernel uses V5 tickets)\n");
fprintf(stderr, " -k4 means do rxkad (kernel uses V4 or 2b tickets)\n");
#endif /* AFS_RXK5 */
fprintf(stderr, " No commandline arguments means ");
fprintf(stderr, "authenticate to the local cell.\n");
fprintf(stderr, "\n");
@ -1255,6 +1328,11 @@ void aklog(int argc, char *argv[])
initialize_ktc_error_table ();
#endif
#ifdef AFS_RXK5
/* Select for rxk5 unless AFS_RXK5_DEFAULT envvar is not 1|yes */
rxk5 = env_afs_rxk5_default() != FORCE_RXKAD;
#endif
/* Initialize list of cells to which we have authenticated */
(void)ll_init(&authedcells);
@ -1274,9 +1352,19 @@ void aklog(int argc, char *argv[])
linked++;
else if (strcmp(argv[i], "-force") == 0)
force++;
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || defined(HAVE_KRB524_CONVERT_CREDS_KDC)
else if (strcmp(argv[i], "-524") == 0)
do524++;
else if (strcmp(argv[i], "-setpag") == 0)
do524 = DO524_YES;
#endif
else if (strcmp(argv[i], "-unwrap") == 0)
do524 = DO524_LOCAL;
#ifdef AFS_RXK5
else if (strcmp(argv[i], "-k4") == 0)
rxk5 = 0;
else if (strcmp(argv[i], "-k5") == 0)
rxk5 = 1;
#endif /* AFS_RXK5 */
else if (strcmp(argv[i], "-setpag") == 0)
afssetpag++;
else if (((strcmp(argv[i], "-cell") == 0) ||
(strcmp(argv[i], "-c") == 0)) && !pmode)
@ -1522,23 +1610,6 @@ void aklog(int argc, char *argv[])
exit(status);
}
#ifndef HAVE_ADD_TO_ERROR_TABLE
#define error_table error_table_compat
#include <afs/error_table.h>
#undef error_table
#ifndef HAVE_ADD_ERROR_TABLE
void add_error_table (const struct error_table *);
#endif /* !HAVE_ADD_ERROR_TABLE */
void
add_to_error_table(struct et_list *new_table)
{
add_error_table((struct error_table *) new_table->table);
}
#endif /* HAVE_ADD_TO_ERROR_TABLE */
static int isdir(char *path, unsigned char *val)
{
struct stat statbuf;
@ -1585,10 +1656,48 @@ static krb5_error_code get_credv5(krb5_context context,
increds.client = client_principal;
increds.times.endtime = 0;
/* Ask for DES since that is what V4 understands */
get_creds_enctype((&increds)) = ENCTYPE_DES_CBC_CRC;
r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
#ifdef AFS_RXK5
if(rxk5) {
/* Get the strongest credentials this KDC can issue for the princ, and the
cache manager supports */
/* Todo: add pioctl GetCapabilities call to fetch the cache-manager supported
enctypes at runtime (skipping this for now, because we know which enctypes
K5SSL supports */
int enc_ix;
int enctypes_pref_order[6] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_DES3_CBC_SHA1,
#ifndef USING_HEIMDAL
#define ENCTYPE_ARCFOUR_HMAC_MD5 ENCTYPE_ARCFOUR_HMAC
#define ENCTYPE_ARCFOUR_HMAC_MD5_56 ENCTYPE_ARCFOUR_HMAC_EXP
#endif
ENCTYPE_ARCFOUR_HMAC_MD5,
ENCTYPE_ARCFOUR_HMAC_MD5_56,
ENCTYPE_DES_CBC_CRC };
for(enc_ix = 0; enc_ix < 6; ++enc_ix) {
get_creds_enctype((&increds)) = enctypes_pref_order[enc_ix];
/* odd name for the ccache var, but apparently, just the usual one */
r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
if(!r) {
if(dflag) {
printf("Successful get_greds_enctype with enctype == %d\n",
enctypes_pref_order[enc_ix]);
}
break;
}
}
} else {
#endif /* AFS_RXK5 */
/* Ask for DES since that is what V4 understands */
get_creds_enctype((&increds)) = ENCTYPE_DES_CBC_CRC;
r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
#ifdef AFS_RXK5
}
#endif /* AFS_RXK5 */
return r;
}
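Review bot: In the `-unwrap` branch of auth_to_cell, `&enc_part->length` is passed where `afs_krb5_skip_ticket_wrapper` takes a `size_t *`; with MIT krb5, where `krb5_data.length` is an `unsigned int`, that is an incompatible pointer and on 64-bit builds the callee writes past the field. The unwrapped length is then copied into the fixed `atoken.ticket` array without being compared against `sizeof(atoken.ticket)`, so an oversized length overruns the token; local `size_t`/`char *` variables plus a length check fix both, and the same two issues recur in klog.c (`&enc_part->length` and the `memcpy` into `atoken->ticket`). Separately, the enctype loop in get_credv5 hard-codes `6` twice; `sizeof(enctypes_pref_order)/sizeof(enctypes_pref_order[0])` keeps the bound tied to the table. auth_to_cell begins and ends outside this hunk.
```c
    } else {
        char *enc_data;
        size_t enc_len;
        if (afs_krb5_skip_ticket_wrapper(v5cred->ticket.data,
                                         v5cred->ticket.length,
                                         &enc_data, &enc_len)
            || enc_len > sizeof(atoken.ticket)) {
            fprintf(stderr, "%s: Couldn't decode %s AFS tickets:\n",
                    progname, cell_to_use);
            return(AKLOG_KERBEROS);
        }
        atoken.ticketLen = enc_len;
        memcpy(atoken.ticket, enc_data, enc_len);
    }
```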


@ -29,7 +29,11 @@
#endif /* HAVE_STRING_H */
#include <afs/stds.h>
#ifdef USING_SSL
#include "k5ssl.h"
#else
#include <krb5.h>
#endif
#include <afs/com_err.h>
#include <afs/cellconfig.h>

734
src/aklog/klog.c Normal file

@ -0,0 +1,734 @@
/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
*
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
*/
#include <afsconfig.h>
#include <afs/param.h>
#include <afs/stds.h>
#include <sys/types.h>
#include <rx/xdr.h>
#ifdef AFS_AIX32_ENV
#include <signal.h>
#endif
#ifdef HAVE_STRING_H
#include <string.h>
#else
#ifdef HAVE_STRINGS_H
#include <strings.h>
#endif
#endif
#include <errno.h>
#include <lock.h>
#include <ubik.h>
#include <stdio.h>
#include <pwd.h>
#if 0
#include <afs/com_err.h>
#endif
#include <afs/auth.h>
#include <afs/afsutil.h>
#include <afs/cellconfig.h>
#include <afs/ptclient.h>
#include <afs/cmd.h>
#ifdef AFS_RXK5
#include "rxk5_utilafs.h"
#else
#include <krb5.h>
#endif
#ifndef USING_HEIMDAL
extern krb5_cc_ops krb5_mcc_ops;
#endif
#include "assert.h"
/* This code borrowed heavily from the previous version of log. Here is the
intro comment for that program: */
/*
log -- tell the Andrew Cache Manager your password
5 June 1985
modified
February 1986
Further modified in August 1987 to understand cell IDs.
Further modified in October 2006 to understand kerberos 5.
*/
/* Current Usage:
klog [principal [password]] [-t] [-c cellname] [-k <k5realm>]
where:
principal is of the form 'name' or 'name@cell' which provides the
cellname. See the -c option below.
password is the user's password. This form is NOT recommended for
interactive users.
-t advises klog to write a Kerberos style ticket file in /tmp.
-c identifies cellname as the cell in which authentication is to take
place.
-k identifies an alternate kerberos realm to use provide
authentication services for the cell.
*/
#define KLOGEXIT(code) rx_Finalize(); \
(exit(!!code))
extern int CommandProc(struct cmd_syndesc *as, char *arock);
static int zero_argc;
static char **zero_argv;
static krb5_context k5context;
static struct afsconf_dir *tdir;
static int always_evil = 2; /* gcc optimizes 0 into bss. fools. */
int
main(int argc, char *argv[])
{
struct cmd_syndesc *ts;
afs_int32 code;
#ifdef AFS_AIX32_ENV
/*
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
struct sigaction nsa;
sigemptyset(&nsa.sa_mask);
nsa.sa_handler = SIG_DFL;
nsa.sa_flags = SA_FULLDUMP;
sigaction(SIGABRT, &nsa, NULL);
sigaction(SIGSEGV, &nsa, NULL);
#endif
zero_argc = argc;
zero_argv = argv;
ts = cmd_CreateSyntax(NULL, CommandProc, 0,
"obtain Kerberos authentication");
#define aXFLAG 0
#define aPRINCIPAL 1
#define aPASSWORD 2
#define aCELL 3
#define aKRBREALM 4
#define aPIPE 5
#define aSILENT 6
#define aLIFETIME 7
#define aSETPAG 8
#define aTMP 9
#define aNOPRDB 10
#define aUNWRAP 11
#define aK5 12
#define aK4 13
/* in afs 3.0; -x disabled lookups in /etc/passwd.
* that's always true now.
*/
cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0);
cmd_Seek(ts, aPRINCIPAL);
cmd_AddParm(ts, "-principal", CMD_SINGLE, CMD_OPTIONAL, "user name");
cmd_AddParm(ts, "-password", CMD_SINGLE, CMD_OPTIONAL, "user's password");
cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
cmd_AddParm(ts, "-k", CMD_SINGLE, CMD_OPTIONAL, "krb5 realm");
cmd_AddParm(ts, "-pipe", CMD_FLAG, CMD_OPTIONAL,
"read password from stdin");
cmd_AddParm(ts, "-silent", CMD_FLAG, CMD_OPTIONAL, "silent operation");
cmd_AddParm(ts, "-lifetime", CMD_SINGLE, CMD_OPTIONAL,
"ticket lifetime in hh[:mm[:ss]]");
cmd_AddParm(ts, "-setpag", CMD_FLAG, CMD_OPTIONAL,
"Create a new setpag before authenticating");
cmd_AddParm(ts, "-tmp", CMD_FLAG, CMD_OPTIONAL,
"write Kerberos-style ticket file in /tmp");
cmd_AddParm(ts, "-noprdb", CMD_FLAG, CMD_OPTIONAL, "don't consult pt");
cmd_AddParm(ts, "-unwrap", CMD_FLAG, CMD_OPTIONAL, "perform 524d conversion");
#ifdef AFS_RXK5
cmd_AddParm(ts, "-k5", CMD_FLAG, CMD_OPTIONAL, "get rxk5 credentials");
cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL, "get rxkad credentials");
#else
++ts->nParms; /* skip -k5 */
cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0);
#endif
code = cmd_Dispatch(argc, argv);
KLOGEXIT(code);
}
static char *
getpipepass(void)
{
static char gpbuf[BUFSIZ];
/* read a password from stdin, stop on \n or eof */
register int i, tc;
memset(gpbuf, 0, sizeof(gpbuf));
for (i = 0; i < (sizeof(gpbuf) - 1); i++) {
tc = fgetc(stdin);
if (tc == '\n' || tc == EOF)
break;
gpbuf[i] = tc;
}
return gpbuf;
}
void
silent_errors(const char *who,
afs_int32 code,
const char *fmt,
va_list ap)
{
/* ignore and don't print error */
}
#if defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
#define get_princ_str(c, p, n) krb5_princ_component(c, p, n)->data
#define get_princ_len(c, p, n) krb5_princ_component(c, p, n)->length
#define num_comp(c, p) (krb5_princ_size(c, p))
#define realm_data(c, p) krb5_princ_realm(c, p)->data
#define realm_len(c, p) krb5_princ_realm(c, p)->length
#elif defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
#define get_princ_str(c, p, n) krb5_principal_get_comp_string(c, p, n)
#define get_princ_len(c, p, n) strlen(krb5_principal_get_comp_string(c, p, n))
#define num_comp(c, p) ((p)->name.name_string.len)
#define realm_data(c, p) krb5_realm_data(krb5_principal_get_realm(c, p))
#define realm_len(c, p) krb5_realm_length(krb5_principal_get_realm(c, p))
#else
#error "Must have either krb5_princ_size or krb5_principal_get_comp_string"
#endif
#if defined(HAVE_KRB5_CREDS_KEYBLOCK)
#define get_cred_keydata(c) c->keyblock.contents
#define get_cred_keylen(c) c->keyblock.length
#define get_creds_enctype(c) c->keyblock.enctype
#elif defined(HAVE_KRB5_CREDS_SESSION)
#define get_cred_keydata(c) c->session.keyvalue.data
#define get_cred_keylen(c) c->session.keyvalue.length
#define get_creds_enctype(c) c->session.keytype
#else
#error "Must have either keyblock or session member of krb5_creds"
#endif
static int
whoami(struct ktc_token *atoken,
struct afsconf_cell *cellconfig,
struct ktc_principal *aclient,
int *vicep)
{
int scIndex;
int code;
int i;
struct ubik_client *ptconn = 0;
struct rx_securityClass *sc;
struct rx_connection *conns[MAXSERVERS+1];
idlist lids[1];
namelist lnames[1];
char tempname[PR_MAXNAMELEN + 1];
memset(lnames, 0, sizeof *lnames);
memset(lids, 0, sizeof *lids);
scIndex = 2;
sc = rxkad_NewClientSecurityObject(rxkad_auth,
&atoken->sessionKey, atoken->kvno,
atoken->ticketLen, atoken->ticket);
for (i = 0; i < cellconfig->numServers; ++i)
conns[i] = rx_NewConnection(cellconfig->hostAddr[i].sin_addr.s_addr,
cellconfig->hostAddr[i].sin_port, PRSRV, sc, scIndex);
conns[i] = 0;
ptconn = 0;
if ((code = ubik_ClientInit(conns, &ptconn)))
goto Failed;
if (*aclient->instance)
snprintf (tempname, sizeof tempname, "%s.%s",
aclient->name, aclient->instance);
else
snprintf (tempname, sizeof tempname, "%s", aclient->name);
lnames->namelist_len = 1;
lnames->namelist_val = (prname *) tempname;
code = ubik_PR_NameToID(ptconn, 0, lnames, lids);
if (lids->idlist_val) {
*vicep = *lids->idlist_val;
}
Failed:
if (lids->idlist_val) free(lids->idlist_val);
if (ptconn) ubik_ClientDestroy(ptconn);
return code;
}
static void
k5_to_k4_name(krb5_context k5context,
krb5_principal k5princ,
struct ktc_principal *ktcprinc)
{
int i;
switch(num_comp(k5context, k5princ)) {
default:
/* case 2: */
i = get_princ_len(k5context, k5princ, 1);
if (i > MAXKTCNAMELEN-1) i = MAXKTCNAMELEN-1;
memcpy(ktcprinc->instance, get_princ_str(k5context, k5princ, 1), i);
/* fall through */
case 1:
i = get_princ_len(k5context, k5princ, 0);
if (i > MAXKTCNAMELEN-1) i = MAXKTCNAMELEN-1;
memcpy(ktcprinc->name, get_princ_str(k5context, k5princ, 0), i);
/* fall through */
case 0:
break;
}
}
/* save and reuse password. This is necessary to make
* "direct to service" authentication work with most
* flavors of kerberos, when the afs principal has no instance.
*/
struct kp_arg {
char **pp, *pstore;
};
krb5_error_code
klog_prompter(krb5_context context,
void *a,
const char *name,
const char *banner,
int num_prompts,
krb5_prompt prompts[])
{
krb5_error_code code;
int i, type;
#ifdef USING_MIT
krb5_prompt_type *types;
#endif
struct kp_arg *kparg = (struct kp_arg *) a;
code = krb5_prompter_posix(context, a, name, banner, num_prompts, prompts);
if (code) return code;
#ifdef USING_MIT
if ((types = krb5_get_prompt_types(context)))
#endif
for (i = 0; i < num_prompts; ++i) {
#ifndef USING_MIT
type = prompts[i].type;
#else
type = types[i];
#endif
#if 0
printf ("i%d t%d <%.*s>\n", i,
type,
prompts[i].reply->length,
prompts[i].reply->data);
#endif
switch(type) {
case KRB5_PROMPT_TYPE_PASSWORD:
case KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:
memcpy(kparg->pstore, prompts[i].reply->data, prompts[i].reply->length);
kparg->pstore[prompts[i].reply->length] = 0;
*kparg->pp = kparg->pstore;
}
}
return 0;
}
int
CommandProc(struct cmd_syndesc *as, char *arock)
{
krb5_principal princ = 0;
char *cell, *pname, **hrealms, *service;
char service_temp[MAXKTCREALMLEN + 20];
char realm[MAXKTCREALMLEN];
char lrealm[MAXKTCREALMLEN]; /* uppercase copy of local cellname */
krb5_creds incred[1], mcred[1], *outcred = 0, *afscred;
krb5_ccache cc = 0;
krb5_get_init_creds_opt gic_opts[1];
char *tofree, *outname;
int code;
char *what;
int i, dosetpag, evil, noprdb, id;
#ifdef AFS_RXK5
int authtype;
#endif
krb5_data enc_part[1];
time_t lifetime; /* requested ticket lifetime */
krb5_prompter_fct pf = NULL;
char *pass = 0;
char *pa = 0;
struct kp_arg klog_arg[1];
char passwd[BUFSIZ];
struct afsconf_cell cellconfig[1];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int local; /* explicit cell is same a local one */
int writeTicketFile = 0; /* write ticket file to /tmp */
char *reason; /* string describing errors */
tofree = 0;
service = 0;
memset(incred, 0, sizeof *incred);
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
memset(klog_arg, 0, sizeof *klog_arg);
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
if (Silent) {
set_com_err_hook(silent_errors);
}
if ((code = krb5_init_context(&k5context))) {
com_err(rn, code, "while initializing Kerberos 5 library");
KLOGEXIT(code);
}
if ((code = rx_Init(0))) {
com_err(rn, code, "while initializing rx");
KLOGEXIT(code);
}
initialize_U_error_table();
initialize_krb5_error_table();
initialize_RXK_error_table();
initialize_KTC_error_table();
initialize_ACFG_error_table();
initialize_rx_error_table();
if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))",
rn, AFSDIR_CLIENT_ETC_DIRPATH);
KLOGEXIT(1);
}
/* Parse remaining arguments. */
dosetpag = !! as->parms[aSETPAG].items;
Pipe = !! as->parms[aPIPE].items;
writeTicketFile = !! as->parms[aTMP].items;
noprdb = !! as->parms[aNOPRDB].items;
evil = (always_evil&1) || !! as->parms[aUNWRAP].items;
#ifdef AFS_RXK5
authtype = 0;
if (as->parms[aK5].items)
authtype |= FORCE_RXK5;
if (as->parms[aK4].items)
authtype |= FORCE_RXKAD;
if (!authtype)
authtype |= env_afs_rxk5_default();
#endif
cell = as->parms[aCELL].items ? cell = as->parms[aCELL].items->data : 0;
if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) {
if (cell)
com_err(rn, code, "Can't get cell information for '%s'", cell);
else
com_err(rn, code, "Can't get determine local cell!");
KLOGEXIT(code);
}
if (as->parms[aKRBREALM].items) {
code = krb5_set_default_realm(k5context,
(const char *) as->parms[aKRBREALM].items);
if (code) {
com_err(rn, code, "Can't make <%s> the default realm",
as->parms[aKRBREALM].items);
KLOGEXIT(code);
}
}
else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) {
com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n",
cellconfig->hostName[0], cellconfig->name);
KLOGEXIT(code);
} else {
if (hrealms && *hrealms) {
code = krb5_set_default_realm(k5context,
*hrealms);
if (code) {
com_err(rn, code, "Can't make <%s> the default realm",
*hrealms);
KLOGEXIT(code);
}
}
if (hrealms) krb5_free_host_realm(k5context, hrealms);
}
id = getuid();
if (as->parms[aPRINCIPAL].items) {
pname = as->parms[aPRINCIPAL].items->data;
} else {
/* No explicit name provided: use Unix uid. */
struct passwd *pw;
pw = getpwuid(id);
if (pw == 0) {
com_err(rn, 0,
"Can't figure out your name from your user id (%d).", id);
if (!Silent)
fprintf(stderr, "%s: Try providing the user name.\n", rn);
KLOGEXIT(1);
}
pname = pw->pw_name;
}
code = krb5_parse_name(k5context, pname, &princ);
if (code) {
com_err(rn, code, "Can't parse principal <%s>", pname);
KLOGEXIT(code);
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
pass = passwd;
}
if (as->parms[aLIFETIME].items) {
char *life = as->parms[aLIFETIME].items->data;
char *sp; /* string ptr to rest of life */
lifetime = 3600 * strtol(life, &sp, 0); /* hours */
if (sp == life) {
bad_lifetime:
if (!Silent)
fprintf(stderr, "%s: translating '%s' to lifetime failed\n",
rn, life);
return 1;
}
if (*sp == ':') {
life = sp + 1; /* skip the colon */
lifetime += 60 * strtol(life, &sp, 0); /* minutes */
if (sp == life)
goto bad_lifetime;
if (*sp == ':') {
life = sp + 1;
lifetime += strtol(life, &sp, 0); /* seconds */
if (sp == life)
goto bad_lifetime;
if (*sp)
goto bad_lifetime;
} else if (*sp)
goto bad_lifetime;
} else if (*sp)
goto bad_lifetime;
} else
lifetime = 0;
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
strncpy(passwd, getpipepass(), sizeof(passwd));
pass = passwd;
} else {
pf = klog_prompter;
pa = klog_arg;
}
}
service = 0;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
tofree = get_afs_krb5_svc_princ(cellconfig);
snprintf(service_temp, sizeof service_temp, "%s", tofree);
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
if (writeTicketFile)
service = 0;
else
service = service_temp;
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
/* XXX should allow k5 to prompt in most cases -- what about expired pw?*/
krb5_get_init_creds_opt_init(gic_opts);
for (;;) {
code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
service, /* in_tkt_service */
gic_opts);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) break;
#endif
service = "afs";
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
if (service)
com_err(rn, code, "Unable to authenticate to use %s", service);
else if (r)
com_err(rn, code, "Unable to authenticate in realm %s", r);
else
com_err(rn, code, "Unable to authenticate to use cell %s",
cellconfig->name);
if (r) free(r);
KLOGEXIT(code);
}
if (service) {
afscred = incred;
} else {
for (;;writeTicketFile = 0) {
if (writeTicketFile) {
what = "getting default ccache";
code = krb5_cc_default(k5context, &cc);
} else {
what = "krb5_cc_register";
code = krb5_cc_register(k5context, &krb5_mcc_ops, FALSE);
if (code && code != KRB5_CC_TYPE_EXISTS) goto Failed;
what = "krb5_cc_resolve";
code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
if (code) goto Failed;
}
what = "initializing ccache";
code = krb5_cc_initialize(k5context, cc, princ);
if (code) goto Failed;
what = "writing Kerberos ticket file";
code = krb5_cc_store_cred(k5context, cc, incred);
if (code) goto Failed;
if (writeTicketFile)
fprintf(stderr,
"Wrote ticket file to %s\n",
krb5_cc_get_name(k5context, cc));
break;
Failed:
if (code)
com_err(rn, code, what);
if (writeTicketFile) {
if (cc) {
krb5_cc_close(k5context, cc);
cc = 0;
}
continue;
}
KLOGEXIT(code);
}
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
com_err(rn, code, "Unable to parse service <%s>\n", service);
KLOGEXIT(code);
}
if (tofree) { free(tofree); tofree = 0; }
if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
tofree = outname;
else outname = service;
code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
krb5_free_principal(k5context, mcred->server);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) break;
#endif
}
afscred = outcred;
}
if (code) {
com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
struct ktc_principal aserver[1];
int viceid = 555;
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag);
if (code) {
com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
} else
#endif
{
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
memset(atoken, 0, sizeof *atoken);
if (evil) {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data,
afscred->ticket.length, &enc_part->data,
&enc_part->length)) {
com_err(rn, 0, "Can't unwrap %s AFS credential",
cellconfig->name);
KLOGEXIT(1);
}
} else {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
*enc_part = afscred->ticket;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
memcpy(&atoken->sessionKey, get_cred_keydata(afscred),
get_cred_keylen(afscred));
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->name, "afs", 4);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
memset(aclient, 0, sizeof *aclient);
i = realm_len(k5context, afscred->client);
if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1;
memcpy(aclient->cell, realm_data(k5context, afscred->client), i);
if (!noprdb) {
int viceid;
k5_to_k4_name(k5context, afscred->client, aclient);
code = whoami(atoken, cellconfig, aclient, &viceid);
if (code) {
com_err(rn, code, "Can't get your viceid", cellconfig->name);
*aclient->name = 0;
} else
snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid);
}
if (!*aclient->name)
k5_to_k4_name(k5context, afscred->client, aclient);
code = ktc_SetToken(aserver, atoken, aclient, dosetpag);
if (code) {
com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
}
krb5_free_principal(k5context, princ);
krb5_free_cred_contents(k5context, incred);
if (outcred) krb5_free_creds(k5context, outcred);
if (cc)
krb5_cc_close(k5context, cc);
if (tofree) free(tofree);
return 0;
}
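Review bot: `krb5_set_default_realm(k5context, (const char *) as->parms[aKRBREALM].items)` in CommandProc passes the `cmd_item` pointer itself, cast to a string, instead of the realm text, and the following `com_err` prints that same pointer with `%s`; every other parameter read in this function dereferences `->data` (e.g. `as->parms[aCELL].items->data`), so both uses should be `as->parms[aKRBREALM].items->data`. The `afsconf_Open` failure message has a single `%s` but is given `rn` and the path, so it reports the program name as the directory; drop `rn` from the argument list. The rxkad branch copies `enc_part->length` bytes into the fixed `atoken->ticket` array with no comparison against its size, and in the `-unwrap` case `&enc_part->length` is handed to a `size_t *` parameter; a local `size_t` and a length check before the `memcpy` address both. `int viceid = 555;` in the rxk5 branch reads as a placeholder yet is stored into the token as the user's AFS ID; if it is intentional, a comment saying why is warranted.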


@ -19,7 +19,12 @@ static char rcsid_send_to_kdc_c[] =
#endif
#include <afs/stds.h>
#include "aklog.h"
#include "afsconfig.h"
#if USING_SSL
#include "k5ssl/k5ssl.h"
#else
#include <krb5.h>
#endif
#ifndef MAX_HSTNM
#define MAX_HSTNM 100
@ -32,7 +37,12 @@ static char rcsid_send_to_kdc_c[] =
#else /* !WINDOWS */
#include <afs/param.h>
#if 0
#include <afs/cellconfig.h>
#else
/* hack so this builds in clean environment */
#include <auth/cellconfig.p.h>
#endif
#endif /* WINDOWS */
@ -40,6 +50,7 @@ static char rcsid_send_to_kdc_c[] =
#define S_AD_SZ sizeof(struct sockaddr_in)
/* XXX returns static storage, so not thread safe. */
char *afs_realm_of_cell(krb5_context context, struct afsconf_cell *cellconfig)
{
static char krbrlm[REALM_SZ+1];
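Review bot: `#if USING_SSL` tests the macro's value, whereas the companion change in this commit uses `#ifdef USING_SSL`; if the build defines `USING_SSL` with no value, `#if USING_SSL` is a preprocessor error, and if it is undefined both forms silently fall back to `<krb5.h>`, so the two files should agree, `#ifdef USING_SSL` being the safer form. The include path also differs between them (`"k5ssl/k5ssl.h"` here, `"k5ssl.h"` there), which suggests one of the two depends on an include-path flag not visible here. The `#if 0 … #else` around `<afs/cellconfig.h>` leaves a dead include next to a comment calling the replacement a hack; if `<auth/cellconfig.p.h>` is the intended header, say why in the comment and drop the `#if 0` block. `afs_realm_of_cell` starts in this hunk and continues past it.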

119
src/aklog/skipwrap.c Normal file

@ -0,0 +1,119 @@
/*
* Copyright (c) 2006
* The Regents of the University of Michigan
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of the University of
* Michigan is not used in any advertising or publicity
* pertaining to the use or distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* This software is provided as is, without representation
* from the University of Michigan as to its fitness for any
* purpose, and without warranty by the University of
* Michigan of any kind, either express or implied, including
* without limitation the implied warranties of
* merchantability and fitness for a particular purpose. The
* regents of the University of Michigan shall not be liable
* for any damages, including special, indirect, incidental, or
* consequential damages, with respect to any claim arising
* out of or in connection with the use of the software, even
* if it has been or is hereafter advised of the possibility of
* such damages.
*/
#include <afsconfig.h>
#include <afs/param.h>
#include <stdio.h>
#include <aklog.h> /* only for the prototypes */
/* evil hack */
#define SEQUENCE 16
#define CONSTRUCTED 32
#define APPLICATION 64
#define CONTEXT_SPECIFIC 128
static int skip_get_number(char **pp, size_t *lp, int *np)
{
unsigned l;
int r, n, i;
char *p;
l = *lp;
if (l < 1) {
printf ("skip_bad_number: missing number\n");
return -1;
}
p = *pp;
r = (unsigned char)*p;
++p; --l;
if (r & 0x80) {
n = (r&0x7f);
if (l < n) {
printf ("skip_bad_number: truncated number\n");
return -1;
}
r = 0;
for (i = n; --i >= 0; ) {
r <<= 8;
r += (unsigned char)*p;
++p; --l;
}
}
*np = r;
*pp = p;
*lp = l;
return 0;
}
int
afs_krb5_skip_ticket_wrapper(char *tix, size_t tixlen, char **enc, size_t *enclen)
{
char *p = tix;
unsigned l = tixlen;
int code;
int num;
if (l < 1) return -1;
if (*p != (char) (CONSTRUCTED+APPLICATION+1)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l != num) return -1;
if (l < 1) return -1;
if (*p != (char)(CONSTRUCTED+SEQUENCE)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l != num) return -1;
if (l < 1) return -1;
if (*p != (char)(CONSTRUCTED+CONTEXT_SPECIFIC+0)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l < num) return -1;
l -= num; p += num;
if (l < 1) return -1;
if (*p != (char)(CONSTRUCTED+CONTEXT_SPECIFIC+1)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l < num) return -1;
l -= num; p += num;
if (l < 1) return -1;
if (*p != (char)(CONSTRUCTED+CONTEXT_SPECIFIC+2)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l < num) return -1;
l -= num; p += num;
if (l < 1) return -1;
if (*p != (char)(CONSTRUCTED+CONTEXT_SPECIFIC+3)) return -1;
++p; --l;
if ((code = skip_get_number(&p, &l, &num))) return code;
if (l != num) return -1;
*enc = p;
*enclen = l;
return 0;
}
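Review bot: In afs_krb5_skip_ticket_wrapper the remaining length is declared `unsigned l = tixlen;` but skip_get_number takes `size_t *lp` and both reads and writes `*lp`, so on an LP64 build `&l` hands an 8-byte pointer to a 4-byte object: `l = *lp;` picks up whatever sits beyond l on the stack and `*lp = l;` overwrites it; declare `size_t l = tixlen;` in the caller and `size_t l;` in skip_get_number so the types agree. The long-form length loop in skip_get_number accumulates into an `int` for up to 127 bytes (`n = r & 0x7f`), so a length-of-length above four shifts into undefined signed overflow and can produce a negative `num`; since this routine walks ticket bytes the program did not produce itself, add `if (n > 4) return -1;` before the loop and `if (r < 0) return -1;` after it. The diagnostic `printf` calls belong on stderr or should go entirely, as the -1 return already tells the caller the wrapper was malformed, and they are labelled `skip_bad_number` although the function is skip_get_number.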


@ -15,7 +15,7 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
CFLAGS=-I. -I${srcdir} ${OPTMZ} -I${TOP_OBJDIR}/src/config -I${TOP_INCDIR} ${XCFLAGS} ${ARCHFLAGS}
CFLAGS=-I. -I${srcdir} ${OPTMZ} -I${TOP_OBJDIR}/src/config -I${TOP_INCDIR} -I${TOP_SRCDIR} $(KRB5CFLAGS) ${XCFLAGS} ${ARCHFLAGS}
all: ${TOP_LIBDIR}/libaudit.a ${TOP_INCDIR}/afs/audit.h


@ -30,6 +30,12 @@ RCSID
#include "afs/afsint.h"
#include <rx/rx.h>
#include <rx/rxkad.h>
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include <rx/rxk5errors.h>
#include <auth/cellconfig.p.h>
#include <afs/rxk5_utilafs.h>
#endif
#include "audit.h"
#include "lock.h"
#ifdef AFS_AIX32_ENV
@ -324,6 +330,9 @@ osi_audit_internal(char *audEvent, /* Event name (15 chars or less) */
break;
case KANOAUTH: /* kautils.h */
case RXKADNOAUTH: /* rxkad.h */
#ifdef AFS_RXK5
case RXK5NOAUTH: /* rxk5errors.h*/
#endif
result = AUDIT_FAIL_AUTH;
break;
case EPERM: /* errno.h */
@ -493,7 +502,28 @@ osi_auditU(struct rx_call *call, char *audEvent, int errCode, ...)
}
strcpy(afsName, vname);
}
} else { /* Unauthenticated & unknown */
}
#ifdef AFS_RXK5
else if (secClass == 5) { /* authenticated rxk5 */
/* TODO: review this */
char *rxk5_princ;
int lvl, expires, kvno, enctype;
afs_int32 rxk5_auth_r = 0;
if (code = rxk5_GetServerInfo(conn, &lvl,
&expires, &rxk5_princ, &kvno,
&enctype)) {
osi_audit("AFS_Aud_NoAFSId (rxk5)", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--NoName--");
} else {
memset(afsName, 0, MAXKTCNAMELEN);
strncpy(afsName, rxk5_princ, MAXKTCNAMELEN);
}
}
#endif
else { /* Unauthenticated & unknown */
osi_audit("AFS_Aud_UnknSec", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--Unknown--");
}
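Review bot: The rxk5 branch copies the principal with `strncpy(afsName, rxk5_princ, MAXKTCNAMELEN);` immediately after zeroing exactly MAXKTCNAMELEN bytes, so a principal of MAXKTCNAMELEN or more characters leaves afsName without a terminator for whatever reads it afterwards (afsName is declared outside the hunk, so its real size should be confirmed); `strncpy(afsName, rxk5_princ, MAXKTCNAMELEN - 1);` keeps the final NUL. `if (code = rxk5_GetServerInfo(...))` is an assignment used as a condition and should read `if ((code = rxk5_GetServerInfo(...)))` to state the intent and silence the compiler. rxk5_princ is handed back by rxk5_GetServerInfo and never released here; if that call allocates the string (not visible in this hunk) the success path leaks it on every audited call. The `/* TODO: review this */` marker should either be resolved or say what is still in doubt before the branch ships.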


@ -6,3 +6,5 @@ cellconfig.h
copyauth
ktc_errors.c
setkey
afs_token.h
afs_token.xdr.c


@ -8,19 +8,30 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
CFLAGS=$(COMMON_CFLAGS) $(KRB5CFLAGS) $(XCFLAGS)
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
KRB5LIBS=@KRB5LIBS@
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
@ENABLE_RXK5@K5OBJS=rxk5_utilafs.o rxk5_tkt.o
KADOBJS=rxkad_tkt.o
OBJS= cellconfig.o ktc.o userok.o writeconfig.o authcon.o \
acfg_errors.o ktc_errors.o
acfg_errors.o ktc_errors.o afs_token.xdr.o $(K5OBJS) $(KADOBJS)
KOBJS= cellconfig.o ktc.krb.o userok.o writeconfig.o authcon.o \
acfg_errors.o ktc_errors.o
acfg_errors.o ktc_errors.o afs_token.xdr.o $(K5OBJS) $(KADOBJS)
LIBS=libauth.a ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librxkad.a ${RXK5} ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/util.a
INCLS=cellconfig.h auth.h keys.h
${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/util.a \
${RXK5} ${TOP_LIBDIR}/librx.a
INCLS=cellconfig.h auth.h keys.h afs_token.h afs_token_protos.h
KSRCS=auth.h
UKSRCS=${KSRCS} cellconfig.h acfg_errors.c keys.h cellconfig.c \
ktc.c authcon.c ktc_errors.c
ktc.c authcon.c ktc_errors.c afs_token.xdr.c afs_token.h \
afs_token_protos.h
all: \
${TOP_LIBDIR}/libauth.a \
@ -30,7 +41,12 @@ all: \
setkey
depinstall: \
${TOP_INCDIR}/afs/rxk5_tkt.h \
${TOP_INCDIR}/afs/rxk5_utilafs.h \
${TOP_INCDIR}/afs/keys.h \
${TOP_INCDIR}/afs/afs_token.h \
${TOP_INCDIR}/afs/afs_token_protos.h \
afs_token.xdr.c \
${TOP_INCDIR}/afs/cellconfig.h \
${TOP_INCDIR}/afs/auth.h \
${TOP_INCDIR}/afs/ktc.h
@ -58,7 +74,8 @@ libauth.krb.a: $(KOBJS) AFS_component_version_number.o
$(RANLIB) $@
copyauth: copyauth.o ${LIBS}
$(CC) $(CFLAGS) -o copyauth copyauth.o ${LIBS} ${XLIBS}
$(CC) $(CFLAGS) -o copyauth copyauth.o ${LIBS} \
${KRB5LIBS} $(LIBCOM_ERR) $(XLIBS)
setkey: setkey.o ${LIBS}
${CC} $(CFLAGS) -o setkey setkey.o ${LIBS} ${XLIBS}
@ -75,13 +92,27 @@ ktc_errors.c auth.h: ktc_errors.et auth.p.h
$(RM) -f auth.h ktc_errors.c
${COMPILE_ET} -p ${srcdir} ktc_errors -h auth
@ENABLE_RXK5@AFS_TOKEN_RXK5_DEFINE=-DAFS_RXK5
afs_token.xdr.c: afs_token.xg
$(RXGEN) -c -o afs_token.xdr.c afs_token.xg $(AFS_TOKEN_RXK5_DEFINE)
afs_token.h: afs_token.xg
$(RXGEN) -h -o afs_token.h afs_token.xg $(AFS_TOKEN_RXK5_DEFINE)
afs_token.xdr.o: afs_token.h afs_token.xdr.c
#
# Install targets
#
install: \
${DESTDIR}${libdir}/afs/libauth.a \
${DESTDIR}${libdir}/afs/libauth.krb.a \
${DESTDIR}${includedir}/afs/rxk5_utilafs.h \
${DESTDIR}${includedir}/afs/rxk5_tkt.h \
${DESTDIR}${includedir}/afs/keys.h \
${DESTDIR}${includedir}/afs/afs_token.h \
${DESTDIR}${includedir}/afs/afs_token_protos.h \
${DESTDIR}${includedir}/afs/cellconfig.h \
${DESTDIR}${includedir}/afs/auth.h \
${DESTDIR}${includedir}/afs/ktc.h \
@ -93,8 +124,19 @@ install: \
test:
cd test; $(MAKE)
k5forgetest: k5forgetest.o libauth.a
$(CC) -o k5forgetest k5forgetest.o ${KRB5LIBS} libauth.a
t_unit: t_unit.o libauth.a
$(CC) -o t_unit t_unit.o ${KRB5LIBS} libauth.a
t_name: t_name.o libauth.a
$(CC) -o t_name t_name.o libauth.a ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/libafsutil.a ${KRB5LIBS}
clean:
$(RM) -f *.o *.a copyauth setkey auth.h cellconfig.h acfg_errors.c ktc_errors.c core \
afs_token.xdr.c afs_token.h \
k5forgetest t_unit t_name \
AFS_component_version_number.c
include ../config/Makefile.version
@ -127,6 +169,24 @@ ${TOP_INCDIR}/afs/keys.h: keys.h
${DEST}/include/afs/keys.h: keys.h
${INSTALL} $? $@
${DESTDIR}${includedir}/afs/afs_token.h: afs_token.h
${INSTALL} $? $@
${TOP_INCDIR}/afs/afs_token.h: afs_token.h
${INSTALL} $? $@
${DEST}/include/afs/afs_token.h: afs_token.h
${INSTALL} $? $@
${DESTDIR}${includedir}/afs/afs_token_protos.h: afs_token_protos.h
${INSTALL} $? $@
${TOP_INCDIR}/afs/afs_token_protos.h: afs_token_protos.h
${INSTALL} $? $@
${DEST}/include/afs/afs_token_protos.h: afs_token_protos.h
${INSTALL} $? $@
${DESTDIR}${includedir}/afs/cellconfig.h: cellconfig.h
${INSTALL} $? $@
@ -154,6 +214,24 @@ ${TOP_INCDIR}/afs/ktc.h: ktc.h
${DEST}/include/afs/ktc.h: ktc.h
${INSTALL} $? $@
${DESTDIR}${includedir}/afs/rxk5_tkt.h: rxk5_tkt.h
${INSTALL} $? $@
${TOP_INCDIR}/afs/rxk5_tkt.h: rxk5_tkt.h
${INSTALL} $? $@
${DEST}/include/afs/rxk5_tkt.h: rxk5_tkt.h
${INSTALL} $? $@
${DESTDIR}${includedir}/afs/rxk5_utilafs.h: rxk5_utilafs.h
${INSTALL} $? $@
${TOP_INCDIR}/afs/rxk5_utilafs.h: rxk5_utilafs.h
${INSTALL} $? $@
${DEST}/include/afs/rxk5_utilafs.h: rxk5_utilafs.h
${INSTALL} $? $@
${DESTDIR}${sbindir}/copyauth: copyauth
${INSTALL} $? $@
@ -163,7 +241,11 @@ ${DEST}/etc/copyauth: copyauth
dest: \
${DEST}/lib/afs/libauth.a \
${DEST}/lib/afs/libauth.krb.a \
${DEST}/include/afs/rxk5_utilafs.h \
${DEST}/include/afs/rxk5_tkt.h \
${DEST}/include/afs/keys.h \
${DEST}/include/afs/afs_token.h \
${DEST}/include/afs/afs_token_protos.h \
${DEST}/include/afs/cellconfig.h \
${DEST}/include/afs/auth.h \
${DEST}/include/afs/ktc.h \
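Review bot: The k5forgetest and t_unit link lines list `${KRB5LIBS}` before `libauth.a`, the opposite order from the copyauth rule (which puts `${KRB5LIBS}` after `${LIBS}`) and from t_name; when KRB5LIBS expands to static archives, or the linker runs with `--as-needed`, libauth.a's Kerberos references are resolved only after the krb5 libraries have already been scanned and the link fails. They also omit `$(CFLAGS)` and `${XLIBS}`, which the copyauth and setkey rules pass; `$(CC) $(CFLAGS) -o k5forgetest k5forgetest.o libauth.a ${KRB5LIBS} ${XLIBS}` (and likewise for t_unit) matches the rest of the file. The `$(RXGEN)` recipes spell out `afs_token.xdr.c`, `afs_token.h` and `afs_token.xg` by hand where `$@` and `$<` would keep recipe and target in step. No source or rule for t_unit or t_name appears in this section, so those two targets may be dead even though `clean` knows about them.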

136
src/auth/afs_token.xg Normal file

@ -0,0 +1,136 @@
/*
* Copyright (c) 2006
* The Regents of the University of Michigan
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of the University of
* Michigan is not used in any advertising or publicity
* pertaining to the use or distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* This software is provided as is, without representation
* from the University of Michigan as to its fitness for any
* purpose, and without warranty by the University of
* Michigan of any kind, either express or implied, including
* without limitation the implied warranties of
* merchantability and fitness for a particular purpose. The
* regents of the University of Michigan shall not be liable
* for any damages, including special, indirect, incidental, or
* consequential damages, with respect to any claim arising
* out of or in connection with the use of the software, even
* if it has been or is hereafter advised of the possibility of
* such damages.
*/
#if 1 /* AFS_RXKAD */
/*
* this is an rx grammar that looks something
* like the thing afs uses to store clear tokens
* into the kernel.
*/
/* since this is a const, it will show up in rxkad_token.h */
const MAX_TICKET = 12000; /* not 344 */
/* since this is a define, it won't get copied into rxkad_token.h */
#define MAX_CELL 64
/* this structure was probably used with rxvab */
struct n_clear_token {
int kvno;
opaque m_key[8];
int viceid;
int begintime;
int endtime;
};
/* and here is all but the cellnumber machinery of what
* rxkad gettoken/settoken handle
* note that ticket & cell_name are variable sized so will
* contain pointers to allocated storage. (look at old.hy to
* see what happens.)
* clear_token is not a primitive type but uses the immediately
* preceeding logic to handle it; maybe that's what you
* really meant by 'stackable'.
*/
struct rxkad_token {
opaque ticket<MAX_TICKET>;
n_clear_token token;
int primary_flag;
string cell_name<MAX_CELL>;
};
#endif /* AFS_RXKAD */
#ifdef AFS_RXK5
/* these turn into #defines */
const MAX_COMPONENTS = 16;
const MAX_NAME = 128;
const MAX_REALM = 64;
const MAX_STRING = 256;
const MAX_K5_TICKET = 16384;
const MAX_KEY_LENGTH = 64;
/* new token flags */
const KTC_EX_SETPAG = 0x00000001; /* set tokens in new pag */
/* some things that look like heimdal/mit/... */
/* we could use the real heimdal/mit types in core yet use the same
* wire format when serialized -- if we wanted to write xdr by hand.
* look at fun.xdr.c xdr_k5_principal to see what xdr calls we have to make
* to get the same wire format; the rest is just munging field names & stuff.
* but careful if you do this! krb5_principal is a pointer and that has
* a number of subtle but important implications. "k5_principal" here is
* really much more like MIT's "krb5_principal_data" type.
*/
typedef string component<MAX_STRING>;
struct rxk5_principal {
component name<MAX_COMPONENTS>;
string realm<MAX_REALM>;
};
struct rxk5_key {
int keytype;
opaque m_key<MAX_KEY_LENGTH>;
};
/* this is the data format_afs_krb5_creds_buf handles */
struct rxk5_token {
int viceid;
rxk5_principal server;
rxk5_principal client;
rxk5_key session;
int authtime;
int starttime;
int endtime;
int flags;
opaque k5ticket<MAX_K5_TICKET>;
};
#endif
const CU_NOAUTH = 0;
const CU_KAD = 2;
const CU_K5 = 5;
const MAX_CELL_CHARS = 64;
union cu switch (int cu_type) {
case CU_KAD:
rxkad_token cu_kad;
#ifdef AFS_RXK5
case CU_K5:
rxk5_token cu_rxk5;
#endif
default:
int cu_dummy;
};
struct afs_token {
int flags;
int nextcellnumber;
string cell<MAX_CELL_CHARS>;
cu cu[1];
};
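Review bot: The comments beside `const MAX_TICKET = 12000;` and `#define MAX_CELL 64` say which values do and do not land in `rxkad_token.h`, but this grammar is generated into `afs_token.h` by the src/auth Makefile in this same commit, so both comments should name `afs_token.h`. `#if 1 /* AFS_RXKAD */` is an unconditional block dressed up as a feature test; either make it `#ifdef AFS_RXKAD` with a matching define, or drop the `#if` and keep the comment. The field `cu cu[1];` in afs_token shares its name with its type and is a one-element array rather than a plain member; a short comment saying the array form is chosen so callers can write `a_token->cu->cu_type` (as ktc.c in this commit does) would spare the next reader the guesswork.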


@ -0,0 +1,55 @@
#ifndef AFS_TOKEN_PROTOS_H
#define AFS_TOKEN_PROTOS_H
#ifdef KERNEL
/*
* Format new-style afs_token using rxkad credentials
* as stored in the cache manager. Caller frees returned memory
* (of size bufsize).
*/
int make_afs_token_rxkad_k(
char *cell,
n_clear_token *pct,
char* stp,
afs_int32 stLen,
afs_int32 primary_flag,
afs_token **a_token /* out */);
#else /* !KERNEL */
/*
* Format new-style afs_token using rxkad credentials,
* caller frees returned memory (of size bufsize).
*/
int make_afs_token_rxkad(
char *cell,
afs_int32 viceid,
struct ktc_token *k_token,
afs_int32 primary_flag,
afs_token **a_token /* out */);
#endif /* !KERNEL */
/*
* Convert afs_token to XDR-encoded token stream, which is returned
* in buf (at most of size bufsize).
*/
int encode_afs_token(
afs_token *a_token,
void *buf /* in */,
int *bufsize /* inout */);
/*
* Converts encoded token stream to an afs_token, which is returned
* in a_token. Caller must free.
*/
int parse_afs_token(
void* token_buf,
int token_size,
afs_token **a_token);
/*
* Free afs_token variant using XDR logic
*/
int free_afs_token(
afs_token *a_token);
#endif /* AFS_TOKEN_PROTOS_H */
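Review bot: The header comments on make_afs_token_rxkad_k and make_afs_token_rxkad both say the caller frees memory "of size bufsize", but neither function has a bufsize parameter — the result is returned through `afs_token **a_token` — so the comment should read `Caller releases *a_token with free_afs_token()`. The encode_afs_token parameter is annotated `void *buf /* in */` while the comment above says the XDR stream is returned in it; that annotation should be `/* out */`, with `bufsize` being in/out as already marked. The header uses `afs_token`, `n_clear_token`, `afs_int32` and `struct ktc_token` without an include or forward declaration, so it only compiles after afs_token.h and the ktc header; a comment at the top stating that include-order requirement (or the includes themselves) would help. make_afs_token_rxk5, which ktc.c in this commit calls, is not declared here — presumably it lives in rxk5_tkt.h, and a cross-reference comment would make that findable.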


@ -48,6 +48,13 @@ RCSID
#include "keys.h"
#include "auth.h"
#endif /* defined(UKERNEL) */
#include <errno.h>
#ifdef AFS_RXK5
#include <rxk5_utilafs.h>
#undef u
#include <rx/rxk5.h>
#endif
/* return a null security object if nothing else can be done */
static afs_int32
@ -63,36 +70,50 @@ QuickAuth(astr, aindex)
}
#if !defined(UKERNEL)
/* Return an appropriate security class and index */
/* Return an appropriate set of security classes and indexes */
/* this is mainly for use by ubik servers */
afs_int32
afsconf_ServerAuth(adir, astr, aindex)
register struct afsconf_dir *adir;
struct rx_securityClass **astr;
afs_int32 *aindex;
afsconf_ServerAuth(struct afsconf_dir *adir,
struct rx_securityClass **sc,
afs_int32 maxindex)
{
register struct rx_securityClass *tclass;
int i, r;
LOCK_GLOBAL_MUTEX;
tclass = (struct rx_securityClass *)
rxkad_NewServerSecurityObject(0, adir, afsconf_GetKey, NULL);
if (tclass) {
*astr = tclass;
*aindex = 2; /* kerberos security index */
UNLOCK_GLOBAL_MUTEX;
return 0;
} else {
UNLOCK_GLOBAL_MUTEX;
return 2;
r = 0;
if (maxindex
&& (sc[0] = rxnull_NewServerSecurityObject())) {
if (!r) r = 1;
}
#ifdef AFS_RXK5
if (maxindex > 5
&& have_afs_rxk5_keytab(adir->name)
&& (sc[5] = rxk5_NewServerSecurityObject(rxk5_auth,
get_afs_rxk5_keytab(adir->name),
rxk5_default_get_key, 0, 0))) {
if (r < 6) r = 6;
} else
#endif
if (maxindex > 2
#ifdef AFS_RXK5
&& have_afs_keyfile(adir)
#endif
&& (sc[2] = rxkad_NewServerSecurityObject(0, (char *) adir,
afsconf_GetKey, NULL))) {
if (r < 3) r = 3;
}
UNLOCK_GLOBAL_MUTEX;
return r;
}
#endif /* !defined(UKERNEL) */
static afs_int32
GenericAuth(adir, astr, aindex, enclevel)
GenericAuth(adir, astr, aindex, flags)
struct afsconf_dir *adir;
struct rx_securityClass **astr;
afs_int32 *aindex;
rxkad_level enclevel;
afs_int32 flags;
{
char tbuffer[256];
struct ktc_encryptionKey key, session;
@ -100,9 +121,45 @@ GenericAuth(adir, astr, aindex, enclevel)
afs_int32 kvno;
afs_int32 ticketLen;
register afs_int32 code;
rxkad_level enclevel;
#ifdef AFS_RXK5
krb5_creds *k5_creds, in_creds[1];
krb5_context k5context;
#endif
enclevel = (flags & FORCE_SECURE) ? rxkad_crypt : rxkad_clear;
if (!(flags & (FORCE_RXK5|FORCE_RXKAD)))
flags |= (FORCE_RXK5|FORCE_RXKAD);
#ifdef AFS_RXK5
if((flags & FORCE_RXK5) && have_afs_rxk5_keytab(adir->name)) {
k5context = rxk5_get_context(0);
/* forge credentials using the k5 key of afs */
memset(in_creds, 0, sizeof *in_creds);
code = default_afs_rxk5_forge(k5context, adir, 0, in_creds);
if(code) {
return code;
}
k5_creds = in_creds;
/* enclevel could be 0 or 2. set output to be auth or crypt. */
tclass = rxk5_NewClientSecurityObject(rxk5_auth + (enclevel==rxkad_crypt),
k5_creds, 0);
*astr = tclass;
*aindex = 5;
goto out;
}
#endif
/* first, find the right key and kvno to use */
code = afsconf_GetLatestKey(adir, &kvno, &key);
if (flags & FORCE_RXKAD)
code = afsconf_GetLatestKey(adir, &kvno, &key);
else code = EDOM;
if (code) {
return QuickAuth(astr, aindex);
}
@ -136,6 +193,8 @@ GenericAuth(adir, astr, aindex, enclevel)
tbuffer);
*astr = tclass;
*aindex = 2; /* kerberos security index */
out:
return 0;
}
@ -149,7 +208,7 @@ afsconf_ClientAuth(struct afsconf_dir * adir, struct rx_securityClass ** astr,
afs_int32 rc;
LOCK_GLOBAL_MUTEX;
rc = GenericAuth(adir, astr, aindex, rxkad_clear);
rc = GenericAuth(adir, astr, aindex, 0);
UNLOCK_GLOBAL_MUTEX;
return rc;
}
@ -167,7 +226,26 @@ afsconf_ClientAuthSecure(adir, astr, aindex)
afs_int32 rc;
LOCK_GLOBAL_MUTEX;
rc = GenericAuth(adir, astr, aindex, rxkad_crypt);
rc = GenericAuth(adir, astr, aindex, FORCE_SECURE);
UNLOCK_GLOBAL_MUTEX;
return rc;
}
/* build a fake ticket for 'afs' using keys from adir, returning an
* appropriate security class and index. This one, unlike the above,
* tells rxkad to encrypt the data, too.
*/
afs_int32
afsconf_ClientAuthEx(adir, astr, aindex, flags)
struct afsconf_dir *adir;
struct rx_securityClass **astr;
afs_int32 *aindex;
afs_int32 flags;
{
afs_int32 rc;
LOCK_GLOBAL_MUTEX;
rc = GenericAuth(adir, astr, aindex, flags);
UNLOCK_GLOBAL_MUTEX;
return rc;
}
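Review bot: afsconf_ServerAuth returns `r` as the number of usable slots in `sc[]`, but only sc[0], sc[2] and (under AFS_RXK5) sc[5] are ever assigned, so sc[1], sc[3] and sc[4] keep whatever the caller left there; a `memset(sc, 0, maxindex * sizeof *sc);` right after `r = 0;` plus a comment stating that unused slots are NULL would make the count honest. The `} else` following the rxk5 block means a server that has an rxk5 keytab never registers the rxkad class even when have_afs_keyfile() is true, which reads as an rxk5-only cutover rather than the "set of security classes" the new comment promises; if that is intended the comment should say so, otherwise the `else` should go so both classes are offered during a migration. In GenericAuth the rxk5 path hands the stack-allocated `in_creds` to rxk5_NewClientSecurityObject and then returns; unless that object copies the credentials (not visible here) the security object is left holding a dangling pointer. The comment added above afsconf_ClientAuthEx was copied from afsconf_ClientAuthSecure and still says it "tells rxkad to encrypt the data, too"; it should describe the FORCE_* flags it forwards to GenericAuth. GenericAuth's body spans several hunks and its tail is outside this section.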


@ -18,6 +18,7 @@ RCSID
#ifdef UKERNEL
#include "afs/sysincludes.h"
#include "afsincludes.h"
#include "rx/rxkad.h"
#else /* UKERNEL */
#include <sys/types.h>
#ifdef AFS_NT40_ENV
@ -59,6 +60,7 @@ RCSID
#endif
#endif /* UKERNEL */
#include <afs/afsutil.h>
#include <rx/rxkad.h>
#include "cellconfig.h"
#include "keys.h"
#ifdef AFS_NT40_ENV
@ -251,7 +253,6 @@ afsconf_FindService(register const char *aname)
static int
TrimLine(char *abuffer)
{
char tbuffer[256];
register char *tp;
register int tc;
@ -261,8 +262,8 @@ TrimLine(char *abuffer)
break;
tp++;
}
strcpy(tbuffer, tp);
strcpy(abuffer, tbuffer);
if (tp != abuffer)
memmove(abuffer, tp, strlen(tp) + 1);
return 0;
}
@ -1282,7 +1283,9 @@ afsconf_GetKeys(struct afsconf_dir *adir, struct afsconf_keys *astr)
/* get latest key */
afs_int32
afsconf_GetLatestKey(struct afsconf_dir * adir, afs_int32 * avno, char *akey)
afsconf_GetLatestKey(struct afsconf_dir * adir,
afs_int32 * avno,
struct ktc_encryptionKey *akey)
{
register int i;
int maxa;
@ -1311,7 +1314,7 @@ afsconf_GetLatestKey(struct afsconf_dir * adir, afs_int32 * avno, char *akey)
}
if (bestk) { /* found any */
if (akey)
memcpy(akey, bestk->key, 8); /* copy out latest key */
memcpy(akey->data, bestk->key, 8); /* copy out latest key */
if (avno)
*avno = bestk->kvno; /* and kvno to caller */
UNLOCK_GLOBAL_MUTEX;
@ -1321,13 +1324,32 @@ afsconf_GetLatestKey(struct afsconf_dir * adir, afs_int32 * avno, char *akey)
return AFSCONF_NOTFOUND; /* didn't find any keys */
}
/* see if we have a keyfile (so should still do rxkad on the server) */
int
have_afs_keyfile(struct afsconf_dir *adir)
{
register int maxa;
register afs_int32 code;
LOCK_GLOBAL_MUTEX;
if ((code = afsconf_Check(adir))) {
UNLOCK_GLOBAL_MUTEX;
return 0;
}
maxa = adir->keystr->nkeys;
UNLOCK_GLOBAL_MUTEX;
return !!maxa;
}
/* get a particular key */
int
afsconf_GetKey(struct afsconf_dir *adir, afs_int32 avno, char *akey)
afsconf_GetKey(void *rock, afs_int32 avno, struct ktc_encryptionKey *akey)
{
register int i, maxa;
register struct afsconf_key *tk;
register afs_int32 code;
struct afsconf_dir *adir = rock;
LOCK_GLOBAL_MUTEX;
code = afsconf_Check(adir);
@ -1339,7 +1361,7 @@ afsconf_GetKey(struct afsconf_dir *adir, afs_int32 avno, char *akey)
for (tk = adir->keystr->key, i = 0; i < maxa; i++, tk++) {
if (tk->kvno == avno) {
memcpy(akey, tk->key, 8);
memcpy(akey->data, tk->key, 8);
UNLOCK_GLOBAL_MUTEX;
return 0;
}
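Review bot: afsconf_GetKey now takes `void *rock` and silently casts it back with `struct afsconf_dir *adir = rock;`; the only thing making that safe is the convention that it is registered as the rxkad get_key callback with the afsconf_dir as rock (as authcon.c does in this commit), so that line deserves `/* rock is the struct afsconf_dir * given to rxkad_NewServerSecurityObject */`. have_afs_keyfile stores the afsconf_Check result in `code` only to test it, and then reads `adir->keystr->nkeys` on the assumption that a successful check leaves keystr populated — plausible, but a one-line comment stating that dependency would help whoever next touches afsconf_Check. TrimLine's closing lines are outside the hunk.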


@ -28,6 +28,11 @@ Creation date:
#ifndef __CELLCONFIG_AFS_INCL_
#define __CELLCONFIG_AFS_INCL_ 1
#define FORCE_NOAUTH 1
#define FORCE_SECURE 2
#define FORCE_RXKAD 256
#define FORCE_RXK5 512
#ifndef IPPROTO_MAX
/* get sockaddr_in */
#ifdef AFS_NT40_ENV
@ -124,10 +129,11 @@ extern int afsconf_Close(struct afsconf_dir *adir);
extern int afsconf_IntGetKeys(struct afsconf_dir *adir);
extern int afsconf_GetKeys(struct afsconf_dir *adir,
struct afsconf_keys *astr);
struct ktc_encryptionKey;
extern afs_int32 afsconf_GetLatestKey(struct afsconf_dir *adir,
afs_int32 * avno, char *akey);
extern int afsconf_GetKey(struct afsconf_dir *adir, afs_int32 avno,
char *akey);
afs_int32 * avno, struct ktc_encryptionKey *akey);
extern int afsconf_GetKey(void *adir, afs_int32 avno,
struct ktc_encryptionKey *akey);
extern int afsconf_AddKey(struct afsconf_dir *adir, afs_int32 akvno,
char akey[8], afs_int32 overwrite);
extern int afsconf_DeleteKey(struct afsconf_dir *adir, afs_int32 akvno);
@ -136,8 +142,18 @@ struct rx_securityClass;
extern afs_int32 afsconf_ClientAuth(struct afsconf_dir *adir,
struct rx_securityClass **astr,
afs_int32 * aindex);
extern afs_int32 afsconf_ClientAuthEx(struct afsconf_dir *adir,
struct rx_securityClass **astr,
afs_int32 * aindex,
afs_int32 flags);
extern afs_int32 afsconf_ServerAuth(struct afsconf_dir *,
struct rx_securityClass **,
afs_int32);
struct rx_call;
extern int afsconf_CheckAuth(void *,
struct rx_call *);
/* some well-known ports and their names; new additions to table in cellconfig.c, too */
#define AFSCONF_FILESERVICE "afs"
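Review bot: The four FORCE_* constants arrive without a word on what they select: `FORCE_NOAUTH 1` and `FORCE_SECURE 2` look like protection-level requests while `FORCE_RXKAD 256` and `FORCE_RXK5 512` pick a mechanism, and the gap between the groups suggests they are meant to be OR'ed together; a comment such as `/* afsconf_ClientAuthEx flags: low bits request a protection level, bits 8+ select which mechanism(s) to try; no mechanism bit means try all */` would pin that down (the "try all" part is what GenericAuth in this commit does). afsconf_ServerAuth's prototype has lost its parameter names along with the old `*aindex` out-parameter; it now fills an array of security classes up to `maxindex` entries and returns a count, which is a silent contract change for every existing caller and should be spelled out in a comment on the declaration. afsconf_CheckAuth is declared here but no definition appears anywhere in this section.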

92
src/auth/k5forgetest.c Normal file

@ -0,0 +1,92 @@
/*
* Copyright (c) 2005, 2006
* The Linux Box Corporation
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of the Linux Box
* Corporation is not used in any advertising or publicity
* pertaining to the use or distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* Linux Box Corporation is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* This software is provided as is, without representation
* from the Linux Box Corporation as to its fitness for any
* purpose, and without warranty by the Linux Box Corporation
* of any kind, either express or implied, including
* without limitation the implied warranties of
* merchantability and fitness for a particular purpose. The
* regents of the Linux Box Corporation shall not be liable
* for any damages, including special, indirect, incidental, or
* consequential damages, with respect to any claim arising
* out of or in connection with the use of the software, even
* if it has been or is hereafter advised of the possibility of
* such damages.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <time.h>
#include <string.h>
#include "rxk5_utilafs.h"
int main(int argc, char **argv)
{
int code;
char keytab[512];
krb5_context k5context;
krb5_creds *k5creds;
struct stat st;
int stop_here;
int allowed_enctypes[6] = {
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_DES3_CBC_SHA1,
#ifndef USING_HEIMDAL
#define ENCTYPE_ARCFOUR_HMAC_MD5 ENCTYPE_ARCFOUR_HMAC
#define ENCTYPE_ARCFOUR_HMAC_MD5_56 ENCTYPE_ARCFOUR_HMAC_EXP
#endif
ENCTYPE_ARCFOUR_HMAC_MD5,
ENCTYPE_ARCFOUR_HMAC_MD5_56,
ENCTYPE_DES_CBC_CRC };
memset(keytab, 0, 512);
strcpy(keytab, "/usr/local/etc/openafs/server/afs.keytab");
code = stat(keytab, &st);
if((code != 0) || (!S_ISREG(st.st_mode))) {
printf("Can't stat keytab %s\n", keytab);
exit(1);
}
code = krb5_init_context(&k5context);
if(code) {
printf("Error krb5_init_context\n");
exit(2);
}
code = afs_rxk5_k5forge(
k5context,
keytab, "afs-k5@MONKIUS.COM",
"afs-k5@MONKIUS.COM",
time(NULL),
time(NULL),
allowed_enctypes,
0 /* paddress */,
&k5creds /* out */);
krb5_free_creds(k5context, k5creds);
krb5_free_context(k5context);
return 0;
}
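Review bot: The return value of afs_rxk5_k5forge is stored in `code` and then ignored, so when forging fails k5creds is never set and `krb5_free_creds(k5context, k5creds)` frees an uninitialised pointer; add `if (code) { printf("afs_rxk5_k5forge failed: %d\n", code); exit(3); }` before the free. The keytab path and the `afs-k5@MONKIUS.COM` principal are hard-wired to one developer's installation, which makes the program unusable as a regression test anywhere else; they should come from argv (with the current values at most as defaults), and the realm should not be a real third-party domain. `stop_here` is declared and never used, and the `#define` lines inside the `allowed_enctypes` initialiser would read better above the array.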


@ -16,6 +16,14 @@
#include <afs/param.h>
#endif
#include "cellconfig.h"
#ifdef AFS_RXK5
/* this code uses u. ugh. */
#include "rxk5_utilafs.h"
#include "rxk5_tkt.h"
#endif
#include "afs_token.h"
RCSID
("$Header$");
@ -36,6 +44,8 @@ RCSID
#else /* defined(UKERNEL) */
#define afs_osi_Alloc(n) malloc(n)
#define afs_osi_Free(n) free(n)
#ifdef AFS_SUN5_ENV
#include <unistd.h>
#endif
@ -81,7 +91,6 @@ RCSID
#ifdef AFS_KERBEROS_ENV
#include <fcntl.h>
#include <sys/file.h>
#include "cellconfig.h"
static char lcell[MAXCELLCHARS];
#define TKT_ROOT "/tmp/tkt"
@ -250,7 +259,7 @@ static struct {
/* new interface routines to the ticket cache. Only handle afs service right
* now. */
static int
/* static */ int
NewSetToken(aserver, atoken, aclient, flags)
struct ktc_principal *aserver;
struct ktc_principal *aclient;
@ -266,7 +275,7 @@ NewSetToken(aserver, atoken, aclient, flags)
#define MAXPIOCTLTOKENLEN \
(3*sizeof(afs_int32)+MAXKTCTICKETLEN+sizeof(struct ClearToken)+MAXKTCREALMLEN)
static int
/* static */ int
OldSetToken(aserver, atoken, aclient, flags)
struct ktc_principal *aserver, *aclient;
struct ktc_token *atoken;
@ -414,6 +423,123 @@ OldSetToken(aserver, atoken, aclient, flags)
return 0;
}
int
ktc_SetTokenEx(afs_token *a_token)
{
#ifndef MAX_RXK5_TOKEN_LEN
#define MAX_RXK5_TOKEN_LEN 4096
#endif
struct ViceIoctl iob;
register afs_int32 code;
char creds[MAX_RXK5_TOKEN_LEN];
afs_int32 creds_len;
creds_len = MAX_RXK5_TOKEN_LEN;
code = encode_afs_token(
a_token,
creds,
&creds_len);
if (code) return code;
/* now setup for the pioctl */
iob.in = creds;
iob.in_size = creds_len;
iob.out = creds;
iob.out_size = creds_len;
code = PIOCTL(0, VIOC_SETTOKNEW , &iob, 0);
if (code == -1 && errno == EINVAL && a_token->cu->cu_type == CU_KAD) {
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
afs_int32 flags;
memset(aserver, 0, sizeof *aserver);
memset(aclient, 0, sizeof *aclient);
memset(atoken, 0, sizeof *atoken);
code = afstoken_to_token(a_token, atoken, sizeof *atoken);
flags = a_token->cu->cu_u.cu_kad.primary_flag & ~0x8000;
strcpy(aserver->name, "afs");
strcpy(aserver->cell, a_token->cell);
strcpy(aclient->cell, a_token->cu->cu_u.cu_kad.cell_name);
if ((atoken->kvno == 999) || /* old style bcrypt ticket */
(atoken->startTime && /* new w/ prserver lookup */
(((atoken->endTime - atoken->startTime) & 1) == 1))) {
sprintf(aclient->name, "AFS ID %d", a_token->cu->cu_u.cu_kad.token.viceid);
} else {
sprintf(aclient->name, "Unix UID %d", a_token->cu->cu_u.cu_kad.token.viceid);
}
return ktc_SetToken(aserver, atoken, aclient, flags);
}
if (code)
return KTC_PIOCTLFAIL;
return 0;
}
#ifdef AFS_RXK5
/* Set a K5 token (internal) */
/* static */ int
OldSetK5Token(krb5_context context, struct ktc_principal *aserver,
krb5_creds *v5cred, afs_int32 viceId, afs_int32 flags)
{
struct ViceIoctl iob;
register afs_int32 code;
register char *tp;
afs_token *a_token;
code = make_afs_token_rxk5(
context,
aserver->cell,
viceId, /* deprecated */
v5cred,
&a_token);
if(code) return code;
code = ktc_SetTokenEx(a_token);
free_afs_token(a_token);
return code;
}
/* Set a K5 token */
afs_int32 ktc_SetK5Token(context, aserver, v5cred, viceId, flags)
krb5_context context;
struct ktc_principal *aserver;
krb5_creds* v5cred;
afs_int32 viceId;
afs_int32 flags;
{
int ncode, ocode;
/* ncode = NewSetToken(aserver, atoken, aclient, flags); */
if ( 1 || ncode || /* new style failed */
(strcmp(aserver->name, "afs") == 0)) { /* for afs tokens do both */
ocode = OldSetK5Token(context, aserver, v5cred, viceId, flags);
} else
ocode = 0;
if (ncode && ocode) {
UNLOCK_GLOBAL_MUTEX;
if (ocode == -1)
ocode = errno;
else if (ocode == KTC_PIOCTLFAIL)
ocode = errno;
if (ocode == ESRCH)
return KTC_NOCELL;
if (ocode == EINVAL)
return KTC_NOPIOCTL;
if (ocode == EIO)
return KTC_NOCM;
return KTC_PIOCTLFAIL;
}
UNLOCK_GLOBAL_MUTEX;
return 0;
}
#endif /* AFS_RXK5 */
ktc_SetToken(aserver, atoken, aclient, flags)
struct ktc_principal *aserver;
@ -484,6 +610,195 @@ ktc_SetToken(aserver, atoken, aclient, flags)
return 0;
}
/*
* Get AFS token at index ix, using new kernel token interface.
*/
int
ktc_GetTokenEx(afs_int32 index, char *cell,
afs_token **a_token)
{
struct ViceIoctl iob;
char tbuffer[MAXPIOCTLTOKENLEN];
afs_int32 code;
register char *tp;
afs_token *r = 0;
LOCK_GLOBAL_MUTEX;
if (cell) {
int len;
len = strlen(cell) + 1;
tp = tbuffer;
memcpy(tp, (char*)&index, sizeof(afs_int32));
tp += sizeof(afs_int32);
memcpy(tp, cell, len);
tp += len;
iob.in = tbuffer;
iob.in_size = tp - tbuffer;
} else {
iob.in = (char *)&index;
iob.in_size = sizeof(afs_int32);
}
iob.out = tbuffer;
iob.out_size = sizeof(tbuffer);
code = PIOCTL(0, VIOC_GETTOKNEW , &iob, 0);
if (code == -1 && errno == EINVAL) {
char *stp, *cellp; /* secret token ptr */
afs_int32 temp, primflag;
int tktLen; /* server ticket length */
struct ClearToken ct;
/* new interace isn't in kernel? fall back to old */
iob.in = (char *)&index;
iob.in_size = sizeof(afs_int32);
for (;;) {
code = PIOCTL(0, VIOCGETTOK, &iob, 0);
if (code) goto Failed;
/* token retrieved; parse buffer */
tp = tbuffer;
/* get ticket length */
memcpy(&temp, tp, sizeof(afs_int32));
tktLen = temp;
tp += sizeof(afs_int32);
/* remember where ticket is and skip over it */
stp = tp;
tp += tktLen;
/* get size of clear token and verify */
memcpy(&temp, tp, sizeof(afs_int32));
if (temp != sizeof(struct ClearToken)) {
code = KTC_ERROR;
goto Done;
}
tp += sizeof(afs_int32);
/* copy clear token */
memcpy(&ct, tp, temp);
tp += temp;
/* copy primary flag */
memcpy(&primflag, tp, sizeof(afs_int32));
tp += sizeof(afs_int32);
/* remember where cell name is */
cellp = tp;
if (!cell || !strcmp(cellp, cell))
break;
if (++index >= 200) {
code = KTC_PIOCTLFAIL;
goto Done;
}
}
/* set return values */
/* got token for cell; check that it will fit */
if (tktLen > (unsigned) MAXKTCTICKETLEN) {
code = KTC_TOOBIG;
goto Done;
}
code = ENOMEM;
if (!(r = malloc(sizeof *r)))
goto Done;
memset(r, 0, sizeof *r);
if (!(r->cell = strdup(cellp)))
goto Done;
r->cu->cu_type = CU_KAD;
r->cu->cu_u.cu_kad.primary_flag = primflag;
if (!(r->cu->cu_u.cu_kad.cell_name = strdup(cellp)))
goto Done;
if (!(r->cu->cu_u.cu_kad.ticket.ticket_val = malloc(tktLen)))
goto Done;
r->cu->cu_u.cu_kad.ticket.ticket_len = tktLen;
memcpy(r->cu->cu_u.cu_kad.ticket.ticket_val, stp, tktLen);
r->cu->cu_u.cu_kad.token.kvno = ct.AuthHandle;
r->cu->cu_u.cu_kad.token.viceid = ct.ViceId;
memcpy(r->cu->cu_u.cu_kad.token.m_key, ct.HandShakeKey, 8);
r->cu->cu_u.cu_kad.token.begintime = ct.BeginTimestamp;
r->cu->cu_u.cu_kad.token.endtime = ct.EndTimestamp;
*a_token = r;
r = 0;
code = 0;
goto Done;
}
if (code) {
Failed:
/* failed to retrieve specified token */
if (code < 0) switch(code = errno) {
case EDOM:
case ENOTCONN:
code = KTC_NOENT;
break;
case EIO:
code = KTC_NOCM;
break;
}
} else {
/* now we're cookin with gas */
code = parse_afs_token(iob.out, iob.out_size, a_token);
}
Done:
UNLOCK_GLOBAL_MUTEX;
if (r) {
if (r->cell)
free(r->cell);
if (r->cu->cu_u.cu_kad.ticket.ticket_val)
free (r->cu->cu_u.cu_kad.ticket.ticket_val);
if (r->cu->cu_u.cu_kad.cell_name)
free (r->cu->cu_u.cu_kad.cell_name);
free(r);
}
return code;
}
/* copy bits of an rxkad token into a ktc_token */
int
afstoken_to_token(afs_token *afstoken, struct ktc_token *ttoken, int ttoksize)
{
if (afstoken->cu->cu_type != CU_KAD) return KTC_INVAL;
ttoken->kvno = afstoken->cu->cu_u.cu_kad.token.kvno;
memcpy(ttoken->sessionKey.data,
afstoken->cu->cu_u.cu_kad.token.m_key,
8);
ttoken->startTime=afstoken->cu->cu_u.cu_kad.token.begintime;
ttoken->endTime=afstoken->cu->cu_u.cu_kad.token.endtime;
ttoken->ticketLen=afstoken->cu->cu_u.cu_kad.ticket.ticket_len;
if (ttoken->ticketLen >
(unsigned) (ttoksize - (sizeof *ttoken - MAXKTCTICKETLEN))) {
return KTC_TOOBIG;
}
memcpy(ttoken->ticket,
afstoken->cu->cu_u.cu_kad.ticket.ticket_val,
ttoken->ticketLen);
return 0;
}
#ifdef AFS_RXK5
/* copy bits of an rxkad token into a k5 credential */
int
afstoken_to_v5cred(afs_token *afstoken, krb5_creds *v5cred)
{
if (afstoken->cu->cu_type != CU_K5) return KTC_INVAL;
#if USING_HEIMDAL
v5cred->session.keytype = afstoken->cu->cu_u.cu_rxk5.session.keytype;
v5cred->session.keyvalue.length = afstoken->cu->cu_u.cu_rxk5.session.m_key.m_key_len;
v5cred->session.keyvalue.data = afstoken->cu->cu_u.cu_rxk5.session.m_key.m_key_val;
#else
v5cred->keyblock.enctype = afstoken->cu->cu_u.cu_rxk5.session.keytype;
v5cred->keyblock.length = afstoken->cu->cu_u.cu_rxk5.session.m_key.m_key_len;
v5cred->keyblock.contents = afstoken->cu->cu_u.cu_rxk5.session.m_key.m_key_val;
#endif
v5cred->ticket.length = afstoken->cu->cu_u.cu_rxk5.k5ticket.k5ticket_len;
v5cred->ticket.data = afstoken->cu->cu_u.cu_rxk5.k5ticket.k5ticket_val;
return 0;
}
#endif
/* get token, given server we need and token buffer. aclient will eventually
* be set to our identity to the server.
*/

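--- a/src/auth/rxk5_tkt.c
+++ b/src/auth/rxk5_tkt.c
@@ -0,0 +1,417 @@
+/*
+* Copyright (c) 2005, 2006
+* The Linux Box Corporation
+* ALL RIGHTS RESERVED
+*
+* Permission is granted to use, copy, create derivative works
+* and redistribute this software and such derivative works
+* for any purpose, so long as the name of the Linux Box
+* Corporation is not used in any advertising or publicity
+* pertaining to the use or distribution of this software
+* without specific, written prior authorization. If the
+* above copyright notice or any other identification of the
+* Linux Box Corporation is included in any copy of any
+* portion of this software, then the disclaimer below must
+* also be included.
+*
+* This software is provided as is, without representation
+* from the Linux Box Corporation as to its fitness for any
+* purpose, and without warranty by the Linux Box Corporation
+* of any kind, either express or implied, including
+* without limitation the implied warranties of
+* merchantability and fitness for a particular purpose. The
+* regents of the Linux Box Corporation shall not be liable
+* for any damages, including special, indirect, incidental, or
+* consequential damages, with respect to any claim arising
+* out of or in connection with the use of the software, even
+* if it has been or is hereafter advised of the possibility of
+* such damages.
+*/
+#include <afsconfig.h>
+#if defined(KERNEL)
+# include "afs/param.h"
+# include "afs/sysincludes.h"
+# include "afsincludes.h"
+# include "afs_stats.h"
+# if !defined(UKERNEL) || defined(USING_SSL)
+# include "k5ssl.h"
+# else /* UKERNEL && !USING_SSL && KERNEL */
+# undef u
+# include <krb5.h>
+# endif /* UKERNEL && !USING_SSL && KERNEL */
+#else /* !KERNEL */
+#define afs_osi_Alloc(n) malloc(n)
+#define afs_osi_Free(p,n) free(p)
+#define afs_strdup(p) strdup(p)
+# include <afs/afsutil.h>
+# include <auth/cellconfig.h>
+# include <stdlib.h>
+# include <syslog.h>
+# include <stdarg.h>
+# include <string.h>
+# include <stdio.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <unistd.h>
+# include <errno.h>
+# if defined(USING_SSL)
+# include "k5ssl.h"
+# else /* !USING_SSL && !KERNEL */
+# include <krb5.h>
+# endif /* !USING_SSL && !KERNEL */
+#endif /* !KERNEL */
+#include "rx/rx.h"
+#include "rx/rxk5.h"
+#include "rxk5_tkt.h"
+#include "afs/afs_token.h"
+static
+char* expand_principal_name(
+krb5_context context,
+krb5_principal princ,
+int *bufsize /* out */)
+{
+char* buf;
+#if !defined(USING_SHISHI)
+int code;
+code = krb5_unparse_name(context, princ, &buf);
+if(code == 0) {
+*bufsize = strlen(buf) + 1;
+} else {
+*bufsize = 0;
+}
+#endif
+return buf;
+}
+/*
+* Free rxk5_creds structure
+*/
+void rxk5_free_creds(
+krb5_context k5context,
+rxk5_creds *creds)
+{
+krb5_free_creds(k5context, creds->k5creds);
+rxk5_free_str(creds->cell);
+afs_osi_Free(creds, sizeof(rxk5_creds));
+}
+#define MAX_RXK5_TOKEN_LEN 32000
+#define MAX_RXKAD_TOKEN_LEN 12000
+/*
+* Free a structure using clever xdr logic. Most of xdrs is never initialized. If x_op is
+* XDR_FREE, the rest of it is just ignored.
+*/
+#if 0
+static
+int free_rxk5_princ(
+rxk5_principal *princ)
+{
+XDR xdrs[1];
+xdrs->x_op = XDR_FREE;
+if (!xdr_rxk5_principal(xdrs, princ)) {
+return 1;
+}
+return 0;
+}
+#endif
+static
+void parse_rxk5_princ(
+char *str,
+rxk5_principal *x)
+{
+int i;
+char *cp, *ep, *cep, *np;
+memset(x, 0, sizeof *x);
+if ((cp = strchr(str, '@'))) {
+x->realm = afs_strdup(cp+1);
+ep = cp;
+} else {
+x->realm = afs_strdup("");
+ep = str + strlen(str);
+}
+if(ep > str)
+x->name.name_len = 1;
+/* count instances --saves one alloc */
+cep = ep;
+for(cp = str; cp < cep; ) {
+np = memchr(cp, '/', cep-cp);
+if (!np)
+break;
+x->name.name_len++;
+cp = np + 1;
+}
+x->name.name_val = afs_osi_Alloc(
+x->name.name_len * sizeof *x->name.name_val);
+for (i = 0, cp = str; cp < ep; ++i) {
+np = memchr(cp, '/', ep-cp);
+if (!np)
+np = ep;
+memcpy(x->name.name_val[i] = afs_osi_Alloc(1 + np - cp), cp, np - cp);
+x->name.name_val[i][np-cp] = 0;
+cp = np + 1;
+}
+}
+/*
+* Format an rxk5_principal structure as a krb5 name. The equivalent
+* of krb_unparse_name. Caller must free.
+*/
+static
+int rxk5_unparse_name(
+rxk5_principal *x,
+char** s,
+int *sz)
+{
+char *p;
+int ix, len, nlen;
+len = 1 /* @, nul */ + strlen(x->realm);
+for(ix = 0; ix < x->name.name_len; ++ix) {
+len += strlen(x->name.name_val[ix]) + 1 /* / */;
+}
+*sz = len + 1;
+p = *s = afs_osi_Alloc(*sz);
+for(ix = 0; ix < x->name.name_len; ++ix) {
+char* pv = x->name.name_val[ix];
+nlen = strlen(pv);
+memcpy(p, pv, nlen);
+p += nlen;
+if(ix != (x->name.name_len - 1))
+*p++ = '/';
+}
+*p++ = '@';
+nlen = strlen(x->realm);
+memcpy(p, x->realm, nlen);
+p += nlen;
+*p++ = 0;
+return 0;
+}
+void rxk5_principal_to_krb5_principal(
+krb5_principal *k5_princ,
+rxk5_principal *rxk5_princ)
+{
+char *name;
+int code, sz;
+code = rxk5_unparse_name(rxk5_princ, &name, &sz);
+code = krb5_parse_name(rxk5_get_context(0), name, k5_princ);
+afs_osi_Free(name, sz);
+}
+#if 1 && !defined(KERNEL)
+print_rxk5_princ(
+struct rxk5_principal *princ)
+{
+int i;
+for (i = 0; i < princ->name.name_len; ++i)
+printf ("/%s"+!i, princ->name.name_val[i]);
+printf ("@%s", princ->realm);
+}
+print_rxk5_key(struct rxk5_key *key)
+{
+int i;
+printf ("type=%d length=%d data=", key->keytype, key->m_key.m_key_len);
+for (i = 0; i < key->m_key.m_key_len; ++i)
+printf ("%02x", i[(unsigned char*)key->m_key.m_key_val]);
+}
+print_rxk5_token(
+struct rxk5_token *token)
+{
+int i;
+printf (" client=");
+print_rxk5_princ(&token->client);
+printf ("\n server=");
+print_rxk5_princ(&token->server);
+printf ("\n session=");
+print_rxk5_key(&token->session);
+printf ("\n authtime=%#x starttime=%#x endtime=%#x\n",
+token->authtime, token->starttime, token->endtime);
+printf (" flags=%#x\n", token->flags);
+printf (" ticket=");
+for (i = 0; i < token->k5ticket.k5ticket_len; ++i)
+printf ("%02x", i[(unsigned char*)token->k5ticket.k5ticket_val]);
+printf ("\n");
+}
+#endif /* debug tokens */
+/*
+* Format new-style afs_token using kerberos 5 credentials (rxk5),
+* caller frees returned memory (of size bufsize).
+*/
+int
+make_afs_token_rxk5(
+krb5_context context,
+char *cell,
+int viceid,
+krb5_creds *creds,
+afs_token **a_token /* out */)
+{
+rxk5_token *k5_token;
+char *cp_name, *sp_name;
+int cpname_size, spname_size;
+(*a_token) = (afs_token*) afs_osi_Alloc(sizeof(afs_token));
+memset((*a_token), 0, sizeof(afs_token)); /* skip? */
+(*a_token)->nextcellnumber = 0;
+(*a_token)->cell = afs_strdup(cell);
+(*a_token)->cu->cu_type = CU_K5;
+k5_token = &((*a_token)->cu->cu_u.cu_rxk5);
+k5_token->viceid = viceid;
+cp_name = expand_principal_name(context,
+creds->client, &cpname_size);
+parse_rxk5_princ(cp_name, &k5_token->client);
+sp_name = expand_principal_name(context,
+creds->server, &spname_size);
+parse_rxk5_princ(sp_name, &k5_token->server);
+k5_token->authtime = (creds->times).authtime;
+k5_token->starttime = (creds->times).starttime;
+k5_token->endtime = (creds->times).endtime;
+k5_token->k5ticket.k5ticket_len = (creds->ticket).length;
+k5_token->k5ticket.k5ticket_val = afs_osi_Alloc(k5_token->k5ticket.k5ticket_len);
+memcpy(k5_token->k5ticket.k5ticket_val, (creds->ticket).data,
+k5_token->k5ticket.k5ticket_len);
+#if USING_HEIMDAL
+k5_token->session.keytype = (creds->session).keytype;
+k5_token->session.m_key.m_key_len = (creds->session).keyvalue.length;
+k5_token->session.m_key.m_key_val =
+afs_osi_Alloc(k5_token->session.m_key.m_key_len);
+memcpy(k5_token->session.m_key.m_key_val, (creds->session).keyvalue.data,
+k5_token->session.m_key.m_key_len);
+k5_token->flags = (creds->flags.i);
+#else
+k5_token->session.keytype = (creds->keyblock).enctype;
+k5_token->session.m_key.m_key_len = (creds->keyblock).length;
+k5_token->session.m_key.m_key_val =
+afs_osi_Alloc(k5_token->session.m_key.m_key_len);
+memcpy(k5_token->session.m_key.m_key_val, (creds->keyblock).contents,
+k5_token->session.m_key.m_key_len);
+k5_token->flags = (creds->ticket_flags);
+#endif
+afs_osi_Free(cp_name, cpname_size);
+afs_osi_Free(sp_name, spname_size);
+return 0;
+}
+/*
+* Converts afs_token structure to an rxk5_creds structure, which is returned
+* in creds. Caller must free.
+*/
+int afs_token_to_rxk5_creds(
+afs_token *a_token,
+rxk5_creds **creds)
+{
+int code;
+rxk5_token *k5_token;
+switch(a_token->cu->cu_type) {
+case CU_K5:
+break;
+default:
+/* bad credential type */
+return -1;
+}
+*creds = afs_osi_Alloc(sizeof(rxk5_creds));
+if(!*creds)
+return ENOMEM;
+code = afs_token_to_k5_creds(a_token, &((*creds)->k5creds));
+if(code)
+return code;
+k5_token = &(a_token->cu->cu_u.cu_rxk5);
+(*creds)->ViceId = k5_token->viceid;
+(*creds)->cell = afs_strdup(a_token->cell);
+return 0;
+}
+/*
+* Converts afs_token structure to a native krb5_creds structure, which is returned
+* in creds. Caller must free.
+*/
+int afs_token_to_k5_creds(
+afs_token *a_token,
+krb5_creds **creds)
+{
+rxk5_token *k5_token;
+krb5_creds *k5_creds;
+switch(a_token->cu->cu_type) {
+case CU_K5:
+break;
+default:
+/* bad credential type */
+return -1;
+}
+/* already asserted */
+k5_token = &(a_token->cu->cu_u.cu_rxk5);
+k5_creds = afs_osi_Alloc(sizeof(krb5_creds));
+memset(k5_creds, 0, sizeof(krb5_creds));
+rxk5_principal_to_krb5_principal(&(k5_creds->client), &k5_token->client);
+rxk5_principal_to_krb5_principal(&(k5_creds->server), &k5_token->server);
+(k5_creds->times).authtime = k5_token->authtime;
+(k5_creds->times).starttime = k5_token->starttime;
+(k5_creds->times).endtime = k5_token->endtime;
+(k5_creds->ticket).length = k5_token->k5ticket.k5ticket_len;
+(k5_creds->ticket).data = afs_osi_Alloc((k5_creds->ticket).length);
+memcpy((k5_creds->ticket).data, k5_token->k5ticket.k5ticket_val,
+(k5_creds->ticket).length);
+#if USING_HEIMDAL
+(k5_creds->session).keytype = k5_token->session.keytype;
+(k5_creds->session).keyvalue.length = k5_token->session.m_key.m_key_len;
+(k5_creds->session).keyvalue.data =
+afs_osi_Alloc((k5_creds->session).keyvalue.length);
+memcpy((k5_creds->session).keyvalue.data,
+k5_token->session.m_key.m_key_val, (k5_creds->session).keyvalue.length);
+(k5_creds->flags.i) = k5_token->flags;
+/* omit addresses */
+(k5_creds->addresses).len = 0;
+(k5_creds->addresses).val = (krb5_address*) afs_osi_Alloc(sizeof(krb5_address*));
+memset((k5_creds->addresses).val, 0, sizeof(krb5_address*));
+#else
+(k5_creds->keyblock).enctype = k5_token->session.keytype;
+(k5_creds->keyblock).length = k5_token->session.m_key.m_key_len;
+(k5_creds->keyblock).contents = afs_osi_Alloc((k5_creds->keyblock).length);
+memcpy((k5_creds->keyblock).contents, k5_token->session.m_key.m_key_val,
+(k5_creds->keyblock).length);
+(k5_creds->ticket_flags) = k5_token->flags;
+/* omit addresses */
+(k5_creds->addresses) = afs_osi_Alloc(sizeof(krb5_address*));
+*(k5_creds->addresses) = 0;
+#endif
+*creds = k5_creds;
+return 0;
+}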
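Review bot: make_afs_token_rxk5() never checks what expand_principal_name() returns, and that helper returns `buf` uninitialised when krb5_unparse_name() fails (it only sets `*bufsize = 0`) and always when USING_SHISHI is defined; parse_rxk5_princ() then calls strchr() on an indeterminate pointer and afs_osi_Free() is later called on it with size 0. Initialise the pointer, `char* buf = 0;`, and have the caller stop with `if (!cp_name || !sp_name) { code = ENOMEM; goto fail; }` where the fail path releases the strings and the partially built token and clears `*a_token` (the function currently returns 0 unconditionally, so callers have no way to learn that the token is incomplete). The same unchecked pattern appears in rxk5_principal_to_krb5_principal(), which assigns `code` from rxk5_unparse_name() and krb5_parse_name() but is void and discards both, so afs_token_to_k5_creds() can return a krb5_creds whose client or server principal was never set; a minimal fix is to make it return `code` and have afs_token_to_k5_creds() test it. Separately, the `if(code) return code;` after afs_token_to_k5_creds() in afs_token_to_rxk5_creds() returns with `*creds` still allocated and handed to the caller, which leaks it and leaves a half-initialised structure reachable.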

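--- a/src/auth/rxk5_tkt.h
+++ b/src/auth/rxk5_tkt.h
@@ -0,0 +1,100 @@
+/*
+* Copyright (c) 2005, 2006
+* The Linux Box Corporation
+* ALL RIGHTS RESERVED
+*
+* Permission is granted to use, copy, create derivative works
+* and redistribute this software and such derivative works
+* for any purpose, so long as the name of the Linux Box
+* Corporation is not used in any advertising or publicity
+* pertaining to the use or distribution of this software
+* without specific, written prior authorization. If the
+* above copyright notice or any other identification of the
+* Linux Box Corporation is included in any copy of any
+* portion of this software, then the disclaimer below must
+* also be included.
+*
+* This software is provided as is, without representation
+* from the Linux Box Corporation as to its fitness for any
+* purpose, and without warranty by the Linux Box Corporation
+* of any kind, either express or implied, including
+* without limitation the implied warranties of
+* merchantability and fitness for a particular purpose. The
+* regents of the Linux Box Corporation shall not be liable
+* for any damages, including special, indirect, incidental, or
+* consequential damages, with respect to any claim arising
+* out of or in connection with the use of the software, even
+* if it has been or is hereafter advised of the possibility of
+* such damages.
+*/
+#ifndef RXK5_TKT_H
+#define RXK5_TKT_H
+#include "afs_token.h"
+#ifndef KERNEL
+#include "auth.h" /* ktc_token */
+#include "afs_token_protos.h"
+#else
+#include <afs/afs_token_protos.h>
+#endif /* !KERNEL */
+#ifdef AFS_RXK5
+/* In-kernel creds */
+typedef struct _rxk5_creds
+{
+krb5_creds *k5creds;
+afs_int32 ViceId; /* rxkad has always had this in ClearToken */
+char *cell;
+} rxk5_creds;
+void rxk5_free_creds(
+krb5_context k5context,
+rxk5_creds *creds);
+/*
+* Does what afs_osi_FreeStr(x) does, but a macro and frankly, looks safer
+*/
+#define rxk5_free_str(x) \
+do { \
+int s; \
+s = strlen(x) + 1; \
+afs_osi_Free(x, s); \
+} while (0) \
+#endif
+/* Interoperable credentials stuff */
+#ifdef AFS_RXK5
+/*
+* Format new-style afs_token using kerberos 5 credentials (rxk5),
+* caller frees returned memory (of size bufsize).
+*/
+int
+make_afs_token_rxk5(
+krb5_context context,
+char *cell,
+int viceid,
+krb5_creds *creds,
+afs_token **a_token /* out */);
+#endif
+#ifdef AFS_RXK5
+/*
+* Converts afs_token structure to an rxk5_creds structure, which is returned
+* in creds. Caller must free.
+*/
+int afs_token_to_rxk5_creds(
+afs_token *a_token,
+rxk5_creds **creds);
+/*
+* Converts afs_token structure to a native krb5_creds structure, which is returned
+* in creds. Caller must free.
+*/
+int afs_token_to_k5_creds(
+afs_token *a_token,
+krb5_creds **creds);
+#endif
+#endif /* RXK5_TKT_H */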
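Review bot: The last line of the `rxk5_free_str` macro, `} while (0) \`, ends with a line continuation, so the macro body extends onto whatever line follows it; as rendered here that is the `#endif` that closes `#ifdef AFS_RXK5`, which would be swallowed into the macro and unbalance the include guard. The rendering has dropped blank lines (90 of the 100 added lines are shown), so a blank line may separate the two in the committed file and make it compile, but the macro then depends on that blank line; the trailing backslash should go: `} while (0)`. The macro also evaluates `x` twice (`strlen(x)` and `afs_osi_Free(x, s)`) and passes a NULL straight to strlen(), which is worth stating above it, e.g. `/* x must be a non-NULL, side-effect-free expression */`, given the "looks safer" comment invites it to be used liberally.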

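--- a/src/auth/rxk5_utilafs.c
+++ b/src/auth/rxk5_utilafs.c
@@ -0,0 +1,774 @@
+/*
+* Copyright (c) 2005, 2006
+* The Linux Box Corporation
+* ALL RIGHTS RESERVED
+*
+* Permission is granted to use, copy, create derivative works
+* and redistribute this software and such derivative works
+* for any purpose, so long as the name of the Linux Box
+* Corporation is not used in any advertising or publicity
+* pertaining to the use or distribution of this software
+* without specific, written prior authorization. If the
+* above copyright notice or any other identification of the
+* Linux Box Corporation is included in any copy of any
+* portion of this software, then the disclaimer below must
+* also be included.
+*
+* This software is provided as is, without representation
+* from the Linux Box Corporation as to its fitness for any
+* purpose, and without warranty by the Linux Box Corporation
+* of any kind, either express or implied, including
+* without limitation the implied warranties of
+* merchantability and fitness for a particular purpose. The
+* regents of the Linux Box Corporation shall not be liable
+* for any damages, including special, indirect, incidental, or
+* consequential damages, with respect to any claim arising
+* out of or in connection with the use of the software, even
+* if it has been or is hereafter advised of the possibility of
+* such damages.
+*/
+#include <afsconfig.h>
+#include <afs/afsutil.h>
+#include <auth/cellconfig.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+#include "rxk5_utilafs.h"
+#include <rx/rxk5.h>
+#define START_OF_TIME 300 /* must be nz */
+#define END_OF_TIME ((~0U)>>1)
+int have_afs_rxk5_keytab(char *confdir_name)
+{
+int r, code;
+struct stat st;
+char *keytab;
+r = 0;
+keytab = get_afs_rxk5_keytab(confdir_name);
+code = stat(keytab, &st);
+if((code == 0) && (S_ISREG(st.st_mode))) {
+r = 1;
+}
+free(keytab);
+return r;
+}
+char* get_afs_rxk5_keytab(char *confdir_name)
+{
+/* Format a full path to the AFS keytab, caller must free */
+int len;
+char* rxk5_keytab;
+len = 12 + strlen(confdir_name);
+rxk5_keytab = (char*) malloc(len * sizeof(char));
+memset(rxk5_keytab, 0, len);
+sprintf(rxk5_keytab, "%s/afs.keytab", confdir_name);
+return rxk5_keytab;
+}
+char* get_afs_krb5_localauth_svc_princ(struct afsconf_dir *confdir)
+{
+/* Returns the AFS service principal that should be sent by afs-k5
+-localauth.
+The afs-k5 service principal is created as follows:
+afs-k5/cell@REALM
+cell == what afsconf considers to be the local cell
+REALM == 1st realm in krb.conf, else UPPER(cell)
+The client must free.
+*/
+int code, plen;
+char* princ = 0;
+struct afsconf_cell info;
+krb5_context k5context = 0;
+char the_realm[AFS_REALM_SZ];
+code = krb5_init_context(&k5context);
+if(code) {
+com_err("rxk5_utilafs", code, "error krb5_init_context");
+goto cleanup;
+}
+code = afsconf_GetCellInfo(confdir, NULL, NULL, &info);
+if (code) {
+com_err("rxk5_utilafs", code, " --unable to resolve local cell");
+goto cleanup;
+}
+if (afs_krb_get_lrealm(the_realm, 0) != 0) {
+/* not found, so upcase the local cell */
+ucstring(the_realm, info.name, AFS_REALM_SZ);
+}
+plen = 9 + strlen(info.name) + strlen(the_realm);
+princ = (char*) malloc(plen * sizeof(char));
+if (!princ) goto cleanup;
+sprintf(princ, "afs-k5/%s@%s", info.name, the_realm);
+cleanup:
+if(k5context)
+krb5_free_context(k5context);
+return princ;
+}
+/*
+* get_afs_krb5_svc_princ
+*
+* Returns the AFS service principal for the chosen cell/realm,
+* as used by AFS programs (eg, pts)--what aklog does.
+*
+* The caller must free.
+*/
+char*
+get_afs_krb5_svc_princ(struct afsconf_cell *info)
+{
+int code, plen;
+char *princ = 0, **hrealms = 0;
+krb5_context k5context;
+k5context = rxk5_get_context(0);
+if (!k5context)
+goto cleanup;
+if ((code = krb5_get_host_realm(k5context, info->hostName[0], &hrealms))
+|| !hrealms || !*hrealms) {
+com_err("rxk5_utilafs", code,
+"no realms for afsdb host <%s>", info->hostName[0]);
+goto cleanup;
+}
+plen = 9 + strlen(info->name) + strlen(*hrealms); /* afs-k5/cell@REALM */
+princ = malloc(plen);
+if (!princ)
+goto cleanup;
+snprintf(princ, plen, "afs-k5/%s@%s", info->name, *hrealms);
+cleanup:
+if (hrealms) krb5_free_host_realm(k5context, hrealms);
+return princ;
+}
+int env_afs_rxk5_default(void)
+{
+char* ev = (char*) getenv("AFS_RXK5_DEFAULT");
+if (!ev) return FORCE_RXKAD|FORCE_RXK5;
+if ((strcasecmp(ev, "YES") == 0) || (strcasecmp(ev, "1") == 0)) {
+return FORCE_RXK5;
+} else {
+return FORCE_RXKAD;
+}
+}
+static int
+afs_rxk5_is_local_realm(struct afsconf_dir *adir, char *avrealm)
+{
+int i;
+char afs_realm[AFS_REALM_SZ];
+for (i = 0; !afs_krb_get_lrealm(afs_realm, i); ++i) {
+if (!strcmp(afs_realm, avrealm))
+return 1;
+}
+if (!i && adir && adir->cellName) {
+ucstring(afs_realm, adir->cellName, sizeof afs_realm);
+i = !strcmp(avrealm, afs_realm);
+}
+return i;
+}
+#ifdef USING_HEIMDAL
+#define krb5_princ_size(c,p) ((p)->name.name_string.len)
+#endif
+int
+afs_rxk5_parse_name_k5(struct afsconf_dir *adir,
+const char *princ,
+char **name,
+int downcase)
+{
+/* if princ is in local realm, strip @REALM from princ and return
+as *name, else strdup princ */
+krb5_context k5context = 0;
+krb5_principal parsed_princ = 0;
+krb5_principal_data work[1];
+int ncomp, code, len;
+char *first = 0, *instance = 0, *realm = 0;
+char *cp;
+k5context = rxk5_get_context(0);
+*name = 0;
+if (!k5context)
+return EDOM; /* XXX */
+code = krb5_parse_name(k5context, princ, &parsed_princ);
+if (code) goto Failed;
+code = EDOM; /* XXX */
+switch(ncomp = krb5_princ_size(k5context, parsed_princ)) {
+case 2:
+case 1:
+break;
+default:
+goto Failed;
+}
+memset(work, 0, sizeof *work);
+#ifdef USING_HEIMDAL
+work->name.name_string.val = parsed_princ->name.name_string.val;
+work->name.name_string.len = 1;
+work->realm = "";
+#else
+work->data = krb5_princ_component(k5context, parsed_princ, 0);
+work->length = 1;
+#endif
+code = krb5_unparse_name(k5context, work, &first);
+if (code) goto Failed;
+cp = first + strlen(first);
+if (cp > first && *--cp == '@') *cp = 0;
+code = EDOM; /* XXX */
+if (cp - first > 64
+|| strchr(first, '.')
+|| strchr(first, '@')) goto Failed;
+if (ncomp > 1) {
+#ifdef USING_HEIMDAL
+++ work->name.name_string.val;
+#else
+work->data = krb5_princ_component(k5context, parsed_princ, 1);
+#endif
+code = krb5_unparse_name(k5context, work, &instance);
+if (code) goto Failed;
+cp = instance + strlen(instance);
+if (cp > instance && *--cp == '@') *cp = 0;
+code = EDOM; /* XXX */
+if (cp == instance || cp - instance > 64
+|| strchr(instance, '@')) goto Failed;
+}
+#ifdef USING_HEIMDAL
+work->name.name_string.len = 0;
+#else
+work->length = 0;
+#endif
+work->realm = parsed_princ->realm;
+code = krb5_unparse_name(k5context, work, &realm);
+if (code) goto Failed;
+code = EDOM; /* XXX */
+if (strlen(realm) > 64+1) goto Failed;
+if (adir && afs_rxk5_is_local_realm(adir, realm+1)) {
+free(realm);
+realm = 0;
+}
+len = 1+strlen(first);
+if (instance) len += 1+strlen(instance);
+if (realm) len += 1+strlen(realm);
+*name = malloc(len);
+code = ENOMEM;
+if (!*name) goto Failed;
+strcpy(*name, first);
+cp = *name + strlen(*name);
+if (instance) {
+*cp++ = '.';
+strcpy(cp, instance);
+cp += strlen(cp);
+}
+if (realm) {
+if (downcase)
+lcstring(cp, realm, 64);
+else
+strcpy(cp, realm);
+}
+code = 0;
+Failed:
+if (first) free(first);
+if (instance) free(instance);
+if (realm) free(realm);
+if (parsed_princ) krb5_free_principal(k5context, parsed_princ);
+return code;
+}
+int
+afs_rxk5_split_name_instance(char* k5name, char** k4name, char** k4instance)
+{
+/* this is crap, but... */
+int code, k5len, nlen, ilen;
+char *inst_pos, *dot_pos;
+code = 0;
+dot_pos = strchr(k5name, '.');
+if(!dot_pos) {
+*k4name = strdup(k5name);
+*k4instance = strdup("");
+goto out;
+}
+k5len = strlen(k5name);
+nlen = dot_pos - k5name;
+inst_pos = dot_pos + 1;
+ilen = strlen(inst_pos);
+*k4name = (char*) malloc((nlen+1) * sizeof(char));
+memset(*k4name, 0, (nlen+1));
+strncpy(*k4name, k5name, nlen);
+*k4instance = (char*) malloc((ilen+1) * sizeof(char));
+memset(*k4instance, 0, (ilen+1));
+strncpy(*k4instance, inst_pos, ilen);
+out:
+return code;
+}
+#define K5FORGE_IGNORE_ENCTYPE 0
+#define K5FORGE_IGNORE_VNO 0
+int Dflag;
+#define k5forge_progname "afs_rxk5_k5forge"
+int exitcode;
+#if USING_HEIMDAL
+#define deref_keyblock_enctype(kb) \
+((kb)->keytype)
+#define deref_entry_keyblock(entry) \
+entry->keyblock
+#define deref_session_key(creds) \
+creds->session
+#define deref_enc_tkt_addrs(tkt) \
+tkt->caddr
+#define deref_enc_length(enc) \
+((enc)->cipher.length)
+#define deref_enc_data(enc) \
+((enc)->cipher.data)
+#define krb5_free_keytab_entry_contents krb5_kt_free_entry
+#else
+#define deref_keyblock_enctype(kb) \
+((kb)->enctype)
+#define deref_entry_keyblock(entry) \
+entry->key
+#define deref_session_key(creds) \
+creds->keyblock
+#define deref_enc_tkt_addrs(tkt) \
+tkt->caddrs
+#define deref_enc_length(enc) \
+((enc)->ciphertext.length)
+#define deref_enc_data(enc) \
+((enc)->ciphertext.data)
+#endif
+#define deref_entry_enctype(entry) \
+deref_keyblock_enctype(&deref_entry_keyblock(entry))
+/* Forge a krb5 ticket from a keytab entry, return it in creds, which caller
+must free */
+int afs_rxk5_k5forge(krb5_context context,
+char* keytab,
+char* service,
+char* client,
+time_t starttime,
+time_t endtime,
+int *allowed_enctypes,
+int *paddress,
+krb5_creds** out_creds /* out */ )
+{
+int code;
+krb5_keytab kt = 0;
+krb5_kt_cursor cursor[1];
+krb5_keytab_entry entry[1];
+krb5_principal service_principal = 0, client_principal = 0;
+krb5_ccache cc = 0;
+krb5_creds *creds = 0;
+krb5_enctype enctype;
+krb5_kvno kvno;
+krb5_keyblock session_key[1];
+#if USING_HEIMDAL
+Ticket ticket_reply[1];
+EncTicketPart enc_tkt_reply[1];
+krb5_address address[30];
+krb5_addresses faddr[1];
+int temp_vno[1];
+time_t temp_time[2];
+#else
+krb5_ticket ticket_reply[1];
+krb5_enc_tkt_part enc_tkt_reply[1];
+krb5_address address[30], *faddr[30];
+#endif
+krb5_data * temp;
+int i;
+static int any_enctype[] = {0};
+*out_creds = 0;
+if (!(creds = malloc(sizeof *creds))) {
+code = ENOMEM;
+goto cleanup;
+}
+if (!allowed_enctypes)
+allowed_enctypes = any_enctype;
+client_principal = service_principal = 0;
+cc = 0;
+enctype = K5FORGE_IGNORE_ENCTYPE;
+kvno = K5FORGE_IGNORE_VNO;
+memset((char*)creds, 0, sizeof *creds);
+memset((char*)entry, 0, sizeof *entry);
+memset((char*)session_key, 0, sizeof *session_key);
+memset((char*)ticket_reply, 0, sizeof *ticket_reply);
+memset((char*)enc_tkt_reply, 0, sizeof *enc_tkt_reply);
+if (service && (code = krb5_parse_name(context, service,
+&service_principal))) {
+com_err(k5forge_progname, code, "when parsing name <%s>", service);
+goto cleanup;
+}
+if (client && (code = krb5_parse_name(context, client,
+&client_principal))) {
+com_err(k5forge_progname, code, "when parsing name <%s>", client);
+goto cleanup;
+}
+code = krb5_kt_resolve(context, keytab, &kt);
+if (code) {
+if (keytab)
+com_err(k5forge_progname, code, "while resolving keytab %s", keytab);
+else
+com_err(k5forge_progname, code, "while resolving default keytab");
+goto cleanup;
+}
+if (service) {
+for (i = 0; (enctype = allowed_enctypes[i]) || !i; ++i) {
+code = krb5_kt_get_entry(context,
+kt,
+service_principal,
+kvno,
+enctype,
+entry);
+if (!code) {
+if (allowed_enctypes[i])
+deref_keyblock_enctype(session_key) = allowed_enctypes[i];
+break;
+}
+}
+if (code) {
+com_err(k5forge_progname, code,"while scanning keytab entries for %s", service);
+goto cleanup;
+}
+} else {
+krb5_keytab_entry new[1];
+int best = -1;
+memset(new, 0, sizeof *new);
+if ((code == krb5_kt_start_seq_get(context, kt, cursor))) {
+com_err(k5forge_progname, code, "while starting keytab scan");
+goto cleanup;
+}
+while (!(code = krb5_kt_next_entry(context, kt, new, cursor))) {
+for (i = 0;
+allowed_enctypes[i] && allowed_enctypes[i]
+!= deref_entry_enctype(new); ++i)
+;
+if ((!i || allowed_enctypes[i]) &&
+(best < 0 || best > i)) {
+krb5_free_keytab_entry_contents(context, entry);
+*entry = *new;
+memset(new, 0, sizeof *new);
+} else krb5_free_keytab_entry_contents(context, new);
+}
+if ((i = krb5_kt_end_seq_get(context, kt, cursor))) {
+com_err(k5forge_progname, i, "while ending keytab scan");
+code = i;
+goto cleanup;
+}
+if (best < 0) {
+com_err(k5forge_progname, code, "while scanning keytab");
+goto cleanup;
+}
+deref_keyblock_enctype(session_key) = deref_entry_enctype(entry);
+}
+/* Make Ticket */
+#if USING_HEIMDAL
+if ((code = krb5_generate_random_keyblock(context,
+deref_keyblock_enctype(session_key), session_key))) {
+com_err(k5forge_progname, code, "while making session key");
+goto cleanup;
+}
+enc_tkt_reply->flags.initial = 1;
+enc_tkt_reply->transited.tr_type = DOMAIN_X500_COMPRESS;
+enc_tkt_reply->cname = client_principal->name;
+enc_tkt_reply->crealm = client_principal->realm;
+enc_tkt_reply->key = *session_key;
+{
+static krb5_data empty_string;
+enc_tkt_reply->transited.contents = empty_string;
+}
+enc_tkt_reply->authtime = starttime;
+enc_tkt_reply->starttime = temp_time;
+*enc_tkt_reply->starttime = starttime;
+#if 0
+enc_tkt_reply->renew_till = temp_time + 1;
+*enc_tkt_reply->renew_till = endtime;
+#endif
+enc_tkt_reply->endtime = endtime;
+#else
+if ((code = krb5_c_make_random_key(context,
+deref_keyblock_enctype(session_key), session_key))) {
+com_err(k5forge_progname, code, "while making session key");
+goto cleanup;
+}
+#if !USING_SSL
+enc_tkt_reply->magic = KV5M_ENC_TKT_PART;
+#define DATACAST (unsigned char *)
+#else
+#define DATACAST /**/
+#endif
+enc_tkt_reply->flags |= TKT_FLG_INITIAL;
+enc_tkt_reply->transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+enc_tkt_reply->session = session_key;
+enc_tkt_reply->client = client_principal;
+{
+static krb5_data empty_string;
+enc_tkt_reply->transited.tr_contents = empty_string;
+}
+enc_tkt_reply->times.authtime = starttime;
+enc_tkt_reply->times.starttime = starttime; /* krb524init needs this */
+enc_tkt_reply->times.endtime = endtime;
+#endif /* USING_HEIMDAL */
+/* NB: We will discard address for now--rxk5 will ignore caddr field
+in any case. MIT branch does what it always did. */
+if (paddress && *paddress) {
+deref_enc_tkt_addrs(enc_tkt_reply) = faddr;
+#if USING_HEIMDAL
+faddr->len = 0;
+faddr->val = address;
+#endif
+for (i = 0; paddress[i]; ++i) {
+#if USING_HEIMDAL
+address[i].addr_type = KRB5_ADDRESS_INET;
+address[i].address.data = (void*)(paddress+i);
+address[i].address.length = sizeof(paddress[i]);
+#else
+#if !USING_SSL
+address[i].magic = KV5M_ADDRESS;
+address[i].addrtype = ADDRTYPE_INET;
+#else
+address[i].addrtype = AF_INET;
+#endif
+address[i].contents = (void*)(paddress+i);
+address[i].length = sizeof(int);
+faddr[i] = address+i;
+#endif
+}
+#if USING_HEIMDAL
+faddr->len = i;
+#else
+faddr[i] = 0;
+#endif
+}
+#if USING_HEIMDAL
+ticket_reply->sname = service_principal->name;
+ticket_reply->realm = service_principal->realm;
+{ /* crypto block */
+krb5_crypto crypto = 0;
+unsigned char *buf = 0;
+size_t buf_size, buf_len;
+char *what;
+ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size,
+enc_tkt_reply, &buf_len, code);
+if(code) {
+com_err(k5forge_progname, code, "while encoding ticket");
+goto cleanup;
+}
+if(buf_len != buf_size) {
+com_err(k5forge_progname, code,
+"%d != %d while encoding ticket (internal ASN.1 encoder error",
+buf_len, buf_size);
+goto cleanup;
+}
+what = "krb5_crypto_init";
+code = krb5_crypto_init(context,
+&deref_entry_keyblock(entry),
+deref_entry_enctype(entry),
+&crypto);
+if(!code) {
+what = "krb5_encrypt";
+code = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_TICKET,
+buf, buf_len, entry->vno, &(ticket_reply->enc_part));
+}
+if (buf) free(buf);
+if (crypto) krb5_crypto_destroy(context, crypto);
+if(code) {
+com_err(k5forge_progname, code, "while %s", what);
+goto cleanup;
+}
+} /* crypto block */
+ticket_reply->enc_part.etype = deref_entry_enctype(entry);
+ticket_reply->enc_part.kvno = temp_vno;
+*ticket_reply->enc_part.kvno = entry->vno;
+ticket_reply->tkt_vno = 5;
+#else
+ticket_reply->server = service_principal;
+ticket_reply->enc_part2 = enc_tkt_reply;
+if ((code = krb5_encrypt_tkt_part(context, &deref_entry_keyblock(entry), ticket_reply))) {
+com_err(k5forge_progname, code, "while making ticket");
+goto cleanup;
+}
+ticket_reply->enc_part.kvno = entry->vno;
+#endif
+/* Construct Creds */
+if ((code = krb5_copy_principal(context, service_principal,
+&creds->server))) {
+com_err(k5forge_progname, code, "while copying service principal");
+goto cleanup;
+}
+if ((code = krb5_copy_principal(context, client_principal,
+&creds->client))) {
+com_err(k5forge_progname, code, "while copying client principal");
+goto cleanup;
+}
+if ((code = krb5_copy_keyblock_contents(context, session_key,
+&deref_session_key(creds)))) {
+com_err(k5forge_progname, code, "while copying session key");
+goto cleanup;
+}
+#if USING_HEIMDAL
+creds->times.authtime = enc_tkt_reply->authtime;
+creds->times.starttime = *(enc_tkt_reply->starttime);
+creds->times.endtime = enc_tkt_reply->endtime;
+#if 0
+creds->times.renew_till = *(enc_tkt_reply->renew_till);
+#endif
+creds->flags.b = enc_tkt_reply->flags;
+#else
+creds->times = enc_tkt_reply->times;
+creds->ticket_flags = enc_tkt_reply->flags;
+#endif
+if (!deref_enc_tkt_addrs(enc_tkt_reply))
+;
+else if ((code = krb5_copy_addresses(context,
+deref_enc_tkt_addrs(enc_tkt_reply), &creds->addresses))) {
+com_err(k5forge_progname, code, "while copying addresses");
+goto cleanup;
+}
+#if USING_HEIMDAL
+{
+size_t creds_tkt_len;
+ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
+ticket_reply, &creds_tkt_len, code);
+if(code) {
+com_err(k5forge_progname, code, "while encoding ticket");
+goto cleanup;
+}
+}
+#else
+if ((code = encode_krb5_ticket(ticket_reply, &temp))) {
+com_err(k5forge_progname, code, "while encoding ticket");
+goto cleanup;
+}
+creds->ticket = *temp;
+free(temp);
+#endif
+/* return creds */
+*out_creds = creds;
+creds = 0;
+cleanup:
+if (deref_enc_data(&ticket_reply->enc_part))
+free(deref_enc_data(&ticket_reply->enc_part));
+krb5_free_keytab_entry_contents(context, entry);
+if (client_principal)
+krb5_free_principal(context, client_principal);
+if (service_principal)
+krb5_free_principal(context, service_principal);
+if (cc)
+krb5_cc_close(context, cc);
+if (kt)
+krb5_kt_close(context, kt);
+if (creds) krb5_free_creds(context, creds);
+krb5_free_keyblock_contents(context, session_key);
+out:
+return code;
+}
+int
+default_afs_rxk5_forge(krb5_context context,
+struct afsconf_dir *adir,
+char* service,
+krb5_creds* in_creds)
+{
+struct afsconf_dir x[1];
+int code;
+char *afs_keytab;
+krb5_creds *k5creds;
+char *confdir_name = adir->name;
+char *to_free = 0;
+int allowed_enctypes[] = {
+/* XXX needs work... */
+ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ENCTYPE_DES3_CBC_SHA1,
+#ifndef USING_HEIMDAL
+#define ENCTYPE_ARCFOUR_HMAC_MD5 ENCTYPE_ARCFOUR_HMAC
+#endif
+ENCTYPE_ARCFOUR_HMAC_MD5,
+ENCTYPE_DES_CBC_CRC, 0
+};
+if(!have_afs_rxk5_keytab(confdir_name)) {
+code = EDOM; /* XXX */
+goto out;
+}
+if (!service) {
+to_free = service = get_afs_krb5_localauth_svc_princ(adir);
+}
+afs_keytab = get_afs_rxk5_keytab(confdir_name);
+code = afs_rxk5_k5forge(context,
+afs_keytab,
+service,
+service,
+START_OF_TIME, END_OF_TIME,
+allowed_enctypes,
+0 /* paddress */,
+&k5creds /* out */);
+if (code) goto out;
+memcpy(in_creds, k5creds, sizeof(krb5_creds));
+free(k5creds);
+out:
+if (to_free) free(to_free);
+return code;
+}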

94
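--- a/src/auth/rxk5_utilafs.h
+++ b/src/auth/rxk5_utilafs.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2005, 2006
+ * The Linux Box Corporation
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of the Linux Box
+ * Corporation is not used in any advertising or publicity
+ * pertaining to the use or distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * Linux Box Corporation is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * This software is provided as is, without representation
+ * from the Linux Box Corporation as to its fitness for any
+ * purpose, and without warranty by the Linux Box Corporation
+ * of any kind, either express or implied, including
+ * without limitation the implied warranties of
+ * merchantability and fitness for a particular purpose. The
+ * regents of the Linux Box Corporation shall not be liable
+ * for any damages, including special, indirect, incidental, or
+ * consequential damages, with respect to any claim arising
+ * out of or in connection with the use of the software, even
+ * if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+#ifndef RXK5_UTILAFS_H
+#define RXK5_UTILAFS_H
+#ifdef USING_SSL
+#include "k5ssl.h"
+#else
+#if USING_SHISHI
+#include <shishi.h>
+#else
+#ifdef private
+#undef private
+#if HAVE_PARSE_UNITS_H
+#include "parse_units.h"
+#endif
+#endif
+#include <krb5.h>
+#endif
+#endif
+/* Format a full path to the AFS keytab, caller must free */
+char* get_afs_rxk5_keytab(char *confdir_name);
+/* Returns the default krb5 realm, or a realm specified with the -k option,
+if applicable, caller must free */
+char* get_afs_krb5_realm();
+/* Returns the AFS service principal for the chosen cell/realm (currently the default realm),
+the caller must free */
+char* get_afs_krb5_svc_princ(struct afsconf_cell *);
+/* Returns
+FORCE_RXK5|FORCE_RXKAD if AFS_RXK5_DEFAULT is not set,
+FORCE_RXK5 if AFS_RXK5_DEFAULT is 1 or UPPER('yes')
+FORCE_RXKAD otherwise
+*/
+int env_afs_rxk5_default();
+#if 0
+/* Forge a krb5 ticket from a keytab entry, return it in creds, which caller
+must free */
+int afs_rxk5_k5forge(krb5_context context,
+char* keytab,
+char* service,
+char* client,
+time_t starttime,
+time_t endtime,
+int *allowed_enctypes,
+int *paddress,
+krb5_creds** out_creds /* out */ );
+int default_afs_rxk5_forge( krb5_context context, struct afsconf_dir *adir,
+char* service, krb5_creds* in_creds );
+#endif
+int have_afs_rxk5_keytab(char *);
+char* get_afs_rxk5_keytab(char *);
+char* get_afs_krb5_svc_princ(struct afsconf_cell *);
+int env_afs_rxk5_default(void);
+int afs_rxk5_parse_name_k5(struct afsconf_dir *, const char *, char **, int);
+int afs_rxk5_split_name_instance(char *, char **, char **);
+int afs_rxk5_parse_name_realm(const char*, char**, char**);
+#endif /* RXK5_UTILAFS_H */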
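Review bot: The prototypes for afs_rxk5_k5forge and default_afs_rxk5_forge are disabled under `#if 0`, so callers get no argument checking: src/auth/test.c in this same commit calls afs_rxk5_k5forge with a different argument list (no starttime/endtime, an extra trailing argument) from the call in default_afs_rxk5_forge, and the compiler cannot flag it; enable the block (which also means the header needs `<time.h>` for `time_t`). The header also declares get_afs_rxk5_keytab and get_afs_krb5_svc_princ twice, and env_afs_rxk5_default once as `int env_afs_rxk5_default();` and once as `int env_afs_rxk5_default(void);`; keep only the `(void)` forms and drop the duplicates, and give get_afs_krb5_realm a `(void)` parameter list too. `struct afsconf_cell` and `struct afsconf_dir` appear in prototypes with no prior declaration, so the header only works when cellconfig.h is included first; add `struct afsconf_cell; struct afsconf_dir;` before the first use.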

200
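--- a/src/auth/rxkad_tkt.c
+++ b/src/auth/rxkad_tkt.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 2005, 2006
+ * The Linux Box Corporation
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of the Linux Box
+ * Corporation is not used in any advertising or publicity
+ * pertaining to the use or distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * Linux Box Corporation is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * This software is provided as is, without representation
+ * from the Linux Box Corporation as to its fitness for any
+ * purpose, and without warranty by the Linux Box Corporation
+ * of any kind, either express or implied, including
+ * without limitation the implied warranties of
+ * merchantability and fitness for a particular purpose. The
+ * regents of the Linux Box Corporation shall not be liable
+ * for any damages, including special, indirect, incidental, or
+ * consequential damages, with respect to any claim arising
+ * out of or in connection with the use of the software, even
+ * if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+#include <afsconfig.h>
+#if defined(KERNEL)
+# include "afs/param.h"
+# include "afs/sysincludes.h"
+# include "afsincludes.h"
+# include "afs_stats.h"
+#else /* !KERNEL */
+#define afs_osi_Alloc(n) malloc(n)
+#define afs_osi_Free(p,n) free(p)
+#define afs_strdup(p) strdup(p)
+# include <afs/afsutil.h>
+# include "cellconfig.h"
+# include "auth.p.h"
+# include <stdlib.h>
+# include <syslog.h>
+# include <stdarg.h>
+# include <string.h>
+# include <stdio.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <unistd.h>
+# include <errno.h>
+#endif /* !KERNEL */
+#include "rx/rx.h"
+#include "afs/afs_token.h"
+#ifndef KERNEL
+/*
+ * Format new-style afs_token using rxkad credentials,
+ * caller frees returned memory (of size bufsize).
+ */
+int make_afs_token_rxkad(
+char *cell,
+afs_int32 viceid,
+struct ktc_token *k_token,
+afs_int32 primary_flag,
+afs_token **a_token /* out */)
+{
+rxkad_token *kad_token;
+(*a_token) = (afs_token*) afs_osi_Alloc(sizeof(afs_token));
+memset((*a_token), 0, sizeof(afs_token)); /* skip? */
+(*a_token)->nextcellnumber = 0;
+(*a_token)->cell = afs_strdup(cell);
+(*a_token)->cu->cu_type = CU_KAD;
+kad_token = &((*a_token)->cu->cu_u.cu_kad);
+kad_token->primary_flag = primary_flag;
+kad_token->cell_name = afs_strdup(cell);
+kad_token->ticket.ticket_len = k_token->ticketLen;
+kad_token->ticket.ticket_val = afs_osi_Alloc(kad_token->ticket.ticket_len);
+memcpy(kad_token->ticket.ticket_val, k_token->ticket,
+kad_token->ticket.ticket_len);
+kad_token->token.kvno = k_token->kvno;
+memcpy(kad_token->token.m_key, &(k_token->sessionKey), 8);
+kad_token->token.viceid = viceid;
+kad_token->token.begintime = k_token->startTime;
+kad_token->token.endtime = k_token->endTime;
+return 0;
+}
+#else /* KERNEL */
+/*
+ * Format new-style afs_token using rxkad credentials
+ * as stored in the cache manager. Caller frees returned memory
+ * (of size bufsize).
+ */
+int make_afs_token_rxkad_k(
+char *cell,
+n_clear_token *pct,
+char* stp,
+afs_int32 stLen,
+afs_int32 primary_flag,
+afs_token **a_token /* out */)
+{
+rxkad_token *kad_token;
+(*a_token) = (afs_token*) afs_osi_Alloc(sizeof(afs_token));
+memset((*a_token), 0, sizeof(afs_token)); /* skip? */
+(*a_token)->nextcellnumber = 0;
+(*a_token)->cell = afs_strdup(cell);
+(*a_token)->cu->cu_type = CU_KAD;
+kad_token = &((*a_token)->cu->cu_u.cu_kad);
+kad_token->primary_flag = primary_flag;
+kad_token->cell_name = afs_strdup(cell);
+kad_token->ticket.ticket_len = stLen;
+kad_token->ticket.ticket_val = afs_osi_Alloc(kad_token->ticket.ticket_len);
+memcpy(kad_token->ticket.ticket_val, stp, kad_token->ticket.ticket_len);
+kad_token->token.kvno = pct->kvno;
+memcpy(kad_token->token.m_key, pct->m_key, 8);
+kad_token->token.viceid = pct->viceid;
+kad_token->token.begintime = pct->begintime ;
+kad_token->token.endtime = pct->endtime ;
+return 0;
+}
+#endif /* KERNEL */
+/* XXX need a better home for the following 3... */
+/*
+ * Convert afs_token to XDR-encoded token stream, which is returned
+ * in buf (at most of size bufsize). Caller must pass a sufficiently
+ * large buffer.
+ */
+int
+encode_afs_token(afs_token *a_token,
+void *buf /* in */,
+int *bufsize /* inout */)
+{
+XDR xdrs[1];
+int r = -1;
+/* XDR encode afs_token into xdr_buf */
+xdrmem_create(xdrs, buf, *bufsize, XDR_ENCODE);
+if (!xdr_afs_token(xdrs, a_token))
+goto Done;
+/* and return a copy from the free store one */
+*bufsize = xdr_getpos(xdrs);
+r = 0;
+Done:
+if (r) *bufsize = 0;
+return r;
+}
+/*
+ * Convert XDR-encoded token stream to an afs_token, which is returned
+ * in a_token. Caller must free.
+ */
+int
+parse_afs_token(void* token_buf,
+int token_size,
+afs_token **a_token)
+{
+XDR xdrs[1];
+*a_token = afs_osi_Alloc(sizeof(afs_token));
+if(!*a_token)
+return ENOMEM;
+memset(*a_token, 0, sizeof(afs_token)); /* not optional */
+/* XDR decode token_buf into a_token */
+xdrmem_create(xdrs, token_buf, token_size, XDR_DECODE);
+if (!xdr_afs_token(xdrs, *a_token)) {
+return -1;
+}
+return 0;
+}
+/*
+ * Free afs_token variant using XDR logic
+ */
+int
+free_afs_token(afs_token *a_token)
+{
+XDR xdrs[1];
+xdrs->x_op = XDR_FREE;
+if (!xdr_afs_token(xdrs, a_token)) {
+return 1;
+}
+return 0;
+}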
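Review bot: parse_afs_token leaks on the decode-failure path: when xdr_afs_token fails it returns -1 but leaves the afs_osi_Alloc'd struct, and whatever members the partial decode already allocated, behind, and the caller is handed a pointer to a half-filled token in *a_token with no safe way to clean it up. Release it before returning, e.g. `free_afs_token(*a_token); afs_osi_Free(*a_token, sizeof(afs_token)); *a_token = 0;` (free_afs_token is defined further down, so this needs its prototype from afs_token.h or a forward declaration). Relatedly, xdr_afs_token under XDR_FREE releases the members it allocated, not the struct handed to it, so free_afs_token leaves the afs_token itself allocated and a caller such as bos.c's `if (atoken) free_afs_token(atoken);` leaks one struct per token unless it also frees it; either free the struct in free_afs_token or say in its comment that the caller must. The two make_afs_token_* functions also dereference the results of afs_osi_Alloc and afs_strdup without a NULL check.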

53
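--- a/src/auth/t_name.c
+++ b/src/auth/t_name.c
@@ -0,0 +1,53 @@
+#include <afsconfig.h>
+#include <afs/afsutil.h>
+#include <auth/cellconfig.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+#include "rxk5_utilafs.h"
+krb5_context
+rxk5_get_context(krb5_context x)
+{
+int code;
+if (x) return x;
+code = krb5_init_context(&x);
+if (code) x = 0;
+return x;
+}
+main(int argc, char **argv)
+{
+struct afsconf_dir *tdir;
+char buffer[8192];
+krb5_context k5context;
+char *cp, *name;
+int code;
+tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH);
+if (!tdir) {
+fprintf (stderr,"Cannot open %s\n", AFSDIR_CLIENT_ETC_DIRPATH);
+exit(0);
+}
+while (fgets(buffer, sizeof buffer, stdin))
+{
+cp = strchr(buffer, '\n');
+if (cp) *cp = 0;
+code = afs_rxk5_parse_name_k5(tdir, buffer, &name, argc > 1);
+if (code) {
+printf ("error %d parsing <%s>\n", code, buffer);
+continue;
+}
+printf ("Parsed <%s> as <%s>\n", buffer, name);
+free(name);
+}
+k5context = rxk5_get_context(0);
+if (k5context) krb5_free_context(k5context);
+exit(0);
+}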
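Review bot: The failure path when afsconf_Open cannot open AFSDIR_CLIENT_ETC_DIRPATH calls `exit(0)` right after printing "Cannot open", so a run with no cell configuration reports success to whatever drives this test; it should be `exit(1);`. `main` is declared with no return type, and rxk5_get_context discards the krb5_init_context error code so a failed context creation is only visible as a NULL return; use `int main(int argc, char **argv)` and consider printing `code` in rxk5_get_context before returning 0. The `argc > 1` passed as the last argument to afs_rxk5_parse_name_k5 deserves a one-line comment saying which flag it selects, since the header does not name that parameter.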

103
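--- a/src/auth/t_tkt.c
+++ b/src/auth/t_tkt.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2005, 2006
+ * The Linux Box Corporation
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of the Linux Box
+ * Corporation is not used in any advertising or publicity
+ * pertaining to the use or distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * Linux Box Corporation is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * This software is provided as is, without representation
+ * from the Linux Box Corporation as to its fitness for any
+ * purpose, and without warranty by the Linux Box Corporation
+ * of any kind, either express or implied, including
+ * without limitation the implied warranties of
+ * merchantability and fitness for a particular purpose. The
+ * regents of the Linux Box Corporation shall not be liable
+ * for any damages, including special, indirect, incidental, or
+ * consequential damages, with respect to any claim arising
+ * out of or in connection with the use of the software, even
+ * if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "k5s_tkt.h"
+int main(int argc, char **argv)
+{
+int code;
+krb5_creds* creds;
+krb5_context ctxt;
+char* princ, *inst;
+char* realm;
+int clen;
+int fd;
+struct stat st;
+FILE *credfile;
+void *credsbuf;
+printf("Starting Up\n");
+code = krb5_init_context(&ctxt);
+clen = 0;
+fd = open("creds.out", O_RDONLY);
+if(fd == -1) {
+printf("Can't open creds file\n");
+goto out;
+}
+credfile = fdopen(fd, "r");
+if(!credfile) {
+printf("Problem converting fd to FILE*\n");
+goto out;
+}
+code = fstat(fd, &st);
+if(code == -1) {
+printf("Can't stat creds.out\n");
+goto out;
+}
+credsbuf = malloc(st.st_size * sizeof(char));
+code = fread(credsbuf, 1, st.st_size, credfile);
+if(code != st.st_size) {
+printf("Failed reading %d bytes from creds.out\n", st.st_size);
+}
+creds = parse_afs_krb5_creds_buf(ctxt, credsbuf);
+free(credsbuf);
+princ = osi_Alloc((creds->client->data[0].length + 1)* sizeof(char));
+memcpy(princ, creds->client->data[0].data, creds->client->data[0].length);
+princ[creds->client->data[0].length] = 0;
+inst = osi_Alloc((creds->client->data[1].length + 1)* sizeof(char));
+memcpy(inst, creds->client->data[1].data, creds->client->data[1].length);
+inst[creds->client->data[1].length] = 0;
+realm = osi_Alloc((creds->client->realm.length + 1) * sizeof(char));
+memcpy(realm, creds->client->realm.data, creds->client->realm.length);
+realm[creds->client->realm.length] = 0;
+afs_warn("PSetK5tokens sees (princ, (inst), realm): %s (%s) %s\n", princ, inst, realm);
+osi_Free(princ, creds->client->data[0].length + 1);
+osi_Free(inst, creds->client->data[1].length + 1);
+osi_Free(realm, creds->client->realm.length + 1);
+krb5_free_creds(ctxt, creds);
+out:
+return 0;
+}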
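Review bot: The creds.out parse has no bounds: a short fread is only reported at `if(code != st.st_size)` and execution continues, `parse_afs_krb5_creds_buf(ctxt, credsbuf)` is given no length so a truncated or malformed file is presumably decoded past the end of credsbuf, and `creds` is dereferenced with no NULL check. Make the short read fatal (`if (code != st.st_size) { free(credsbuf); goto out; }`), check `creds` before use, and, because `creds->client->data[1]` is read unconditionally, only build `inst` when the principal has at least two components (`creds->client->length >= 2` with the MIT krb5 layout this file already assumes through `realm.data`). The malloc result and the krb5_init_context return code are also unchecked, `%d` is used to print an off_t, and neither credfile nor ctxt is released before returning.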

126
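--- a/src/auth/t_unit.c
+++ b/src/auth/t_unit.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2005, 2006
+ * The Linux Box Corporation
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of the Linux Box
+ * Corporation is not used in any advertising or publicity
+ * pertaining to the use or distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * Linux Box Corporation is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * This software is provided as is, without representation
+ * from the Linux Box Corporation as to its fitness for any
+ * purpose, and without warranty by the Linux Box Corporation
+ * of any kind, either express or implied, including
+ * without limitation the implied warranties of
+ * merchantability and fitness for a particular purpose. The
+ * regents of the Linux Box Corporation shall not be liable
+ * for any damages, including special, indirect, incidental, or
+ * consequential damages, with respect to any claim arising
+ * out of or in connection with the use of the software, even
+ * if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "afs_token.h"
+#include "rxk5_tkt.c"
+#define afs_osi_Alloc(n) malloc(n)
+#define afs_osi_Free(p,n) free(p)
+#define afs_strdup(p) strdup(p)
+void pp(rxk5_principal *p) {
+int ix;
+for(ix = 0; ix < p->name.name_len; ++ix) {
+printf("%s\n", p->name.name_val[ix]);
+}
+}
+void t_parse_rxk5_princ()
+{
+int code;
+char *b_rapper;
+rxk5_principal k5_rapper;
+b_rapper = afs_strdup("its/vanilla/with/a/nine@ICE.COM");
+parse_rxk5_princ(b_rapper, &k5_rapper);
+pp(&k5_rapper);
+free_rxk5_princ(&k5_rapper);
+free(b_rapper);
+b_rapper = afs_strdup("@LINUXBOX.COM");
+parse_rxk5_princ(b_rapper, &k5_rapper);
+pp(&k5_rapper);
+free_rxk5_princ(&k5_rapper);
+free(b_rapper);
+b_rapper = afs_strdup("matt");
+parse_rxk5_princ(b_rapper, &k5_rapper);
+pp(&k5_rapper);
+free_rxk5_princ(&k5_rapper);
+free(b_rapper);
+}
+void t_afs_token()
+{
+/* If user has a credential cached, use it as input to test token
+logic */
+int code;
+krb5_creds *k5_creds = 0, in_creds[1];
+krb5_context k5context = 0;
+krb5_ccache cc = 0;
+char *afs_k5_princ = 0;
+afs_k5_princ = afs_strdup("afs-k5/monkius.com@MONKIUS.COM");
+code = krb5_init_context(&k5context);
+if(code) goto Failed;
+/* use cached credentials, if any */
+code = krb5_cc_default(k5context, &cc);
+if (code) goto Failed;
+code = krb5_cc_get_principal(k5context, cc, &in_creds->client);
+if (code) goto Failed;
+code = krb5_parse_name(k5context, afs_k5_princ, &in_creds->server);
+if (code) goto Failed;
+/* 0 is cc flags */
+code = krb5_get_credentials(k5context, 0, cc, in_creds, &k5_creds);
+if (code) goto Failed;
+/* fails with bad enctype, but AFS linked binaries don't */
+printf("Ready to make token\n");
+Failed:
+printf("Code: %d\n", code);
+free(afs_k5_princ);
+return;
+}
+int main(int argc, char **argv)
+{
+t_parse_rxk5_princ();
+t_afs_token();
+out:
+return 0;
+}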
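Review bot: t_parse_rxk5_princ ignores the return value of parse_rxk5_princ and then prints and frees k5_rapper unconditionally, so if a parse fails (the `@LINUXBOX.COM` and `matt` inputs look like exactly the edge cases under test) pp and free_rxk5_princ run on an uninitialised struct; guard each case with `if (parse_rxk5_princ(b_rapper, &k5_rapper) == 0) { pp(&k5_rapper); free_rxk5_princ(&k5_rapper); }` and report the code otherwise, since `code` is declared but never assigned. In t_afs_token, in_creds is never zeroed and nothing between `Failed:` and `return` releases cc, k5_creds, in_creds->client, in_creds->server or k5context, so every krb5 object obtained before a failing step leaks; free them in reverse order as bos.c's GetConn does in this commit. The unused `out:` label in main and the unused `code` in t_parse_rxk5_princ will draw compiler warnings.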

80
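--- a/src/auth/test.c
+++ b/src/auth/test.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2005, 2006
+ * The Linux Box Corporation
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of the Linux Box
+ * Corporation is not used in any advertising or publicity
+ * pertaining to the use or distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * Linux Box Corporation is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * This software is provided as is, without representation
+ * from the Linux Box Corporation as to its fitness for any
+ * purpose, and without warranty by the Linux Box Corporation
+ * of any kind, either express or implied, including
+ * without limitation the implied warranties of
+ * merchantability and fitness for a particular purpose. The
+ * regents of the Linux Box Corporation shall not be liable
+ * for any damages, including special, indirect, incidental, or
+ * consequential damages, with respect to any claim arising
+ * out of or in connection with the use of the software, even
+ * if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+#include "rxk5_utilafs.h"
+int main(int argc, char **argv)
+{
+int code;
+char keytab[512];
+krb5_context k5context;
+krb5_creds *k5creds;
+struct stat st;
+int stop_here;
+int allowed_enctypes[6] = {
+ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ENCTYPE_DES3_CBC_SHA1,
+ENCTYPE_ARCFOUR_HMAC_MD5,
+ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ENCTYPE_DES_CBC_CRC };
+memset(keytab, 0, 512);
+strcpy(keytab, "/usr/local/etc/openafs/server/afs.keytab");
+code = stat(keytab, &st);
+if((code != 0) || (!S_ISREG(st.st_mode))) {
+printf("Can't stat keytab %s\n", keytab);
+exit(1);
+}
+code = krb5_init_context(&k5context);
+if(code) {
+printf("Error krb5_init_context\n");
+exit(2);
+}
+code = afs_rxk5_k5forge(k5context, keytab, "afs-k5@MONKIUS.COM",
+"afs-k5@MONKIUS.COM",
+allowed_enctypes, 0 /* paddress */,
+&k5creds /* out */,
+1 /* stash creds, please */);
+return 0;
+}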
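Review bot: The afs_rxk5_k5forge call does not match how default_afs_rxk5_forge in rxk5_utilafs.c invokes the same function: it omits the starttime/endtime arguments and appends a trailing `1 /* stash creds, please */`, and because the prototype in rxk5_utilafs.h is under `#if 0` this compiles with the arguments misaligned. allowed_enctypes is also declared with exactly six entries and no terminating 0, whereas default_afs_rxk5_forge ends its list with `0`; if the callee scans for that terminator it reads past the array. Declare it `int allowed_enctypes[] = { ..., ENCTYPE_DES_CBC_CRC, 0 };`, pass the same nine arguments default_afs_rxk5_forge does, and check `code` (it is currently ignored, so the program exits 0 even when forging fails) before freeing k5creds and the context. The keytab path is hard-coded and the `stop_here` variable is unused.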


@ -43,6 +43,10 @@ RCSID
#include "auth.h"
#include "cellconfig.h"
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include "rxk5_utilafs.h"
#endif
#include "keys.h"
#include "afs/audit.h"
@ -50,10 +54,10 @@ afs_int32 afsconf_SuperUser();
#if !defined(UKERNEL)
int
afsconf_CheckAuth(adir, acall)
register struct rx_call *acall;
register struct afsconf_dir *adir;
afsconf_CheckAuth(void *rock,
struct rx_call *acall)
{
register struct afsconf_dir *adir = rock;
LOCK_GLOBAL_MUTEX;
return ((afsconf_SuperUser(adir, acall, NULL) == 0) ? 10029 : 0);
UNLOCK_GLOBAL_MUTEX;
@ -368,6 +372,7 @@ afsconf_SuperUser(adir, acall, namep)
register struct rx_connection *tconn;
register afs_int32 code;
int flag;
static char LocalAuth[] = "<LocalAuth>";
LOCK_GLOBAL_MUTEX;
if (!adir) {
@ -422,6 +427,7 @@ afsconf_SuperUser(adir, acall, namep)
#else
if (exp < FT_ApproxTime()) {
#endif
/* } */
UNLOCK_GLOBAL_MUTEX;
return 0; /* expired tix */
}
@ -484,7 +490,7 @@ afsconf_SuperUser(adir, acall, namep)
/* localauth special case */
if (strlen(tinst) == 0 && strlen(tcell) == 0
&& !strcmp(tname, AUTH_SUPERUSER)) {
strcpy(uname, "<LocalAuth>");
strcpy(uname, LocalAuth);
flag = 1;
/* cell of connection matches local cell or one of the realms */
@ -523,7 +529,46 @@ afsconf_SuperUser(adir, acall, namep)
strcpy(namep, uname);
UNLOCK_GLOBAL_MUTEX;
return flag;
} else { /* some other auth type */
} /* code==2 */
#ifdef AFS_RXK5
else if(code == 5) {
char *client, *server;
int lvl, expires, kvno, enctype;
char *avname = 0;
flag = 0;
if (code = rxk5_GetServerInfo2(acall->conn, &lvl,
&expires,
&client, &server, &kvno,
&enctype)) {
goto done;
} else {
code = afs_rxk5_parse_name_k5(adir, client, &avname, 0);
if(code)
goto done;
if (!strcmp(client, server)) {
/* localauth */
free(avname);
avname = LocalAuth;
flag = 1;
} else {
/* listed user */
if(FindUser(adir, avname)) {
flag = 1;
}
}
}
done:
if (namep)
strcpy(namep, avname);
if (avname && avname != LocalAuth)
free(avname);
UNLOCK_GLOBAL_MUTEX;
return flag;
}
#endif
else { /* some other auth type */
UNLOCK_GLOBAL_MUTEX;
return 0; /* mysterious, just say no */
}
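Review bot: In the new `code == 5` branch of afsconf_SuperUser, the `done:` path executes `if (namep) strcpy(namep, avname);` with avname still 0 whenever rxk5_GetServerInfo2 or afs_rxk5_parse_name_k5 fails, so a rejected rxk5 caller crashes the server instead of receiving flag 0; use `if (namep) strcpy(namep, avname ? avname : "");` or skip the copy when avname is NULL. The rxkad path copies a name assembled from fixed-size ktc fields, but avname here is derived from the client principal presented on the wire and namep is a fixed buffer at callers (e.g. `char caller[MAXKTCNAMELEN]` in bosoprocs.c), so unless afs_rxk5_parse_name_k5 bounds its output the copy should be limited to MAXKTCNAMELEN with explicit NUL termination, or over-long names rejected. The `client` and `server` strings returned by rxk5_GetServerInfo2 are never released in this branch; if they are heap-allocated that is a per-call leak. afsconf_SuperUser begins before this hunk.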


@ -8,6 +8,12 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
CFLAGS=$(COMMON_CFLAGS) $(KRB5CFLAGS) $(XCFLAGS)
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
KRB5LIBS=@KRB5LIBS@
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
RPCINCLS=${TOP_INCDIR}/lwp.h ${TOP_INCDIR}/rx/rx.h bosint.h
INCLS=bnode.h \
@ -28,14 +34,15 @@ LIBS=${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/libauth.a \
${TOP_LIBDIR}/librxstat.a \
${TOP_LIBDIR}/librxkad.a \
${RXK5} \
${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/libubik.a \
${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/libcom_err.a \
${TOP_LIBDIR}/util.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libprocmgmt.a
OBJS=bosserver.o bnode.o ezbnodeops.o fsbnodeops.o bosint.ss.o bosint.xdr.o \
bosoprocs.o cronbnodeops.o
@ -78,12 +85,13 @@ bosoprocs.o: bosoprocs.c ${INCLS}
bos.o: bos.c ${INCLS} AFS_component_version_number.o
bos: bos.o $(LIBS) libbos.a
${CC} ${CFLAGS} -o bos bos.o libbos.a $(LIBS) ${XLIBS}
${CC} ${CFLAGS} -o bos bos.o libbos.a $(LIBS) \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
bos_util.o: bos_util.c ${INCLS} AFS_component_version_number.o
bos_util: bos_util.o $(LIBS)
${CC} ${CFLAGS} -o bos_util bos_util.o $(LIBS) ${XLIBS}
${CC} ${CFLAGS} -o bos_util bos_util.o $(LIBS) $(LIBCOM_ERR) ${XLIBS}
ezbnodeops.o: ezbnodeops.c ${INCLS}
@ -95,7 +103,13 @@ libbos.a: bosint.xdr.o bosint.cs.o boserr.o AFS_component_version_number.o
$(RANLIB) $@
bosserver: $(OBJS) $(LIBS)
${CC} $(CFLAGS) -o bosserver $(OBJS) ${TOP_LIBDIR}/libaudit.a $(LIBS) ${XLIBS}
${CC} $(CFLAGS) -o bosserver $(OBJS) ${TOP_LIBDIR}/libaudit.a \
$(LIBS) ${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
depinstall: \
boserr.c \
${TOP_INCDIR}/afs/bnode.h ${TOP_INCDIR}/afs/bosint.h \
bosint.xdr.c bosint.cs.c
#
# Install targets
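Review bot: The bos_util link line is the only one not given `${KRB5LIBS}`: bos and bosserver now link `$(LIBS) ${KRB5LIBS} $(LIBCOM_ERR)`, but bos_util links `$(LIBS) $(LIBCOM_ERR)` even though LIBS now contains `${RXK5}`, so with rxk5 enabled any object pulled from librxk5.a (or from libauth.a's cellconfig.o, which now calls rxk5_GetServerInfo2) that references krb5 symbols will fail to resolve. Make it `${CC} ${CFLAGS} -o bos_util bos_util.o $(LIBS) ${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}`. LIBCOM_ERR repeats the `${TOP_LIBDIR}/libcom_err.a` already in LIBS, which is harmless for a static archive, but a comment such as `# libcom_err.a is listed again after KRB5LIBS because the krb5 libraries reference it` would explain the ordering to the next maintainer.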


@ -1,7 +1,7 @@
/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
*
*
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
@ -40,6 +40,11 @@ RCSID
#include <rx/xdr.h>
#include <afs/auth.h>
#include <rx/rxkad.h>
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include "rxk5_utilafs.h"
#endif
#include "afs_token.h"
#include <afs/cellconfig.h>
#include <stdio.h>
#include <afs/cmd.h>
@ -78,13 +83,6 @@ struct MRAFSSalvageParms {
afs_uint32 OptResidencies;
};
/* dummy routine for the audit work. It should do nothing since audits */
/* occur at the server level and bos is not a server. */
osi_audit()
{
return 0;
}
/* keep those lines small */
static char *
em(acode)
@ -158,8 +156,6 @@ DateOf(atime)
}
/* global stuff from main for communicating with GetConn */
static struct rx_securityClass *sc[3];
static int scIndex;
/* use the syntax descr to get a connection, authenticated appropriately.
* aencrypt is set if we want to encrypt the data on the wire.
@ -176,10 +172,18 @@ GetConn(as, aencrypt)
afs_int32 addr;
register struct afsconf_dir *tdir;
int encryptLevel;
struct ktc_principal sname;
struct ktc_token ttoken;
int localauth;
int force_flags, localauth;
const char *confdir;
struct afsconf_cell info;
int say_noauth = 0;
#ifdef AFS_RXK5
krb5_creds *k5_creds = 0, in_creds[1];
krb5_context k5context = 0;
krb5_ccache cc = 0;
char *afs_k5_princ = 0;
#endif
struct rx_securityClass *sc;
int scIndex;
hostname = as->parms[0].items->data;
th = hostutil_GetHostByName(hostname);
@ -191,11 +195,24 @@ GetConn(as, aencrypt)
/* get tokens for making authenticated connections */
localauth = (as->parms[ADDPARMOFFSET + 2].items != 0);
force_flags = (FORCE_SECURE & -(!!aencrypt));
#ifdef AFS_RXK5
memset(in_creds, 0, sizeof *in_creds);
/* -k5 */
force_flags |= (FORCE_RXK5 & -(as->parms[ADDPARMOFFSET + 3].items != 0));
/* -k4 */
force_flags |= (FORCE_RXKAD & -(as->parms[ADDPARMOFFSET + 4].items != 0));
if (!(force_flags & (FORCE_RXKAD|FORCE_RXK5)))
force_flags |= env_afs_rxk5_default();
#endif
confdir =
(localauth ? AFSDIR_SERVER_ETC_DIRPATH : AFSDIR_CLIENT_ETC_DIRPATH);
tdir = afsconf_Open(confdir);
if (tdir) {
struct afsconf_cell info;
if (!tdir) {
printf("bos: can't open cell database (%s)\n", confdir);
exit(1);
}
{
char *tname;
if (as->parms[ADDPARMOFFSET].items)
@ -206,76 +223,141 @@ GetConn(as, aencrypt)
* local cell */
code = afsconf_GetCellInfo(tdir, tname, NULL, &info);
if (code) {
com_err("bos", code, "(can't find cell '%s' in cell database)",
(tname ? tname : "<default>"));
com_err("bos", code, "(can't find cell '%s' in cell database '%s')",
(tname ? tname : "<default>"), confdir);
exit(1);
} else
strcpy(sname.cell, info.name);
} else {
printf("bos: can't open cell database (%s)\n", confdir);
exit(1);
}
}
sname.instance[0] = 0;
strcpy(sname.name, "afs");
sc[0] = rxnull_NewClientSecurityObject();
sc[1] = 0;
sc[2] = 0;
scIndex = 0;
sc = 0;
scIndex = 1;
if (as->parms[ADDPARMOFFSET + 1].items) { /* not -noauth */
scIndex = 0;
} else if (localauth) { /* -localauth */
code = afsconf_ClientAuthEx(tdir, &sc, &scIndex, force_flags);
if (code)
com_err("bos", code, "(calling ClientAuth)");
say_noauth = !scIndex;
#ifdef AFS_RXK5
} else if (force_flags & FORCE_RXK5) {
/* Because rxgk has claimed indexes 3 and 4, the next available index
for rxk5 is 5 */
char *what;
if (!as->parms[ADDPARMOFFSET + 1].items) { /* not -noauth */
if (as->parms[ADDPARMOFFSET + 2].items) { /* -localauth */
code = afsconf_GetLatestKey(tdir, 0, 0);
if (code)
com_err("bos", code, "(getting key from local KeyFile)");
else {
if (aencrypt)
code = afsconf_ClientAuthSecure(tdir, &sc[2], &scIndex);
else
code = afsconf_ClientAuth(tdir, &sc[2], &scIndex);
if (code)
com_err("bos", code, "(calling ClientAuth)");
else if (scIndex != 2) /* this shouldn't happen */
sc[scIndex] = sc[2];
scIndex = 5;
code = ENOMEM;
what = "get_afs_krb5_svc_princ";
afs_k5_princ = get_afs_krb5_svc_princ(&info);
if (!afs_k5_princ) goto Failed;
what = "krb5_init_context";
code = krb5_init_context(&k5context);
if(code) goto Failed;
/* use cached credentials, if any */
what = "krb5_cc_default";
code = krb5_cc_default(k5context, &cc);
if (code) goto Failed;
what = "krb5_cc_get_principal";
code = krb5_cc_get_principal(k5context, cc, &in_creds->client);
if (code) goto Failed;
what = "krb5_parse_name";
code = krb5_parse_name(k5context, afs_k5_princ, &in_creds->server);
if (code) goto Failed;
what = "krb5_get_credentials";
/* 0 is cc flags */
code = krb5_get_credentials(k5context, 0, cc, in_creds, &k5_creds);
if (code) goto Failed;
sc = rxk5_NewClientSecurityObject(rxk5_auth + !!aencrypt,
k5_creds, 0);
Failed:
if(code) {
if (afs_k5_princ)
com_err("bos", code, "in %s for %s", what, afs_k5_princ);
else
com_err("bos", code, "in %s", what);
}
#endif
} else { /* not -localauth, check for tickets */
struct ktc_token ttoken;
struct afs_token *atoken = 0;
code = ktc_GetTokenEx(0, info.name, &atoken);
if (code) {
com_err("bos", code, "(getting tickets)");
#ifdef AFS_RXK5
} else if (atoken->cu->cu_type == CU_K5) {
scIndex = 5;
code = afstoken_to_v5cred(atoken, in_creds);
if (!code)
sc = rxk5_NewClientSecurityObject(rxk5_auth, in_creds, 0);
#endif
} else if (atoken->cu->cu_type == CU_KAD) {
scIndex = 2;
code = afstoken_to_token(atoken, &ttoken, sizeof ttoken);
if (code) goto SkipSc;
/* have tickets, will travel */
if (ttoken.kvno < 0 && ttoken.kvno > 256) {
/* formerly vab */
fprintf(stderr,
"bos: funny kvno (%d) in ticket, proceeding\n",
ttoken.kvno);
}
} else { /* not -localauth, check for tickets */
code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
if (code == 0) {
/* have tickets, will travel */
if (ttoken.kvno >= 0 && ttoken.kvno <= 256);
else {
fprintf(stderr,
"bos: funny kvno (%d) in ticket, proceeding\n",
ttoken.kvno);
}
/* kerberos tix */
if (aencrypt)
encryptLevel = rxkad_crypt;
else
encryptLevel = rxkad_clear;
sc[2] = (struct rx_securityClass *)
rxkad_NewClientSecurityObject(encryptLevel,
&ttoken.sessionKey,
ttoken.kvno,
ttoken.ticketLen,
ttoken.ticket);
scIndex = 2;
} else
com_err("bos", code, "(getting tickets)");
}
if ((scIndex == 0) || (sc[scIndex] == 0)) {
fprintf(stderr, "bos: running unauthenticated\n");
scIndex = 0;
/* kerberos tix */
if (aencrypt)
encryptLevel = rxkad_crypt;
else
encryptLevel = rxkad_clear;
sc = rxkad_NewClientSecurityObject(encryptLevel,
&ttoken.sessionKey,
ttoken.kvno,
ttoken.ticketLen,
ttoken.ticket);
say_noauth = !scIndex;
} else {
fprintf(stderr,
"bos: unknown token type %d\n",
atoken->cu->cu_type);
}
SkipSc:
if (atoken) free_afs_token(atoken);
}
if (!sc) {
say_noauth = !!scIndex;
scIndex = 0;
sc = rxnull_NewClientSecurityObject();
}
afsconf_Close(tdir);
if (say_noauth)
fprintf(stderr, "bos: running unauthenticated\n");
tconn =
rx_NewConnection(addr, htons(AFSCONF_NANNYPORT), 1, sc[scIndex],
rx_NewConnection(addr, htons(AFSCONF_NANNYPORT), 1, sc,
scIndex);
if (!tconn) {
fprintf(stderr, "bos: could not create rx connection\n");
exit(1);
}
rxs_Release(sc[scIndex]);
rxs_Release(sc);
#ifdef AFS_RXK5
if (afs_k5_princ) free(afs_k5_princ);
if (k5context) {
if (cc)
krb5_cc_close(k5context, cc);
if (k5_creds)
krb5_free_creds(k5context, k5_creds);
krb5_free_principal(k5context, in_creds->client);
krb5_free_principal(k5context, in_creds->server);
krb5_free_context(k5context);
}
#endif
return tconn;
}
@ -1227,9 +1309,9 @@ StopServer(as)
#define PARMBUFFERSSIZE 32
static afs_int32
DoSalvage(struct rx_connection * aconn, char * aparm1, char * aparm2,
char * aoutName, afs_int32 showlog, char * parallel,
char * atmpDir, char * orphans, int dafs,
DoSalvage(struct rx_connection * aconn, char * aparm1, char * aparm2,
char * aoutName, afs_int32 showlog, char * parallel,
char * atmpDir, char * orphans, int dafs,
struct MRAFSSalvageParms * mrafsParm)
{
register afs_int32 code;
@ -1329,7 +1411,7 @@ DoSalvage(struct rx_connection * aconn, char * aparm1, char * aparm2,
/* For DAFS, specifying a single volume does not result in a standard
* salvager call. Instead, it simply results in a SALVSYNC call to the
* online salvager daemon. This interface does not give us the same rich
* set of call flags. Thus, we skip these steps for DAFS single-volume
* set of call flags. Thus, we skip these steps for DAFS single-volume
* calls */
if (!dafs || (*aparm2 == 0)) {
/* add the parallel option if given */
@ -1958,7 +2040,13 @@ add_std_args(ts)
/* + 1 */ cmd_AddParm(ts, "-noauth", CMD_FLAG, CMD_OPTIONAL,
"don't authenticate");
/* + 2 */ cmd_AddParm(ts, "-localauth", CMD_FLAG, CMD_OPTIONAL,
"create tickets from KeyFile");
"create tickets from KeyFile or keytab");
#ifdef AFS_RXK5
/* + 3 */ cmd_AddParm(ts, "-k5", CMD_FLAG, CMD_OPTIONAL,
"use rxk5 security");
/* + 4 */ cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL,
"use rxkad security");
#endif
}
#include "AFS_component_version_number.c"
@ -1973,8 +2061,8 @@ main(argc, argv)
#ifdef AFS_AIX32_ENV
/*
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
@ -2007,6 +2095,10 @@ main(argc, argv)
* system */
initialize_CMD_error_table();
initialize_BZ_error_table();
#ifdef AFS_RXK5
initialize_RXK5_error_table();
#endif
initialize_rx_error_table();
ts = cmd_CreateSyntax("start", StartServer, 0, "start running a server");
cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name");
@ -640,6 +640,11 @@ SBOZO_ListKeys(acall, an, akvno, akey, akeyinfo)
char caller[MAXKTCNAMELEN];
rxkad_level enc_level = rxkad_clear;
if(rx_SecurityClassOf(rx_ConnectionOf(acall)) > 2 /* not rxkad */) {
code = BZACCESS;
goto fail;
}
if (!afsconf_SuperUser(bozo_confdir, acall, caller)) {
code = BZACCESS;
goto fail;
@ -694,6 +699,11 @@ SBOZO_AddKey(acall, an, akey)
rxkad_level enc_level = rxkad_clear;
int noauth;
if(rx_SecurityClassOf(rx_ConnectionOf(acall)) > 2 /* not rxkad */) {
code = BZACCESS;
goto fail;
}
if (!afsconf_SuperUser(bozo_confdir, acall, caller)) {
code = BZACCESS;
goto fail;

@ -35,6 +35,10 @@ RCSID
#include <rx/rx.h>
#include <rx/xdr.h>
#include <rx/rx_globals.h>
#ifdef AFS_RXK5
#include "rxk5.h"
#include "rxk5errors.h"
#endif
#include "bosint.h"
#include "bnode.h"
#include <afs/auth.h>
@ -57,7 +61,12 @@ void bozo_Log();
struct afsconf_dir *bozo_confdir = 0; /* bozo configuration dir */
static char *bozo_pid;
struct rx_securityClass *bozo_rxsc[3];
#ifdef AFS_RXK5
#define RXSC_LEN 6
#else
#define RXSC_LEN 3
#endif
struct rx_securityClass *bozo_rxsc[RXSC_LEN];
const char *bozo_fileName;
FILE *bozo_logFile;
@ -720,7 +729,6 @@ main(int argc, char **argv, char **envp)
register afs_int32 code;
struct afsconf_dir *tdir;
int noAuth = 0;
struct ktc_encryptionKey tkey;
int i;
char namebuf[AFSDIR_PATH_MAX];
int rxMaxMTU = -1;
@ -1016,7 +1024,6 @@ main(int argc, char **argv, char **envp)
/* opened the cell databse */
bozo_confdir = tdir;
code = afsconf_GetKey(tdir, 999, &tkey);
/* allow super users to manage RX statistics */
rx_SetRxStatUserOk(bozo_rxstat_userok);
@ -1027,9 +1034,24 @@ main(int argc, char **argv, char **envp)
bozo_rxsc[0] = rxnull_NewServerSecurityObject();
bozo_rxsc[1] = (struct rx_securityClass *)0;
#ifdef AFS_RXK5
if (have_afs_keyfile(tdir))
#endif
bozo_rxsc[2] =
rxkad_NewServerSecurityObject(0, tdir, afsconf_GetKey, NULL);
#ifdef AFS_RXK5
/* rxk5 */
if(have_afs_rxk5_keytab(tdir->name)) {
bozo_rxsc[5] = rxk5_NewServerSecurityObject(rxk5_auth,
get_afs_rxk5_keytab(tdir->name),
rxk5_default_get_key,
0,
0);
/* rxk5 now owns the keytab filename memory */
}
#endif
/* Disable jumbograms */
rx_SetNoJumbo();
@ -1060,14 +1082,15 @@ main(int argc, char **argv, char **envp)
/*service name */ "bozo",
/* security classes */
bozo_rxsc,
/* numb sec classes */ 3, BOZO_ExecuteRequest);
RXSC_LEN,
BOZO_ExecuteRequest);
rx_SetMinProcs(tservice, 2);
rx_SetMaxProcs(tservice, 4);
rx_SetStackSize(tservice, BOZO_LWP_STACKSIZE); /* so gethostbyname works (in cell stuff) */
tservice =
rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", bozo_rxsc,
3, RXSTATS_ExecuteRequest);
RXSC_LEN, RXSTATS_ExecuteRequest);
rx_SetMinProcs(tservice, 2);
rx_SetMaxProcs(tservice, 4);
rx_StartServer(1); /* donate this process */
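Review bot: Under AFS_RXK5 the rxkad object in `bozo_rxsc[2]` is now created only when `have_afs_keyfile(tdir)` is true and the rxk5 one only when a keytab exists, but neither result is checked and nothing is logged when both are missing, so a bosserver with no KeyFile and no keytab comes up with rxnull as its only class and every authenticated request fails with no hint in BosLog. A NULL from rxk5_NewServerSecurityObject (or from rxkad_NewServerSecurityObject) is likewise handed to rx_NewServiceHost silently. Log both conditions through the bozo_Log already declared in this file; main continues outside the hunk.
```c
#ifdef AFS_RXK5
    /* rxk5 */
    if (have_afs_rxk5_keytab(tdir->name)) {
        bozo_rxsc[5] = rxk5_NewServerSecurityObject(rxk5_auth,
                                                    get_afs_rxk5_keytab(tdir->name),
                                                    rxk5_default_get_key, 0, 0);
        /* rxk5 now owns the keytab filename memory */
        if (!bozo_rxsc[5])
            bozo_Log("bosserver: failed to create rxk5 security object\n");
    }
    if (!bozo_rxsc[2] && !bozo_rxsc[5])
        bozo_Log("bosserver: no KeyFile and no rxk5 keytab; only unauthenticated connections are possible\n");
#endif
```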

@ -80,6 +80,7 @@
#define RX_SCINDEX_NULL 0 /* No security */
#define RX_SCINDEX_VAB 1 /* vice tokens, with bcrypt */
#define RX_SCINDEX_KAD 2 /* Kerberos/DES */
#define RX_SCINDEX_K5 5 /* Kerberos5 */
/* maximums for various text strings
* DON'T alter these values until all disk/tape structures can be handled
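Review bot: The new RX_SCINDEX_K5 jumps from 2 to 5 with no explanation at the definition; the reason (3 and 4 are claimed by rxgk) appears only in a comment inside udbClientInit in bucoord, which is not where a reader of this table will look. Say it here: `#define RX_SCINDEX_K5 5 /* Kerberos5; 3 and 4 are reserved for rxgk */`. The servers in this commit also each hard-code the matching array length as a literal 6 (RXSC_LEN in bosserver, MAX_SC_LEN in budb_server); deriving it from this header, e.g. `#define RX_SCINDEX_COUNT (RX_SCINDEX_K5 + 1)`, would keep them from drifting when the next index is added.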

@ -8,15 +8,21 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
CFLAGS=$(COMMON_CFLAGS) $(KRB5CFLAGS) $(XCFLAGS)
KRB5LIBS=@KRB5LIBS@
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
LIBS=${TOP_LIBDIR}/libbudb.a ${TOP_LIBDIR}/libbubasics.a \
${TOP_LIBDIR}/libbutm.a ${TOP_LIBDIR}/libvolser.a \
${TOP_LIBDIR}/libvldb.a ${TOP_LIBDIR}/vlib.a \
${TOP_LIBDIR}/libkauth.a ${TOP_LIBDIR}/libubik.a \
${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/librxkad.a \
${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/librxkad.a ${RXK5} \
${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libcmd.a \
${TOP_LIBDIR}/libcom_err.a ${TOP_LIBDIR}/util.a
${TOP_LIBDIR}/util.a
all: ${TOP_LIBDIR}/libbxdb.a backup
@ -52,7 +58,8 @@ main.o: AFS_component_version_number.c
$(BACKOBJS): bc.h ${TOP_INCDIR}/afs/butc.h
backup: $(BACKOBJS) ${LIBS}
${CC} ${CFLAGS} -o backup $(BACKOBJS) ${LIBS} ${XLIBS}
${CC} ${CFLAGS} -o backup $(BACKOBJS) ${LIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
bucoord_errs.c bc.h: bucoord_errs.et bc.p.h
$(RM) -f bc.h bucoord_errs.c
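Review bot: `backup: $(BACKOBJS) ${LIBS}` now links `$(LIBCOM_ERR)`, which this hunk moves out of LIBS, but the archive is no longer a prerequisite, so a rebuilt libcom_err.a will not relink backup. Add it to the rule header: `backup: $(BACKOBJS) ${LIBS} $(LIBCOM_ERR)`. `${KRB5LIBS}` is an external library list and is correctly left out of the prerequisites.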

@ -57,7 +57,7 @@ extern struct ubik_client *cstruct;
extern int bc_Dumper(); /* function to do dumps */
extern int bc_Restorer(); /* function to do restores */
extern char *whoami;
extern struct ktc_token ttoken;
extern Date token_exptime;
extern char *tailCompPtr();
extern statusP createStatusNode();
@ -998,11 +998,11 @@ bc_JobsCmd(as, arock)
}
/* Print token expiration time */
if ((ttoken.endTime > prevTime)
&& (ttoken.endTime <= youngest->scheduledDump) && as
&& (ttoken.endTime != NEVERDATE)) {
if (ttoken.endTime > time(0)) {
compactDateString(&ttoken.endTime, ds, 50);
if ((token_exptime > prevTime)
&& (token_exptime <= youngest->scheduledDump) && as
&& (token_exptime != NEVERDATE)) {
if (token_exptime > time(0)) {
compactDateString(&token_exptime, ds, 50);
printf(" %16s: TOKEN EXPIRATION\n", ds);
} else {
printf(" TOKEN HAS EXPIRED\n");
@ -1022,11 +1022,11 @@ bc_JobsCmd(as, arock)
}
/* Print token expiration time if havn't already */
if ((ttoken.endTime == NEVERDATE) && as)
if ((token_exptime == NEVERDATE) && as)
printf(" : TOKEN NEVER EXPIRES\n");
else if ((ttoken.endTime > prevTime) && as) {
if (ttoken.endTime > time(0)) {
compactDateString(&ttoken.endTime, ds, 50);
else if ((token_exptime > prevTime) && as) {
if (token_exptime > time(0)) {
compactDateString(&token_exptime, ds, 50);
printf(" %16s: TOKEN EXPIRATION\n", ds);
} else {
printf(" : TOKEN HAS EXPIRED\n");
@ -1817,7 +1817,7 @@ bc_DumpCmd(as, arock)
strcat(statusPtr->cmdLine, " -n");
printf("Add scheduled dump as job %d\n", statusPtr->jobNumber);
if ((atTime > ttoken.endTime) && (ttoken.endTime != NEVERDATE))
if ((atTime > token_exptime) && (token_exptime != NEVERDATE))
com_err(whoami, 0,
"Warning: job %d starts after expiration of AFS token",
statusPtr->jobNumber);

@ -47,7 +47,7 @@ RCSID
#include "bc.h" /*Backup Coordinator structs and defs */
int localauth, interact;
int authflags, interact;
char tcell[64];
extern int bc_AddDumpCmd();
@ -87,19 +87,12 @@ extern int bc_saveDbCmd();
struct bc_config *bc_globalConfig; /*Ptr to global BC configuration info */
struct ubik_client *cstruct; /* Ptr to Ubik client structure */
struct ktc_token ttoken; /* The token */
Date token_exptime; /* When the connection's ticket expires */
static const char *DefaultConfDir; /*Default backup config directory */
static int bcInit = 0; /* backupInit called yet ? */
char *whoami = "backup";
/* dummy routine for the audit work. It should do nothing since audits */
/* occur at the server level and bos is not a server. */
osi_audit()
{
return 0;
}
/*
* Initialize all the error tables that may be used by com_err
* in this module.
@ -119,6 +112,10 @@ InitErrTabs()
initialize_BUDB_error_table();
initialize_BUCD_error_table();
initialize_KTC_error_table();
#ifdef AFS_RXK5
initialize_RXK5_error_table();
#endif
initialize_rx_error_table();
}
/*
@ -282,12 +279,12 @@ backupInit()
rx_SetRxDeadTime(60);
/* VLDB initialization */
code = vldbClientInit(0, localauth, tcell, &cstruct, &ttoken);
code = vldbClientInit(authflags, tcell, &cstruct, &token_exptime);
if (code)
return (code);
/* Backup database initialization */
code = udbClientInit(0, localauth, tcell);
code = udbClientInit(authflags, tcell);
if (code)
return (code);
@ -333,11 +330,17 @@ MyBeforeProc(as)
/* Handling the command line opcode */
if (!bcInit) {
localauth = ((as && as->parms[14].items) ? 1 : 0);
authflags = ((as && as->parms[14].items) ? 2 : 1);
if (as && as->parms[15].items)
strcpy(tcell, as->parms[15].items->data);
else
tcell[0] = '\0';
#ifdef AFS_RXK5
if (as && as->parms[16].items) authflags |= FORCE_RXKAD;
if (as && as->parms[17].items) authflags |= FORCE_RXK5;
if (!(authflags & (FORCE_RXK5|FORCE_RXKAD)))
authflags |= env_afs_rxk5_default();
#endif
code = backupInit();
if (code) {
@ -478,6 +481,10 @@ add_std_args(ts)
cmd_AddParm(ts, "-localauth", CMD_FLAG, CMD_OPTIONAL,
"local authentication");
cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
#ifdef AFS_RXK5
cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL, "use rxkad security");
cmd_AddParm(ts, "-k5", CMD_FLAG, CMD_OPTIONAL, "use rxk5 security");
#endif
}
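Review bot: Passing both -k4 and -k5 is accepted silently by the new parms[16]/parms[17] handling in MyBeforeProc, and vldbClientInit then tests FORCE_RXK5 first, so -k5 wins with no message to the user. Reject the pair up front, before backupInit: `if (as && as->parms[16].items && as->parms[17].items) { com_err(whoami, 0, "-k4 and -k5 are mutually exclusive"); return -1; }` (using whatever error return MyBeforeProc's callers expect; its body continues outside the hunk). The indices 16 and 17 also depend on -k4 preceding -k5 in add_std_args; a comment at those cmd_AddParm lines, `/* parms[16], parms[17]: keep in step with MyBeforeProc */`, would keep the two in sync. The bare `2 : 1` for localauth-vs-tokens in authflags would likewise read better as named values, since the same encoding is decoded by `& 15` in ubik_db_if.c.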

@ -26,6 +26,12 @@ RCSID
#endif
#include <afs/auth.h>
#include <afs/cellconfig.h>
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include <rx/rxk5errors.h>
#include <afs/rxk5_utilafs.h>
#endif
#include "afs_token.h"
#include <ubik.h>
#include <afs/volser.h>
#include <afs/afsutil.h>
@ -802,118 +808,168 @@ bc_CheckTextVersion(ctPtr)
/* vldbClientInit
* Initialize a client for the vl ubik database.
*/
vldbClientInit(noAuthFlag, localauth, cellName, cstruct, ttoken)
int noAuthFlag;
int localauth;
char *cellName;
struct ubik_client **cstruct;
struct ktc_token *ttoken;
afs_int32
vldbClientInit(int authflags,
char *cellName,
struct ubik_client **cstruct,
Date *good_until)
{
afs_int32 code = 0;
const char *confname = 0;
struct afsconf_dir *acdir;
struct rc_securityClass *sc;
struct rx_securityClass *sc = 0;
afs_int32 i, scIndex = 0; /* Index of Rx security object - noauth */
struct afsconf_cell info;
struct ktc_principal sname;
struct rx_connection *serverconns[VLDB_MAXSERVERS];
#ifdef AFS_RXK5
krb5_creds *k5_creds = 0, in_creds[1];
krb5_context k5_context = 0;
krb5_ccache cc = 0;
char *afs_k5_princ = 0;
#endif
int force_flags;
#ifdef AFS_RXK5
memset(in_creds, 0, sizeof *in_creds);
#endif
force_flags = authflags & ~15;
authflags &= 15;
if (authflags == 2)
confname = AFSDIR_SERVER_ETC_DIRPATH;
else
confname = AFSDIR_CLIENT_ETC_DIRPATH;
/* Find out about the given cell */
acdir =
afsconf_Open((localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH));
afsconf_Open(confname);
if (!acdir) {
com_err(whoami, 0, "Can't open configuration directory '%s'",
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH));
confname);
ERROR(BC_NOCELLCONFIG);
}
if (!cellName[0]) {
char cname[64];
code = afsconf_GetLocalCell(acdir, cname, sizeof(cname));
if (code) {
com_err(whoami, code,
"; Can't get the local cell name - check %s/%s",
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH), AFSDIR_THISCELL_FILE);
ERROR(code);
}
strcpy(cellName, cname);
}
if (cellName && !cellName[0])
cellName = 0; /* must mean local cell */
code = afsconf_GetCellInfo(acdir, cellName, AFSCONF_VLDBSERVICE, &info);
if (code) {
com_err(whoami, code, "; Can't find cell %s's hosts in %s/%s",
if (cellName)
com_err(whoami, code, "; Can't find cell %s's hosts in %s/%s",
cellName,
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH), AFSDIR_CELLSERVDB_FILE);
confname, AFSDIR_CELLSERVDB_FILE);
else
com_err(whoami, code, "; Can't find local cell's hosts in %s/%s",
confname, AFSDIR_CELLSERVDB_FILE);
ERROR(BC_NOCELLCONFIG);
}
/*
* Grab tickets if we care about authentication.
*/
ttoken->endTime = 0;
if (localauth) {
code = afsconf_GetLatestKey(acdir, 0, 0);
*good_until = 0;
scIndex = 1;
if (!authflags) {
scIndex = 0;
*good_until = NEVERDATE;
}
else if (authflags == 2) {
code = afsconf_ClientAuthEx(acdir, &sc, &scIndex, force_flags);
if (code) {
com_err(whoami, code, "; Can't get key from local key file");
com_err(whoami, code, "; Calling ClientAuth");
ERROR(code);
} else {
code = afsconf_ClientAuth(acdir, &sc, &scIndex);
if (code) {
com_err(whoami, code, "; Calling ClientAuth");
ERROR(code);
}
ttoken->endTime = NEVERDATE;
}
} else {
if (!noAuthFlag) {
strcpy(sname.cell, info.name);
sname.instance[0] = 0;
strcpy(sname.name, "afs");
code =
ktc_GetToken(&sname, ttoken, sizeof(struct ktc_token), NULL);
if (code) {
com_err(whoami, code, 0,
"; Can't get AFS tokens - running unauthenticated");
} else {
if ((ttoken->kvno < 0) || (ttoken->kvno > 255))
com_err(whoami, 0,
"Funny kvno (%d) in ticket, proceeding",
ttoken->kvno);
scIndex = 2;
}
*good_until = NEVERDATE;
if (!scIndex) {
com_err(whoami, 0,
"localauth failed - running unauthenticated");
}
#ifdef AFS_RXK5
} else if (force_flags & FORCE_RXK5) {
char *what;
scIndex = 5;
code = ENOMEM;
switch (scIndex) {
case 0:
sc = rxnull_NewClientSecurityObject();
break;
case 2:
sc = (struct rx_securityClass *)
what = "get_afs_krb5_svc_princ";
afs_k5_princ = get_afs_krb5_svc_princ(&info);
if (!afs_k5_princ) goto Failed;
what = "krb5_init_context";
code = krb5_init_context(&k5_context);
if(code) goto Failed;
what = "krb5_cc_default";
code = krb5_cc_default(k5_context, &cc); /* in MIT is pointer to ctxt? */
if(code) goto Failed;
what = "krb5_cc_get_principal";
code = krb5_cc_get_principal(k5_context, cc, &in_creds->client);
if(code) goto Failed;
what = "krb5_parse_name";
code = krb5_parse_name(k5_context, afs_k5_princ, &in_creds->server);
if(code) goto Failed;
what = "krb5_get_credentials";
/* 0 is cc flags */
code = krb5_get_credentials(k5_context, 0, cc, in_creds, &k5_creds);
if(code) goto Failed;
sc = rxk5_NewClientSecurityObject(rxk5_auth, k5_creds, 0);
if (sc)
*good_until = k5_creds->times.endtime;
Failed:
if (!code)
;
else if (afs_k5_princ)
com_err(whoami, code, "; %s for %s", what, afs_k5_princ);
else
com_err(whoami, code, "; %s", what);
#endif
} else if (authflags) {
struct ktc_token ttoken[1];
struct afs_token *atoken = 0;
code = ktc_GetTokenEx(0, info.name, &atoken);
if (code) {
com_err(whoami, code,
"; Can't get AFS tokens - running unauthenticated");
scIndex = 0;
#ifdef AFS_RXK5
} else if (atoken->cu->cu_type == CU_K5) {
scIndex = 5;
code = afstoken_to_v5cred(atoken, in_creds);
if (!code)
sc = rxk5_NewClientSecurityObject(rxk5_auth, in_creds, 0);
#endif
} else if (atoken->cu->cu_type == CU_KAD) {
scIndex = 2;
code = afstoken_to_token(atoken, &ttoken, sizeof ttoken);
if (code) goto SkipSc;
/* 999 meant vab. 256 means k5+des for rxkad. */
if ((ttoken->kvno < 0) || (ttoken->kvno > 256))
com_err(whoami, 0,
"Funny kvno (%d) in ticket, proceeding",
ttoken->kvno);
sc =
rxkad_NewClientSecurityObject(rxkad_clear,
&ttoken->sessionKey,
ttoken->kvno, ttoken->ticketLen,
ttoken->ticket);
break;
default:
com_err(whoami, 0, "Unsupported authentication type %d", scIndex);
ERROR(-1);
break;
if (sc)
*good_until = ttoken->endTime;
} else {
com_err(whoami, 0, "unknown token type %d", atoken->cu->cu_type);
}
SkipSc:
if (atoken) free_afs_token(atoken);
}
if (!sc) {
com_err(whoami, 0,
"Can't create a security object with security index %d",
scIndex);
ERROR(-1);
if (scIndex) {
com_err(whoami, code, "Unsupported authentication type %d", scIndex);
ERROR(-1);
}
sc = rxnull_NewClientSecurityObject();
}
/* tell UV module about default authentication */
@ -939,10 +995,24 @@ vldbClientInit(noAuthFlag, localauth, cellName, cstruct, ttoken)
com_err(whoami, code, "; Can't initialize ubik connection to vldb");
ERROR(code);
}
code = rxs_Release(sc);
sc = 0;
error_exit:
if (sc)
rxs_Release(sc);
if (acdir)
afsconf_Close(acdir);
#ifdef AFS_RXK5
if (afs_k5_princ) free(afs_k5_princ);
if (k5_context) {
if (cc) krb5_cc_close(k5_context, cc);
if (k5_creds) krb5_free_creds(k5_context, k5_creds);
krb5_free_principal(k5_context, in_creds->client);
krb5_free_principal(k5_context, in_creds->server);
krb5_free_context(k5_context);
}
#endif
return (code);
}
@ -951,113 +1021,150 @@ vldbClientInit(noAuthFlag, localauth, cellName, cstruct, ttoken)
*/
afs_int32
udbClientInit(noAuthFlag, localauth, cellName)
int noAuthFlag;
int localauth;
char *cellName;
udbClientInit(int authflags, char *cellName)
{
struct ktc_principal principal;
struct ktc_token token;
struct afsconf_cell info;
struct afsconf_dir *acdir;
struct afsconf_dir *acdir = 0;
int i;
afs_int32 code = 0;
int force_flags;
const char *confname;
#ifdef AFS_RXK5
krb5_creds *k5_creds = 0, in_creds[1];
krb5_context k5_context = 0;
krb5_ccache cc = 0;
char* afs_k5_princ = 0;
#endif
#ifdef AFS_RXK5
memset(in_creds, 0, sizeof *in_creds);
#endif
force_flags = authflags & ~15;
authflags &= 15;
if ((authflags & 15) == 2)
confname = AFSDIR_SERVER_ETC_DIRPATH;
else
confname = AFSDIR_CLIENT_ETC_DIRPATH;
acdir =
afsconf_Open((localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH));
afsconf_Open(confname);
if (!acdir) {
com_err(whoami, 0, "Can't open configuration directory '%s'",
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH));
confname);
ERROR(BC_NOCELLCONFIG);
}
if (!cellName[0]) {
char cname[64];
code = afsconf_GetLocalCell(acdir, cname, sizeof(cname));
if (code) {
com_err(whoami, code,
"; Can't get the local cell name - check %s/%s",
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH), AFSDIR_THISCELL_FILE);
ERROR(code);
}
strcpy(cellName, cname);
}
if (cellName && !cellName[0])
cellName = 0; /* NULL or "" => local cell */
code = afsconf_GetCellInfo(acdir, cellName, 0, &info);
if (code) {
com_err(whoami, code, "; Can't find cell %s's hosts in %s/%s",
cellName,
(localauth ? AFSDIR_SERVER_ETC_DIRPATH :
AFSDIR_CLIENT_ETC_DIRPATH), AFSDIR_CELLSERVDB_FILE);
if (cellName)
com_err(whoami, code, "; Can't find cell %s's hosts in %s/%s",
cellName, confname, AFSDIR_CELLSERVDB_FILE);
else
com_err(whoami, code, "; Can't find local cell's hosts in %s/%s",
confname, AFSDIR_CELLSERVDB_FILE);
ERROR(BC_NOCELLCONFIG);
}
udbHandle.uh_scIndex = RX_SCINDEX_NULL;
udbHandle.uh_scIndex = RX_SCINDEX_VAB;
udbHandle.uh_secobj = 0;
if (localauth) {
code = afsconf_GetLatestKey(acdir, 0, 0);
if (!authflags) {
udbHandle.uh_scIndex = RX_SCINDEX_NULL;
} else if (authflags == 2) {
code =
afsconf_ClientAuthEx(acdir, &udbHandle.uh_secobj,
&udbHandle.uh_scIndex, force_flags);
if (code) {
com_err(whoami, code, "; Can't get key from local key file");
com_err(whoami, code, "; Calling ClientAuth");
ERROR(-1);
} else {
code =
afsconf_ClientAuth(acdir, &udbHandle.uh_secobj,
&udbHandle.uh_scIndex);
if (code) {
com_err(whoami, code, "; Calling ClientAuth");
ERROR(-1);
}
}
if (!udbHandle.uh_scIndex) {
com_err(whoami, 0,
"localauth failed - running unauthenticated");
}
#ifdef AFS_RXK5
} else if (force_flags & FORCE_RXK5) {
/* Because rxgk has claimed indexes 3 and 4, the next available index
for rxk5 is 5 */
char *what;
udbHandle.uh_scIndex = RX_SCINDEX_K5; /* Kerberos 5 */
code = ENOMEM;
what = "get_afs_krb5_svc_princ";
afs_k5_princ = get_afs_krb5_svc_princ(&info);
if (!afs_k5_princ) goto Failed;
what = "krb5_init_context";
code = krb5_init_context(&k5_context);
if(code) goto Failed;
what = "krb5_cc_default";
code = krb5_cc_default(k5_context, &cc); /* in MIT is pointer to ctxt? */
if(code) goto Failed;
what = "krb5_cc_get_principal";
code = krb5_cc_get_principal(k5_context, cc, &in_creds->client);
if(code) goto Failed;
what = "krb5_parse_name";
code = krb5_parse_name(k5_context, afs_k5_princ, &in_creds->server);
if(code) goto Failed;
what = "krb5_get_credentials";
/* 0 is cc flags */
code = krb5_get_credentials(k5_context, 0, cc, in_creds, &k5_creds);
if(code) goto Failed;
udbHandle.uh_secobj = rxk5_NewClientSecurityObject(rxk5_auth, k5_creds, 0);
Failed:
if (code) {
if (afs_k5_princ)
com_err(whoami, code, "in %s for %s", what, afs_k5_princ);
else
com_err(whoami, code, "in %s", what);
}
#endif
} else {
if (!noAuthFlag) {
/* setup principal */
strcpy(principal.cell, info.name);
principal.instance[0] = 0;
strcpy(principal.name, "afs");
struct ktc_principal principal;
struct ktc_token token;
/* setup principal */
udbHandle.uh_scIndex = RX_SCINDEX_KAD; /* Kerberos */
strcpy(principal.cell, info.name);
principal.instance[0] = 0;
strcpy(principal.name, "afs");
/* get token */
code = ktc_GetToken(&principal, &token, sizeof(token), NULL);
if (code) {
com_err(whoami, code,
"; Can't get tokens - running unauthenticated");
} else {
if ((token.kvno < 0) || (token.kvno > 255))
com_err(whoami, 0,
"Unexpected kvno (%d) in ticket - proceeding",
token.kvno);
udbHandle.uh_scIndex = RX_SCINDEX_KAD; /* Kerberos */
}
}
/* get token */
code = ktc_GetToken(&principal, &token, sizeof(token), NULL);
if (code) {
com_err(whoami, code,
"; Can't get tokens - running unauthenticated");
udbHandle.uh_scIndex = RX_SCINDEX_NULL;
} else {
/* 999 = vab, 256 = rxkad.k5 */
if ((token.kvno < 0) || (token.kvno > 256))
com_err(whoami, 0,
"Unexpected kvno (%d) in ticket - proceeding",
token.kvno);
switch (udbHandle.uh_scIndex) {
case 0:
udbHandle.uh_secobj = rxnull_NewClientSecurityObject();
break;
case 2:
udbHandle.uh_secobj = (struct rx_securityClass *)
udbHandle.uh_secobj =
rxkad_NewClientSecurityObject(rxkad_clear, &token.sessionKey,
token.kvno, token.ticketLen,
token.ticket);
break;
default:
com_err(whoami, 0, "Unsupported authentication type %d",
udbHandle.uh_scIndex);
ERROR(-1);
break;
}
}
if (!udbHandle.uh_secobj) {
com_err(whoami, 0,
"Can't create a security object with security index %d",
udbHandle.uh_secobj);
ERROR(-1);
if (udbHandle.uh_scIndex) {
com_err(whoami, 0,
"Can't create a security object with security index %d",
udbHandle.uh_secobj);
ERROR(-1);
}
udbHandle.uh_secobj = rxnull_NewClientSecurityObject();
}
if (info.numServers > MAXSERVERS) {
@ -1105,8 +1212,21 @@ udbClientInit(noAuthFlag, localauth, cellName)
}
error_exit:
#if defined(AFS_RXK5)
if (afs_k5_princ) free(afs_k5_princ);
if (k5_context) {
if (cc)
krb5_cc_close(k5_context, cc);
if (k5_creds)
krb5_free_creds(k5_context, k5_creds);
krb5_free_principal(k5_context, in_creds->client);
krb5_free_principal(k5_context, in_creds->server);
krb5_free_context(k5_context);
}
#endif
if (acdir)
afsconf_Close(acdir);
/* no rxs_Release(udbHandle.uh_secobj) -- why else make it global? */
return (code);
}
@ -1295,7 +1415,8 @@ ubik_Call_SingleServer(aproc, aclient, aflags, p1, p2, p3, p4, p5, p6, p7, p8,
* n - error.
*/
udbLocalInit()
afs_int32
udbLocalInit(void)
{
afs_int32 serverList[MAXSERVERS];
char hostname[256];
@ -1318,8 +1439,7 @@ udbLocalInit()
}
udbHandle.uh_scIndex = RX_SCINDEX_NULL;
udbHandle.uh_secobj = (struct rx_securityClass *)
rxnull_NewClientSecurityObject();
udbHandle.uh_secobj = rxnull_NewClientSecurityObject();
for (i = 0; serverList[i] != 0; i++) {
udbHandle.uh_serverConn[i] =
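Review bot: In vldbClientInit the CU_K5 token branch creates `sc` from `in_creds` but never sets `*good_until`, unlike the FORCE_RXK5 path (`k5_creds->times.endtime`) and the CU_KAD path (`ttoken->endTime`); since `*good_until` starts at 0, a coordinator running on a Kerberos 5 token will report "TOKEN HAS EXPIRED" in bc_JobsCmd and warn on every scheduled dump. Add `if (sc) *good_until = in_creds->times.endtime;` after the rxk5_NewClientSecurityObject call in that branch. In the same branch `k5_context` is never initialised, so the error_exit cleanup, which is guarded by `if (k5_context)`, frees nothing of what afstoken_to_v5cred filled into `in_creds` — whether that is a leak depends on what afstoken_to_v5cred allocates, which is not visible here. The stray `/* in MIT is pointer to ctxt? */` next to the two krb5_cc_default calls is an open question left in the code; resolve it or drop it.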

@ -9,6 +9,12 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
CFLAGS=$(COMMON_CFLAGS) $(KRB5CFLAGS) $(XCFLAGS)
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
KRB5LIBS=@KRB5LIBS@
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
INCLS=\
${TOP_INCDIR}/lock.h \
${TOP_INCDIR}/ubik.h \
@ -27,17 +33,16 @@ INCLS=\
LIBS=${TOP_LIBDIR}/libbubasics.a \
${TOP_LIBDIR}/libaudit.a \
${TOP_LIBDIR}/libprot.a \
${TOP_LIBDIR}/libkauth.a \
${TOP_LIBDIR}/libubik.a \
${TOP_LIBDIR}/libauth.a \
${TOP_LIBDIR}/librxkad.a \
${RXK5} \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a \
${TOP_LIBDIR}/libcmd.a \
${TOP_LIBDIR}/libcom_err.a \
${TOP_LIBDIR}/util.a
COMMON_OBJS = database.o db_alloc.o db_dump.o db_hash.o struct_ops.o ol_verify.o
@ -71,7 +76,8 @@ struct_ops.o: budb_errs.h
server.o: server.c budb_errs.h ${INCLS} AFS_component_version_number.c
budb_server: $(SERVER_OBJS) ${LIBS}
${CC} ${LDFLAGS} -o budb_server $(SERVER_OBJS) ${LIBS} ${XLIBS}
${CC} ${LDFLAGS} -o budb_server $(SERVER_OBJS) ${LIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS}
budb.cs.c: budb.rg
${RXGEN} -u -C -o $@ ${srcdir}/budb.rg
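Review bot: `budb_server: $(SERVER_OBJS) ${LIBS}` links `$(LIBCOM_ERR)` after this hunk moves libcom_err.a out of LIBS, but the archive is no longer a prerequisite, so changes to libcom_err.a will not relink budb_server; use `budb_server: $(SERVER_OBJS) ${LIBS} $(LIBCOM_ERR)`. libkauth.a also drops out of LIBS here with no comment; the sibling butc Makefile records why it still needs kauth, and a one-line comment here saying why budb_server no longer does would save the next reader a search.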

@ -50,6 +50,11 @@ RCSID
#include <des.h>
#include <afs/cellconfig.h>
#include <afs/auth.h>
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include <rx/rxk5errors.h>
#include <afs/rxk5_utilafs.h>
#endif
#include <errno.h>
#include "budb.h"
#include "budb_errs.h"
@ -1416,6 +1421,8 @@ CreateDump(call, dump)
afs_int32 kvno;
Date expiration; /* checked by Security Module */
struct ktc_principal principal;
afs_int32 secClass;
afs_int32 authenticated = 0;
if (!callPermitted(call))
return BUDB_NOTPERMITTED;
@ -1427,20 +1434,66 @@ CreateDump(call, dump)
if (eval)
return eval;
eval =
secClass = rx_SecurityClassOf(rx_ConnectionOf(call));
if (secClass == 2) {
eval =
rxkad_GetServerInfo(rx_ConnectionOf(call), &level, &expiration,
principal.name, principal.instance,
principal.cell, &kvno);
if (eval) {
if (eval) {
if (eval != RXKADNOAUTH)
ABORT(eval);
ABORT(eval);
strcpy(principal.name, "");
strcpy(principal.instance, "");
strcpy(principal.cell, "");
expiration = 0;
} else {
} else {
authenticated = 1;
}
}
#ifdef AFS_RXK5
else if (secClass == 5) {
char *rxk5_princ;
int expires;
char *afsname = 0, *k4realm, *k4instance;
eval = rxk5_GetServerInfo(call->conn, 0,
&expires, &rxk5_princ, 0, 0);
if(eval)
goto out;
expiration = expires;
eval = afs_rxk5_parse_name_k5(BU_conf, rxk5_princ, &afsname, 1);
if(eval)
goto out;
k4realm = strchr(afsname, '@');
if (k4realm) *k4realm++ = 0;
k4instance = strchr(afsname, '.');
if (k4instance) *k4instance++ = 0;
memset(&principal, 0, sizeof principal);
strcpy(principal.name, afsname);
if(k4instance) strcpy(principal.instance, k4instance);
if(k4realm) strcpy(principal.cell, k4realm);
out:
if(afsname)
free(afsname);
if (eval && eval != RXK5NOAUTH)
ABORT(eval);
}
#endif
if(authenticated) {
/* authenticated. Take user supplied principal information */
if (strcmp(dump->dumper.name, "") != 0)
strncpy(principal.name, dump->dumper.name,
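Review bot: The rxk5 branch in CreateDump never sets `authenticated = 1` on success, so a caller authenticated with rxk5 is handled by the following `if(authenticated)` block as if unauthenticated, while the rxkad branch does set it. The same branch copies the parsed principal into the fixed-size fields of `principal` with strcpy; a Kerberos 5 principal is not bounded the way an rxkad ticket's name is, so a long client name, instance or realm overruns the struct on the stack (assuming, as the strcpy usage implies, fixed char arrays) — and it should be refused rather than truncated, since a clipped name could alias a different principal. Finally, on RXK5NOAUTH the `goto out` skips the memset, leaving `principal` and `expiration` uninitialised where the rxkad branch zeroes them. CreateDump continues outside the hunk.
```c
    else if (secClass == 5) {
        char *rxk5_princ;
        int expires;
        char *afsname = 0, *k4realm, *k4instance;
        /* zeroed up front so the RXK5NOAUTH path leaves a clean caller, as the rxkad branch does */
        memset(&principal, 0, sizeof principal);
        expiration = 0;
        /* ... unchanged: rxk5_GetServerInfo, afs_rxk5_parse_name_k5, realm/instance split ... */
        /* refuse rather than truncate: a clipped name could alias a different principal */
        if (strlen(afsname) >= sizeof principal.name
            || (k4instance && strlen(k4instance) >= sizeof principal.instance)
            || (k4realm && strlen(k4realm) >= sizeof principal.cell)) {
            eval = BUDB_NOTPERMITTED;
            goto out;
        }
        strcpy(principal.name, afsname);
        if (k4instance) strcpy(principal.instance, k4instance);
        if (k4realm) strcpy(principal.cell, k4realm);
        authenticated = 1;   /* rxk5 identity established; mirrors the rxkad branch */
    out:
        /* ... unchanged: free(afsname), RXK5NOAUTH check ... */
    }
```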

@ -45,6 +45,11 @@ RCSID
#include <rx/rxkad.h>
#include <rx/rx_globals.h>
#include <afs/cellconfig.h>
#ifdef AFS_RXK5
#include <rx/rxk5.h>
#include <rx/rxk5errors.h>
#include <afs/rxk5_utilafs.h>
#endif
#include <afs/auth.h>
#include <afs/bubasics.h>
#include <afs/afsutil.h>
@ -367,7 +372,12 @@ main(argc, argv)
char clones[MAXHOSTSPERCELL];
struct rx_service *tservice;
struct rx_securityClass *sca[3];
#ifdef AFS_RXK5
#define MAX_SC_LEN 6
#else
#define MAX_SC_LEN 3
#endif
struct rx_securityClass *sca[MAX_SC_LEN];
extern int afsconf_ServerAuth();
extern int afsconf_CheckAuth();
@ -403,6 +413,10 @@ main(argc, argv)
osi_audit(BUDB_StartEvent, 0, AUD_END);
initialize_BUDB_error_table();
#ifdef AFS_RXK5
initialize_RXK5_error_table();
#endif
initialize_rx_error_table();
initializeArgHandler();
/* Initialize dirpaths */
@ -555,17 +569,28 @@ main(argc, argv)
ERROR(code);
}
memset(sca, 0, MAX_SC_LEN * sizeof *sca);
sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
sca[RX_SCINDEX_VAB] = 0;
#ifdef AFS_RXK5
if (have_afs_keyfile(BU_conf))
#endif
sca[RX_SCINDEX_KAD] =
rxkad_NewServerSecurityObject(rxkad_clear, BU_conf, afsconf_GetKey,
NULL);
#ifdef AFS_RXK5
if (have_afs_rxk5_keytab(BU_conf->name))
sca[RX_SCINDEX_K5] =
rxk5_NewServerSecurityObject(rxk5_auth,
get_afs_rxk5_keytab(BU_conf->name),
rxk5_default_get_key, 0, 0);
#endif
/* Disable jumbograms */
rx_SetNoJumbo();
tservice =
rx_NewServiceHost(host, 0, BUDB_SERVICE, "BackupDatabase", sca, 3,
rx_NewServiceHost(host, 0, BUDB_SERVICE, "BackupDatabase", sca, MAX_SC_LEN,
BUDB_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
LogError(0, "Could not create backup database rx service\n");
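Review bot: With AFS_RXK5 the rxkad object in `sca[RX_SCINDEX_KAD]` is now created only when `have_afs_keyfile(BU_conf)` is true and the rxk5 one only when a keytab exists, but neither creation is checked and nothing is logged when both are absent, so a budb_server with no KeyFile and no keytab starts with rxnull as its only class and every authenticated request fails with no trace in the log. A NULL entry from either constructor is likewise passed to rx_NewServiceHost silently. Report both through the LogError already used a few lines down; main continues outside the hunk.
```c
#ifdef AFS_RXK5
    if (have_afs_rxk5_keytab(BU_conf->name)) {
        sca[RX_SCINDEX_K5] =
            rxk5_NewServerSecurityObject(rxk5_auth,
                                         get_afs_rxk5_keytab(BU_conf->name),
                                         rxk5_default_get_key, 0, 0);
        if (!sca[RX_SCINDEX_K5])
            LogError(0, "Could not create rxk5 security object\n");
    }
    if (!sca[RX_SCINDEX_KAD] && !sca[RX_SCINDEX_K5])
        LogError(0, "No KeyFile and no rxk5 keytab: only unauthenticated access is possible\n");
#endif
```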

@ -10,6 +10,12 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
CFLAGS=$(COMMON_CFLAGS) $(KRB5CFLAGS) $(XCFLAGS)
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
KRB5LIBS=@KRB5LIBS@
@ENABLE_RXK5@RXK5=${TOP_LIBDIR}/librxk5.a
INCLS=${TOP_INCDIR}/afs/partition.h ${TOP_INCDIR}/afs/volume.h \
${TOP_INCDIR}/afs/vlserver.h ${TOP_INCDIR}/rx/rx.h \
${TOP_INCDIR}/rx/xdr.h ${TOP_INCDIR}/afs/keys.h \
@ -20,6 +26,7 @@ INCLS=${TOP_INCDIR}/afs/partition.h ${TOP_INCDIR}/afs/volume.h \
HACKS=${TOP_LIBDIR}/libdir.a
# NB: libkauth.a(kaerrors.o) is the only kauth dependency
LIBS=${TOP_LIBDIR}/libbudb.a \
$(TOP_LIBDIR)/libbxdb.a \
${TOP_LIBDIR}/libbubasics.a \
@ -33,13 +40,13 @@ LIBS=${TOP_LIBDIR}/libbudb.a \
${TOP_LIBDIR}/libubik.a \
${TOP_LIBDIR}/libauth.a \
${TOP_LIBDIR}/librxkad.a \
${RXK5} \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a \
${TOP_LIBDIR}/libcmd.a \
${TOP_LIBDIR}/libcom_err.a \
${TOP_LIBDIR}/util.a \
${TOP_LIBDIR}/libusd.a \
${TOP_LIBDIR}/libprocmgmt.a
@ -52,15 +59,17 @@ SOBJS=dbentries.o tcprocs.o lwps.o tcmain.o list.o recoverDb.o tcudbprocs.o \
all: butc read_tape
butc_test: ${TESTOBJS} ${LIBS} ${INCLS} ${HACKS}
${CC} ${CFLAGS} ${TESTOBJS} ${LIBS} ${XLIBS} -o butc_test
${CC} ${CFLAGS} ${TESTOBJS} ${LIBS} $(LIBCOM_ERR) ${XLIBS} -o butc_test
tdump: tdump.c AFS_component_version_number.c
${CC} ${CFLAGS} ${srcdir}/tdump.c -o tdump
butc: ${SOBJS} ${LIBS} ${INCLS} ${HACKS}
@case ${SYS_NAME} in \
rs_aix*) ${CC} ${CFLAGS} ${SOBJS} ${LIBS} ${XLIBS} /usr/lib/libc_r.a -o butc;; \
*) ${CC} ${CFLAGS} ${SOBJS} ${LIBS} ${XLIBS} -o butc;; \
rs_aix*) ${CC} ${CFLAGS} ${SOBJS} ${LIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS} /usr/lib/libc_r.a -o butc;; \
*) ${CC} ${CFLAGS} ${SOBJS} ${LIBS} \
${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS} -o butc;; \
esac
tcmain.o: tcmain.c ${INCLS} AFS_component_version_number.c
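Review bot: The `butc_test` link line gains `$(LIBCOM_ERR)` but not `${KRB5LIBS}`, while LIBS now carries `${RXK5}`; with rxk5 enabled, any librxk5.a object pulled into the test will need the Kerberos libraries and the link fails. Bring it in step with the butc rule: `${CC} ${CFLAGS} ${TESTOBJS} ${LIBS} ${KRB5LIBS} $(LIBCOM_ERR) ${XLIBS} -o butc_test`. Neither rule lists `$(LIBCOM_ERR)` as a prerequisite, so a rebuilt libcom_err.a will not trigger a relink either.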

@ -111,13 +111,6 @@ int rxBind = 0;
#define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
afs_uint32 SHostAddrs[ADDRSPERSITE];
/* dummy routine for the audit work. It should do nothing since audits */
/* occur at the server level and bos is not a server. */
osi_audit()
{
return 0;
}
static afs_int32
SafeATOL(register char *anum)
{
@ -835,9 +828,9 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
register afs_int32 code;
struct rx_securityClass *(securityObjects[3]);
struct rx_service *service;
struct ktc_token ttoken;
Date when_token_expires;
char cellName[64];
int localauth;
int authflags;
/*process arguments */
afs_int32 portOffset = 0;
#ifdef AFS_PTHREAD_ENV
@ -867,6 +860,10 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
initialize_VOLS_error_table();
initialize_BUDB_error_table();
initialize_BUCD_error_table();
#ifdef AFS_RXK5
initialize_RXK5_error_table();
#endif
initialize_rx_error_table();
if (as->parms[0].items) {
portOffset = SafeATOL(as->parms[0].items->data);
@ -1030,7 +1027,13 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
if (as->parms[4].items)
autoQuery = 0;
localauth = (as->parms[5].items ? 1 : 0);
authflags = (as->parms[5].items ? 2 : 1);
#ifdef AFS_RXK5
if (as->parms[9].items) authflags |= FORCE_RXKAD; /* -k4 */
if (as->parms[10].items) authflags |= FORCE_RXK5; /* -k5 */
if (!(authflags & (FORCE_RXK5|FORCE_RXKAD)))
authflags |= env_afs_rxk5_default();
#endif
rxBind = (as->parms[8].items ? 1 : 0);
if (rxBind) {
@ -1061,7 +1064,7 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
rx_SetRxDeadTime(150);
/* Establish connection with the vldb server */
code = vldbClientInit(0, localauth, cellName, &cstruct, &ttoken);
code = vldbClientInit(authflags, cellName, &cstruct, &when_token_expires);
if (code) {
TapeLog(0, 0, code, 0, "Can't access vldb\n");
return code;
@ -1100,7 +1103,7 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
rx_SetMaxProcs(service, 4);
/* Establish connection to the backup database */
code = udbClientInit(0, localauth, cellName);
code = udbClientInit(authflags, cellName);
if (code) {
TapeLog(0, 0, code, 0, "Can't access backup database\n");
exit(1);
@ -1144,7 +1147,7 @@ WorkerBee(struct cmd_syndesc *as, char *arock)
TLog(0, "Starting Tape Coordinator: Port offset %u Debug level %u\n",
portOffset, debugLevel);
t = ttoken.endTime;
t = when_token_expires;
TLog(0, "Token expires: %s\n", cTIME(&t));
rx_StartServer(1); /* Donate this process to the server process pool */
@ -1196,6 +1199,10 @@ main(int argc, char **argv)
"Force multiple XBSA server support");
cmd_AddParm(ts, "-rxbind", CMD_FLAG, CMD_OPTIONAL,
"bind Rx socket");
#ifdef AFS_RXK5
cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL, "use rxkad security");
cmd_AddParm(ts, "-k5", CMD_FLAG, CMD_OPTIONAL, "use rxk5 security");
#endif
/* Initialize dirpaths */
if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {


@ -48,7 +48,7 @@ connect_buserver()
* Connect to buserver
*/
cellName[0] = '\0';
code = udbClientInit(0, 0, cellName);
code = udbClientInit(0, cellName);
if (code) {
printf("Error in udbClientInit call\n");
ERROR(code);
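Review bot: `udbClientInit(0, cellName)` passes 0 as the new first argument, but the only other caller changed in this commit (WorkerBee in the tape coordinator) derives that argument as `as->parms[5].items ? 2 : 1` and then ORs in FORCE_RXKAD/FORCE_RXK5, so 0 is not one of the values the new interface is shown to take. If 0 is intended as "no preference", a one-line comment such as `/* authflags 0: let udbClientInit choose the security class */` would make that explicit; otherwise this should probably mirror the old `localauth = 0` case, which the tape coordinator now expresses as 1 — confirm against udbClientInit's definition. connect_buserver's body begins before this hunk.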


@ -8,6 +8,7 @@
srcdir=@srcdir@
include @TOP_OBJDIR@/src/config/Makefile.config
LIBCOM_ERR=${TOP_LIBDIR}/libcom_err.a
INCLS=${TOP_INCDIR}/afs/com_err.h ${TOP_INCDIR}/afs/butm.h
LIBS=${TOP_LIBDIR}/libbubasics.a \
@ -15,7 +16,6 @@ LIBS=${TOP_LIBDIR}/libbubasics.a \
${TOP_LIBDIR}/libusd.a \
${TOP_LIBDIR}/libcom_err.a \
${TOP_LIBDIR}/libbutm.a \
${TOP_LIBDIR}/libcom_err.a \
${TOP_LIBDIR}/util.a \
${XLIBS}
@ -36,7 +36,7 @@ file_tm.o: file_tm.c ${INCLS} AFS_component_version_number.c
test_ftm.o: test_ftm.c ${INCLS} AFS_component_version_number.c
test_ftm: test_ftm.o libbutm.a
${CC} ${LDFLAGS} -o test_ftm test_ftm.o libbutm.a ${LIBS}
${CC} ${LDFLAGS} -o test_ftm test_ftm.o libbutm.a ${LIBS} $(LIBCOM_ERR)
test: test_ftm
echo 'Usage: ./test_ftm -conf config -tape xxx *'
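Review bot: The new link line writes `$(LIBCOM_ERR)` while every other reference in this Makefile uses the `${...}` form (`${LDFLAGS}`, `${LIBS}`); `${LIBCOM_ERR}` keeps the file uniform. On the new side `libcom_err.a` is still listed once inside `LIBS` (the hunk removes only one of the two copies) and is then repeated via `LIBCOM_ERR` after `${LIBS}`, so the archive is scanned twice; if the trailing copy exists so that references from `util.a` resolve, a comment on the `LIBCOM_ERR=` definition such as `# linked again after LIBS so util.a's com_err references resolve` would explain the duplication, otherwise the copy inside `LIBS` can go.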


@ -74,6 +74,7 @@ main(argc, argv)
* General Setup
* ------------- */
initialize_BUTM_error_table();
initialize_rx_error_table();
tapeInfo.structVersion = BUTM_MAJORVERSION;


@ -119,6 +119,7 @@ main(argc, argv)
whoami = argv[0];
initialize_BUTM_error_table();
initialize_rx_error_table();
if (argc < 2)
goto usage;


@ -10,9 +10,11 @@ dnl it when cross-compiling
AC_DEFUN([OPENAFS_CHECK_BIGENDIAN], [
AC_ARG_ENABLE(bigendian,
[ --enable-bigendian the target is big endian],
openafs_cv_c_bigendian_compile=no
openafs_cv_c_bigendian=yes)
AC_ARG_ENABLE(littleendian,
[ --enable-littleendian the target is little endian],
openafs_cv_c_bigendian_compile=no
openafs_cv_c_bigendian=no)
AC_CACHE_CHECK(whether byte order is known at compile time,
openafs_cv_c_bigendian_compile,
@ -45,9 +47,9 @@ AC_CACHE_CHECK(whether byte ordering is bigendian, openafs_cv_c_bigendian,[
fi
])
if test "$openafs_cv_c_bigendian" = "yes"; then
AC_DEFINE(AUTOCONF_FOUND_BIGENDIAN, 1, [define if target is big endian])dnl
AC_DEFINE([AUTOCONF_FOUND_BIGENDIAN], 1, [define if target is big endian])dnl
fi
if test "$openafs_cv_c_bigendian_compile" = "yes"; then
AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
AC_DEFINE([ENDIANESS_IN_SYS_PARAM_H], 1, [define if sys/param.h defines the endiness])dnl
fi
])
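Review bot: Both `--enable-bigendian` and `--enable-littleendian` actions now preset `openafs_cv_c_bigendian_compile=no` and write opposite values into `openafs_cv_c_bigendian`, so passing both options lets whichever is processed last win silently. A guard after the second AC_ARG_ENABLE, `if test "$enable_bigendian" = yes && test "$enable_littleendian" = yes; then AC_MSG_ERROR([--enable-bigendian and --enable-littleendian are mutually exclusive]); fi`, would report the conflict instead of configuring a byte order the user did not ask for. The AC_DEFINE quoting changes in the second hunk are fine as they stand.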

50
src/cf/darwin-exp-dc.m4 Normal file

@ -0,0 +1,50 @@
dnl Copyright (c) 2007
dnl The Regents of the University of Michigan
dnl ALL RIGHTS RESERVED
dnl
dnl Permission is granted to use, copy, create derivative works
dnl and redistribute this software and such derivative works
dnl for any purpose, so long as the name of the University of
dnl Michigan is not used in any advertising or publicity
dnl pertaining to the use or distribution of this software
dnl without specific, written prior authorization. If the
dnl above copyright notice or any other identification of the
dnl University of Michigan is included in any copy of any
dnl portion of this software, then the disclaimer below must
dnl also be included.
dnl
dnl This software is provided as is, without representation
dnl from the University of Michigan as to its fitness for any
dnl purpose, and without warranty by the University of
dnl Michigan of any kind, either express or implied, including
dnl without limitation the implied warranties of
dnl merchantability and fitness for a particular purpose. The
dnl regents of the University of Michigan shall not be liable
dnl for any damages, including special, indirect, incidental, or
dnl consequential damages, with respect to any claim arising
dnl out of or in connection with the use of the software, even
dnl if it has been or is hereafter advised of the possibility of
dnl such damages.
dnl
AC_DEFUN([AC_DARWIN_EXP_DC], [#
# Current MacOS kerberos libaries do not export all the
# functionality required by rxk5. Worse yet, it implements
# its own unique internal credentials cache and does not
# provide a standalone external api to access that cache.
# Shame, shame, shame.
#
# The simple solution is to use file based credentials caches.
# You should go use that, and not read any further.
#
# This hack enables use of code that hooks up to one internal
# mechanism used by one version of kerberos (65-10). Success with
# any other version is unlikely. Use with any version is unwise.
# EXPERIMENTAL USE ONLY. You were warned.
#
AC_ARG_ENABLE([temp-macosx-kludge],
[ --enable-temp-macosx-kludge experimenal use only; do not use],,enable_temp_macosx_kludge=no)
m4_divert_text([DEFAULTS], [ENABLE_DC='#'])dnl
if test X"$enable_temp_macosx_kludge" == Xyes; then
ENABLE_DC=''
fi
AC_SUBST(ENABLE_DC)])
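Review bot: `test X"$enable_temp_macosx_kludge" == Xyes` uses `==`, which POSIX `test` does not define; on `/bin/sh` implementations such as dash the comparison fails with "unexpected operator", so the option can never take effect there. It should read `if test X"$enable_temp_macosx_kludge" = Xyes; then`. The help string also misspells "experimenal" and the header comment "libaries".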


@ -9,7 +9,7 @@ ac_cv_compiler_has_function_macro=yes,
ac_cv_compiler_has_function_macro=no)])
AC_MSG_RESULT($ac_cv_compiler_has_function_macro)
if test "$ac_cv_compiler_has_function_macro" = "yes"; then
AC_DEFINE(HAVE_FUNCTION_MACRO, 1, [define if compiler has __FUNCTION__])
AC_DEFINE([HAVE_FUNCTION_MACRO], 1, [define if compiler has __FUNCTION__])
fi
])


@ -14,7 +14,7 @@ ac_cv_irix_sys_systm_h_has_mem_funcs=no,
ac_cv_irix_sys_systm_h_has_mem_funcs=yes)])
CPPFLAGS="$save_CPPFLAGS"
if test "$ac_cv_irix_sys_systm_h_has_mem_funcs" = "yes"; then
AC_DEFINE(IRIX_HAS_MEM_FUNCS, 1, [define if irix has memcpy and friends])
AC_DEFINE([IRIX_HAS_MEM_FUNCS], 1, [define if irix has memcpy and friends])
fi
AC_MSG_RESULT($ac_cv_irix_sys_systm_h_has_mem_funcs)
])


@ -8,52 +8,204 @@ AC_DEFUN([OPENAFS_KRB5CONF],[
dnl AC_ARG_VAR(KRB5CFLAGS, [C flags to compile Kerberos 5 programs])
dnl AC_ARG_VAR(KRB5LIBS, [Libraries and flags to compile Kerberos 5 programs])
dnl AC_ARG_VAR(KRB5_CONFIG, [Location of krb5-config script])
dnl AC_ARG_VAR(KRB5CONFIG_SCRIPT, [Location of krb5-config script])
dnl AC_ARG_VAR(KRB5VENDOR, [Kerberos flavor--HEIMDAL or MIT])
AC_ARG_WITH([krb5-conf],[--with-krb5-conf[=krb5-config-location] Use a krb5-config script to configure Kerberos])
if test X$with_krb5_conf != X; then
conf_krb5=YES
if test X$with_krb5_conf = Xyes; then
AC_PATH_PROG(KRB5_CONFIG, krb5-config, not_found)
if test X$KRB5_CONFIG = Xnot_found; then
AC_MSG_ERROR([cannot find krb5-config script, you must configure Kerberos manually])
fi
else
KRB5_CONFIG=$withval
fi
KRB5CFLAGS=`$KRB5_CONFIG --cflags krb5`
retval=$?
if test $retval -ne 0; then
AC_MSG_ERROR([$KRB5_CONFIG failed with an error code of $retval])
fi
KRB5LIBS=`$KRB5_CONFIG --libs krb5`
retval=$?
if test $retval -ne 0; then
AC_MSG_ERROR([$KRB5_CONFIG failed with an error code of $retval])
fi
AC_MSG_RESULT([Adding $KRB5CFLAGS to KRB5CFLAGS])
AC_MSG_RESULT([Adding $KRB5LIBS to KRB5LIBS])
fi
AC_ARG_WITH([krb5], [--with-krb5 Support for Kerberos 5 (manual configuration)])
if test X$with_krb5 = Xyes; then
if test X$conf_krb5 = XYES; then
AC_MSG_ERROR([--with-krb5-config and --with-krb5 are mutually exclusive, choose only one])
NEED_NFOLD='#'
NEED_DANISH='#'
NEED_RXK5_FIXUPS='#'
BUILD_KRB5=no
if test "X$with_krb5_conf" != X && test "X$with_krb5_conf" != Xno; then
KRB5CONFIG_SCRIPT=$with_krb5_conf
BUILD_KRB5=yes
AC_MSG_RESULT([case 1 $KRB5CONFIG_SCRIPT for krb5_config XXX])
else
if test -x "$with_krb5/bin/krb5-config"; then
KRB5CONFIG_SCRIPT="$with_krb5/bin/krb5-config"
BUILD_KRB5=yes
AC_MSG_RESULT([case 2 $KRB5CONFIG_SCRIPT for krb5_config XXX])
else
if test "X$with_krb5" != X && test "X$with_krb5" != Xno; then
BUILD_KRB5=yes
AC_MSG_RESULT([case 3 do k5, manual config, or ssl XXX])
else
if test "X$conf_ssl" = XYES; then
BUILD_KRB5=yes
AC_MSG_RESULT([case 4 k4, ssl XXX])
else AC_MSG_RESULT([no case, without krb5 and not k5ssl XXX])
fi
fi
fi
fi
if test "X$with_krb5_conf" = Xyes; then
AC_PATH_PROG(KRB5CONFIG_SCRIPT, krb5-config, not_found)
if test "X$KRB5CONFIG_SCRIPT" = Xnot_found &&
test "X$conf_ssl" != XYES &&
test "X$KRB5CFLAGS" = X &&
test "X$KRB5LIBS" = X &&
test "X$KRB5CONFIG_SCRIPT" = X; then
AC_MSG_ERROR([cannot find krb5-config script, you must configure Kerberos manually])
fi
BUILD_KRB5=yes
fi
if test "X$KRB5CONFIG_SCRIPT" != X; then
if test "X$conf_ssl" = XYES; then
AC_MSG_ERROR([--with-ssl and $KRB5CONFIG_SCRIPT, choose only one])
fi
KRB5CFLAGS="`$KRB5CONFIG_SCRIPT --cflags krb5`"
retval=$?
if test $retval -ne 0; then
AC_MSG_ERROR([$KRB5CONFIG_SCRIPT --cflags krb5: failed with an error code of $retval])
fi
KRB5LIBS_RAW="`$KRB5CONFIG_SCRIPT --libs krb5`"
retval=$?
if test $retval -ne 0; then
AC_MSG_ERROR([$KRB5CONFIG_SCRIPT --libs krb5: failed with an error code of $retval])
fi
KRB5LIBS="`echo $KRB5LIBS_RAW | sed 's; [[^ ]]*com_err[[^ ]]*;;'`"
KRB5PREFIX="`$KRB5CONFIG_SCRIPT --prefix`"
retval=$?
if test $retval -ne 0; then
AC_MSG_ERROR([$KRB5CONFIG_SCRIPT --prefix: failed with an error code of $retval])
fi
AC_MSG_RESULT([Adding $KRB5CFLAGS to KRB5CFLAGS])
AC_MSG_RESULT([k5libs $KRB5LIBS_RAW before removing -lcom_err])
AC_MSG_RESULT([Adding $KRB5LIBS to KRB5LIBS])
AC_MSG_RESULT([Setting $KRB5PREFIX to KRB5PREFIX])
fi
if test "X$BUILD_KRB5" = Xyes; then
if test "X$conf_ssl" = XYES; then
AC_MSG_RESULT([set vendor K5SSL XXX])
KRB5VENDOR="K5SSL";
else
dnl if krb5-config is missing, this is worth a try.
if test "X$KRB5CONFIG_SCRIPT" = X &&
test "X$with_krb5" != Xyes; then
if test "X$KRB5CFLAGS" = X; then
AC_MSG_WARN([KRB5CFLAGS is not set])
KRB5CFLAGS="-I$with_krb5/include"
AC_MSG_RESULT([Adding $KRB5CFLAGS to KRB5CFLAGS (heuristic)])
fi
if test "X$KRB5LIBS" = X; then
AC_MSG_WARN([KRB5LIBS is not set])
if test "X$KRB5PREFIX" = X; then
KRB5PREFIX="-I$with_krb5"
AC_MSG_RESULT([Adding $KRB5PREFIX to KRB5PREFIX (heuristic)])
fi
conf_krb5=YES
fi
AC_MSG_RESULT([not ssl, find out who is vendor XXX])
save_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
if test "X$BUILD_KRB5" = Xyes; then
AC_MSG_CHECKING(for heimdal style krb5_keyblock)
AC_CACHE_VAL(ac_cv_heimdal_style_krb5_keyblock,
[
AC_TRY_COMPILE([#include <krb5.h>], [krb5_keyblock _k;
printf("%d %d %d\n", (int)_k.keytype, (int)_k.keyvalue.length,
(int)_k.keyvalue.data);],
kludge_need_parse_units_h=no
ac_cv_heimdal_style_krb5_keyblock=yes,
AC_TRY_COMPILE(
[#include <parse_units.h>
#include <krb5.h>], [krb5_keyblock _k;
printf("%d %d %d\n", (int)_k.keytype, (int)_k.keyvalue.length,
(int)_k.keyvalue.data);],
kludge_need_parse_units_h=yes
ac_cv_heimdal_style_krb5_keyblock=yes,
ac_cv_heimdal_style_krb5_keyblock=no)
)])
AC_MSG_RESULT($ac_cv_heimdal_style_krb5_keyblock)
if test "x$ac_cv_heimdal_style_krb5_keyblock" = xyes; then
if test "x$kludge_need_parse_units_h" = xyes; then
AC_DEFINE([HAVE_PARSE_UNITS_H], 1, [define if heimdal krb5.h needs parse_units.h])
fi
KRB5VENDOR="HEIMDAL";
else
AC_MSG_CHECKING(for mit style krb5_keyblock)
AC_CACHE_VAL(ac_cv_mit_style_krb5_keyblock,
[
AC_TRY_COMPILE(
[#include <krb5.h>],
[krb5_keyblock _k;
printf("%d %d %d\n", (int)_k.enctype, (int)_k.length, (int)_k.contents);],
ac_cv_mit_style_krb5_keyblock=yes,
ac_cv_mit_style_krb5_keyblock=no)])
AC_MSG_RESULT($ac_cv_mit_style_krb5_keyblock)
if test "x$ac_cv_mit_style_krb5_keyblock" = xyes; then
KRB5VENDOR="MIT";
fi
fi
fi
dnl if krb5-config is missing, this is probably wrong, but worth a start.
if test "X$KRB5CONFIG_SCRIPT" = X &&
test "X$with_krb5" != Xyes &&
test "X$KRB5LIBS" = X; then
if test "X$KRB5VENDOR" = XHEIMDAL; then
KRB5LIBS="-L$with_krb5/lib -lkrb5 -lasn1 -lroken -lcrypto"
else
if test "X$KRB5VENDOR" = XMIT; then
KRB5LIBS="-L$with_krb5/lib -lkrb5 -lk5crypto"
else
AC_MSG_WARN([-with-krb5, and unable to guess at KRB5LIBS])
fi
fi
AC_MSG_RESULT([Adding $KRB5LIBS to KRB5LIBS (heuristic)])
fi
CPPFLAGS="$save_CPPFLAGS"
fi
BUILD_KRB5=no
if test X$conf_krb5 = XYES; then
if test "X${KRB5VENDOR}" != X; then
if test "X${KRB5VENDOR}" != XK5SSL; then
AC_MSG_RESULT([Detected $KRB5VENDOR Kerberos V implementation])
fi
else
AC_MSG_RESULT([Can't determine Kerberos V implementation])
fi
if test "X$KRB5VENDOR" = XHEIMDAL; then
AC_DEFINE([COMPILED_WITH_HEIMDAL], 1, [define if linking against kth heimdal (please do not use this symbol for conditional compilation)])
# TEMPORARY workaround to incompatibility of
# AFS and Heimdal errortables
if test "X$KRB5PREFIX" = X; then
FIXUP_K5LIBDIR="/usr/lib"
else
FIXUP_K5LIBDIR="$KRB5PREFIX/lib"
fi
LIBFIXUPKRB5=libfixupkrb5.a
NEED_RXK5_FIXUPS=''
NEED_NFOLD=''
K5SUPPORT=' nfold.o'
fi
if test "X$KRB5VENDOR" = XSHISHI; then
dnl *** Unsupported; only rxk5 has the necessary logic.
dnl *** Beware shishi licensing.
AC_DEFINE([COMPILED_WITH_SHISHI], 1, [define if linking against shishi kerberos 5 (please do not use this symbol for conditional compilation)])
NEED_NFOLD=''
K5SUPPORT=' nfold.o'
fi
if test "X$KRB5VENDOR" = XMIT; then
AC_DEFINE([COMPILED_WITH_MIT], 1, [define if linking against MIT kerberos 5 (please do not use this symbol for conditional compilation)])
K5SUPPORT=' danish.o nfold.o'
NEED_DANISH=''
NEED_NFOLD=''
fi
if test "X$KRB5VENDOR" = XK5SSL; then
AC_DEFINE([COMPILED_WITH_SSL], 1, [define if using k5ssl + openssl (please do not use this symbol for conditional compilation)])
K5SUPPORT=' danish.o nfold.o'
if test "X$KRB5CFLAGS" != X; then
AC_MSG_WARN([-with-ssl, but KRB5CFLAGS is set])
fi
if test "X$KRB5LIBS" != X; then
AC_MSG_WARN([-with-ssl, but KRB5LIBS is set])
fi
KRB5LIBS='${TOP_LIBDIR}/libk5ssl.a '"$SSLLIBS"' ${TOP_LIBDIR}/libcom_err.a'
AC_MSG_RESULT([Using internal K5SSL Kerberos V implementation])
AC_DEFINE([HAVE_KRB5_CREDS_KEYBLOCK], 1, [define if krb5_creds has keyblock])
AC_DEFINE([HAVE_KRB5_PRINC_SIZE], 1, [define if krb5_princ_size exists])
fi
if test "X$KRB5VENDOR" != X && test "X$KRB5VENDOR" != XK5SSL; then
AC_MSG_RESULT([Configuring support for Kerberos 5 utilities])
BUILD_KRB5=yes
save_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
save_LIBS="$LIBS"
@ -67,7 +219,6 @@ if test X$conf_krb5 = XYES; then
AC_DEFINE([HAVE_KRB524_CONVERT_CREDS_KDC], 1,
[Define to 1 if you have the `krb524_convert_creds_kdc' function.])])])])
AC_CHECK_HEADERS([kerberosIV/krb.h])
AC_CHECK_HEADERS([kerberosV/heim_err.h])
AC_MSG_CHECKING(for krb5_creds.keyblock existence)
AC_CACHE_VAL(ac_cv_krb5_creds_keyblock_exists,
@ -90,21 +241,46 @@ printf("%x\n", _c.session);],
ac_cv_krb5_creds_session_exists=yes,
ac_cv_krb5_creds_session_exists=no)])
AC_MSG_RESULT($ac_cv_krb5_creds_session_exists)
if test "x$ac_cv_krb5_creds_keyblock_exists" = "xyes"; then
AC_DEFINE(HAVE_KRB5_CREDS_KEYBLOCK, 1, [define if krb5_creds has keyblock])
fi
if test "x$ac_cv_krb5_creds_session_exists" = "xyes"; then
AC_DEFINE(HAVE_KRB5_CREDS_SESSION, 1, [define if krb5_creds has session])
fi
dnl AC_CHECK_MEMBERS([krb5_creds.keyblock, krb5_creds.session],,, [#include <krb5.h>])
CPPFLAGS="$save_CPPFLAGS"
LIBS="$save_LIBS"
fi
if test "X$KRB5VENDOR" = XK5SSL; then
AC_MSG_RESULT([Configuring built-in support for Kerberos 5])
ac_cv_krb5_creds_keyblock_exists=yes;
AC_DEFINE([HAVE_KRB5_PRINC_SIZE], 1, [define if krb5_princ_size exists])
fi
AC_SUBST(BUILD_KRB5)
if test "x$ac_cv_krb5_creds_keyblock_exists" = xyes; then
AC_DEFINE([HAVE_KRB5_CREDS_KEYBLOCK], 1, [define if krb5_creds has keyblock])
fi
if test "x$ac_cv_krb5_creds_session_exists" = xyes; then
AC_DEFINE([HAVE_KRB5_CREDS_SESSION], 1, [define if krb5_creds has session])
fi
else AC_MSG_RESULT([Krb5 not configured. XXX])
fi
KAUTH_KLOG_SUFFIX=''
if test "$BUILD_KRB5" = "yes"; then
KAUTH_KLOG_SUFFIX='.ka'
DISABLE_KRB5='#'
else
ENABLE_KRB5='#'
fi
AC_SUBST(DISABLE_KRB5)
AC_SUBST(ENABLE_KRB5)
AC_SUBST(KRB5CFLAGS)
AC_SUBST(KRB5LIBS)
dnl KRB5LIBS_RAW is not used; only output in case -lcom_err is missed.
AC_SUBST(KRB5LIBS_RAW)
AC_SUBST(FIXUP_K5LIBDIR)
AC_SUBST(LIBFIXUPKRB5)
AC_SUBST(K5SUPPORT)
AC_SUBST(NEED_RXK5_FIXUPS)
AC_SUBST(NEED_NFOLD)
AC_SUBST(NEED_DANISH)
AC_SUBST(KAUTH_KLOG_SUFFIX)
])dnl
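Review bot: In the heuristic branch `KRB5PREFIX="-I$with_krb5"` stores a compiler flag in a variable that the Heimdal block later treats as a directory (`FIXUP_K5LIBDIR="$KRB5PREFIX/lib"`), which yields `-I/path/lib`; it should be `KRB5PREFIX="$with_krb5"`, matching the plain `--prefix` value assigned in the krb5-config branch. Separately, `kludge_need_parse_units_h` is assigned only inside the commands of `AC_CACHE_VAL(ac_cv_heimdal_style_krb5_keyblock, ...)`, so on a run that reuses config.cache it stays empty and `HAVE_PARSE_UNITS_H` is silently not defined; giving it its own `ac_cv_*` cache name would make the result survive caching. The several `AC_MSG_RESULT([... XXX])` lines read as debugging output left in. The OPENAFS_KRB5CONF macro opens before the first hunk.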


@ -8,7 +8,7 @@ CFLAGS += $CPPFLAGS
obj-m += conftest.o
_ACEOF
cat >conftest.dir/conftest.c <<\_ACEOF &&
cat >conftest.dir/conftest.c <<_ACEOF &&
#include <linux/module.h>
$1
@ -19,8 +19,9 @@ $2
MODULE_LICENSE("http://www.openafs.org/dl/license10.html");
_ACEOF
echo make -C $LINUX_KERNEL_PATH M=$SRCDIR_PARENT/conftest.dir modules KBUILD_VERBOSE=1 >&AS_MESSAGE_LOG_FD
make -C $LINUX_KERNEL_PATH M=$SRCDIR_PARENT/conftest.dir modules KBUILD_VERBOSE=1 >&AS_MESSAGE_LOG_FD 2>conftest.err
echo make -C $LINUX_KERNEL_PATH M=$SRCDIR_PARENT/conftest.dir modules KBUILD_VERBOSE=1 >&AS_MESSAGE_LOG_FD &&
make -C $LINUX_KERNEL_PATH M=$SRCDIR_PARENT/conftest.dir modules KBUILD_VERBOSE=1 >&AS_MESSAGE_LOG_FD 2>conftest.err &&
test -f conftest.dir/conftest.ko
then [$3]
else
sed '/^ *+/d' conftest.err >&AS_MESSAGE_LOG_FD
@ -46,7 +47,7 @@ AC_DEFUN([AC_TRY_KBUILD24], [
# [ACTION-IF-SUCCESS], [ACTION-IF-FAILURE])
#
AC_DEFUN([AC_TRY_KBUILD], [
if test -f $LINUX_KERNEL_PATH/scripts/Makefile.build; then
if test -d $LINUX_KERNEL_PATH/scripts/kconfig; then
AC_TRY_KBUILD26([$1], [$2], [$3], [$4])
else
AC_TRY_KBUILD24([$1], [$2], [$3], [$4])
@ -54,6 +55,21 @@ AC_DEFUN([AC_TRY_KBUILD], [
AC_DEFUN([LINUX_KERNEL_COMPILE_WORKS], [
AC_MSG_CHECKING([for linux kernel module build works])
AC_TRY_KBUILD([],[],:,AC_MSG_RESULT(no)
if test -f $LINUX_KERNEL_PATH/scripts/Makefile.build; then
openafs_lkcw_cmpop='<'; openafs_lkcw_testop='-lt'
else
openafs_lkcw_cmpop='>='; openafs_lkcw_testop='-ge'
fi
if test "`echo $AFS_SYSNAME | sed 's;.*linux-*;;'`" $openafs_lkcw_testop 26
then
openafs_lkcw_cmpop='lose; sysname and kernel path not consistent'
fi
AC_TRY_KBUILD(
[#include <linux/version.h>],
[/* sysname is $AFS_SYSNAME; kernel_path is $LINUX_KERNEL_PATH */
#if LINUX_VERSION_CODE $openafs_lkcw_cmpop KERNEL_VERSION(2,6,0)
lose
#endif
],:,AC_MSG_RESULT(no)
AC_MSG_FAILURE([Fix problem or use --disable-kernel-module...]))
AC_MSG_RESULT(yes)])
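Review bot: Changing the conftest.c here-document from `<<\_ACEOF` to `<<_ACEOF` makes the shell expand `$`, backquotes and backslashes in every caller's test body, not only the new `$openafs_lkcw_cmpop` use in LINUX_KERNEL_COMPILE_WORKS, so any existing AC_TRY_KBUILD body containing a literal `$` now changes meaning; the macro's header comment should state `# The prologue and body are subject to shell expansion ($, backquotes, backslashes).`. The 2.6 detection is also inconsistent after this change: AC_TRY_KBUILD now keys on `scripts/kconfig`, while LINUX_KERNEL_COMPILE_WORKS below (and LINUX_KERNEL_GET_KCC in the next file) still test `scripts/Makefile.build`, so the two can disagree on a tree that has one but not the other; one predicate should be used everywhere. `test "`echo $AFS_SYSNAME | sed 's;.*linux-*;;'`" $openafs_lkcw_testop 26` errors out rather than failing cleanly when the sysname has no trailing version digits.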


@ -2,7 +2,8 @@ dnl LINUX_BUILD_VNODE_FROM_INODE (configdir, outputdir, tmpldir)
dnl defaults: (src/config, src/afs/LINUX, src/afs/linux)
AC_DEFUN([LINUX_BUILD_VNODE_FROM_INODE], [
AC_MSG_CHECKING(whether to build osi_vfs.h)
dnl AC_MSG_CHECKING(whether to build osi_vfs.h)
AC_MSG_NOTICE(customizing osi_vfs.h)
configdir=ifelse([$1], ,[src/config],$1)
outputdir=ifelse([$2], ,[src/afs/LINUX],$2)
tmpldir=ifelse([$3], ,[src/afs/LINUX],$3)


@ -1,73 +1,80 @@
AC_DEFUN([OPENAFS_GCC_SUPPORTS_MARCH], [
AC_MSG_CHECKING(if $CC accepts -march=pentium)
save_CFLAGS="$CFLAGS"
CFLAGS="-MARCH=pentium"
AC_CACHE_VAL(openafs_gcc_supports_march,[
AC_TRY_COMPILE(
[],
[int x;],
openafs_gcc_supports_march=yes,
openafs_gcc_supports_march=no)])
AC_MSG_RESULT($openafs_gcc_supports_march)
if test x$openafs_gcc_supports_march = xyes; then
P5PLUS_KOPTS="-march=pentium"
else
P5PLUS_KOPTS="-m486 -malign-loops=2 -malign-jumps=2 -malign-functions=2"
fi
CFLAGS="$save_CFLAGS"
])
dnl AC_DEFUN([OPENAFS_GCC_SUPPORTS_NO_COMMON], [
dnl AC_MSG_CHECKING(if $CC supports -fno-common)
dnl save_CFLAGS="$CFLAGS"
dnl CFLAGS="-fno-common"
dnl AC_CACHE_VAL(openafs_gcc_supports_no_common,[
dnl AC_TRY_COMPILE(
dnl [],
dnl [int x;],
dnl openafs_gcc_supports_no_common=yes,
dnl openafs_gcc_supports_no_common=no)])
dnl AC_MSG_RESULT($openafs_gcc_supports_no_common)
dnl if test x$openafs_gcc_supports_no_common = xyes; then
dnl LINUX_KCFLAGS="$LINUX_KCFLAGS -fno-common"
dnl fi
dnl CFLAGS="$save_CFLAGS"
dnl ])
AC_DEFUN([OPENAFS_GCC_NEEDS_NO_STRICT_ALIASING], [
AC_MSG_CHECKING(if $CC needs -fno-strict-aliasing)
save_CFLAGS="$CFLAGS"
CFLAGS="-fno-strict-aliasing"
AC_CACHE_VAL(openafs_gcc_needs_no_strict_aliasing,[
AC_TRY_COMPILE(
[],
[int x;],
openafs_gcc_needs_no_strict_aliasing=yes,
openafs_gcc_needs_no_strict_aliasing=no)])
AC_MSG_RESULT($openafs_gcc_needs_no_strict_aliasing)
if test x$openafs_gcc_needs_no_strict_aliasing = xyes; then
LINUX_GCC_KOPTS="$LINUX_GCC_KOPTS -fno-strict-aliasing"
fi
CFLAGS="$save_CFLAGS"
])
AC_DEFUN([LINUX_KERNEL_HAS_NFSSRV], [
AC_MSG_CHECKING(if kernel has nfs support)
AC_CACHE_VAL([ac_cv_linux_kernel_has_nfssrv],[
AC_TRY_KBUILD(
[#include <linux/sunrpc/svc.h>
#include <linux/sunrpc/svcauth.h>],
[#ifdef CONFIG_SUNRPC_SECURE
rpc_flavor_t x = 0;
struct auth_ops *ops = 0;
svc_auth_register(x, ops);
#else
lose
#endif],
ac_cv_linux_kernel_has_nfssrv=yes,
ac_cv_linux_kernel_has_nfssrv=no)])
AC_MSG_RESULT($ac_cv_linux_kernel_has_nfssrv)])
AC_DEFUN([OPENAFS_GCC_NEEDS_NO_STRENGTH_REDUCE], [
AC_MSG_CHECKING(if $CC needs -fno-strength-reduce)
save_CFLAGS="$CFLAGS"
CFLAGS="-fno-strength-reduce"
AC_CACHE_VAL(openafs_gcc_needs_no_strength_reduce,[
AC_TRY_COMPILE(
[],
[int x;],
openafs_gcc_needs_no_strength_reduce=yes,
openafs_gcc_needs_no_strength_reduce=no)])
AC_MSG_RESULT($openafs_gcc_needs_no_strength_reduce)
if test x$openafs_gcc_needs_no_strength_reduce = xyes; then
LINUX_GCC_KOPTS="$LINUX_GCC_KOPTS -fno-strength-reduce"
fi
CFLAGS="$save_CFLAGS"
])
AC_DEFUN([OPENAFS_GCC_SUPPORTS_NO_COMMON], [
AC_MSG_CHECKING(if $CC supports -fno-common)
save_CFLAGS="$CFLAGS"
CFLAGS="-fno-common"
AC_CACHE_VAL(openafs_gcc_supports_no_common,[
AC_TRY_COMPILE(
[],
[int x;],
openafs_gcc_supports_no_common=yes,
openafs_gcc_supports_no_common=no)])
AC_MSG_RESULT($openafs_gcc_supports_no_common)
if test x$openafs_gcc_supports_no_common = xyes; then
LINUX_GCC_KOPTS="$LINUX_GCC_KOPTS -fno-common"
fi
CFLAGS="$save_CFLAGS"
])
AC_DEFUN([LINUX_KERNEL_GET_KCC], [
AC_MSG_NOTICE([kernel compilation options])
if mkdir conftest.dir &&
cat >conftest.dir/conftest.mk <<'_ACEOF' &&
include Makefile
cflags:; @echo CFLAGS=$[](CFLAGS)
cc:; @echo CC=$[](CC)
_ACEOF
cat >conftest.dir/conftest.sh <<'_ACEOF' &&
KBUILD_SRC=$[]1
shift
make -C "$[]KBUILD_SRC" -f `pwd`/conftest.dir/conftest.mk KBUILD_SRC="$[]KBUILD_SRC" M=`pwd` V=1 "$[]@"
_ACEOF
echo sh conftest.dir/conftest.sh $LINUX_KERNEL_PATH cc cflags >&AS_MESSAGE_LOG_FD
sh conftest.dir/conftest.sh $LINUX_KERNEL_PATH cc cflags 2>conftest.err >conftest.out
then
LINUX_KCC="`sed -n 's/^CC=//p' conftest.out`"
LINUX_KCFLAGS="`sed -n 's/^CFLAGS=//p' conftest.out`"
else
sed '/^ *+/d' conftest.err >&AS_MESSAGE_LOG_FD
echo "$as_me: failed using conftestdir.dir/conftest.mk:" >&AS_MESSAGE_LOG_FD
sed 's/^/| /' conftest.dir/conftest.mk >&AS_MESSAGE_LOG_FD
echo "$as_me: and conftest.dir/conftest.sh was:" >&AS_MESSAGE_LOG_FD
sed 's/^/| /' conftest.dir/conftest.sh >&AS_MESSAGE_LOG_FD
AC_MSG_FAILURE([Fix problem or use --disable-kernel-module...])
fi; rm -fr conftest.err conftest.out conftest.dir
# for 2.6: empty LINUX_KCFLAGS or replace with fixed -Iarch/um/include
if test -f $LINUX_KERNEL_PATH/scripts/Makefile.build; then
LINUX_KCFLAGS=`echo "$LINUX_KCFLAGS" | sed "s/ */ /g
s/"'$'"/ /
: again
h
s/ .*//
/-I[[^\/]]/{
s%-I%-I$LINUX_KERNEL_PATH/%
p
}
g
s/^[[^ ]]* //
t again
d"`
fi])
AC_DEFUN([OPENAFS_GCC_SUPPORTS_PIPE], [
AC_MSG_CHECKING(if $CC supports -pipe)
@ -81,7 +88,10 @@ openafs_gcc_supports_pipe=yes,
openafs_gcc_supports_pipe=no)])
AC_MSG_RESULT($openafs_gcc_supports_pipe)
if test x$openafs_gcc_supports_pipe = xyes; then
LINUX_GCC_KOPTS="$LINUX_GCC_KOPTS -pipe"
LINUX_KCFLAGS="$LINUX_KCFLAGS -pipe"
fi
CFLAGS="$save_CFLAGS"
])
AC_SUBST(LINUX_KCC)
AC_SUBST(LINUX_KCFLAGS)
AC_SUBST(NFSSRV)
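Review bot: LINUX_KERNEL_GET_KCC's failure path logs "failed using conftestdir.dir/conftest.mk" while the file it actually writes is `conftest.dir/conftest.mk`; the line should be `echo "$as_me: failed using conftest.dir/conftest.mk:" >&AS_MESSAGE_LOG_FD`. On the two `sh conftest.dir/conftest.sh $LINUX_KERNEL_PATH cc cflags` lines the kernel path is unquoted, so a path containing spaces splits into extra arguments; write `"$LINUX_KERNEL_PATH"`. Whichever side it is on, `CFLAGS="-MARCH=pentium"` does not test the `-march=pentium` flag the check message names, and an unrecognised option makes the probe answer no regardless of compiler support; `CFLAGS="-march=pentium"` is what OPENAFS_GCC_SUPPORTS_MARCH advertises.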


@ -20,4 +20,23 @@ r = res_search( host, C_IN, T_MX, (u_char *)&ans, sizeof(ans));
return 0;
],
ac_cv_func_res_search=yes)
AC_TRY_LINK([
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#ifdef HAVE_ARPA_NAMESER_COMPAT_H
#include <arpa/nameser_compat.h>
#endif
#include <resolv.h>],
[
struct __res_state nstate[1];
unsigned char reply[1024];
int r;
memset(nstate, 0, sizeof *nstate);
r = res_ninit(nstate);
r = res_nsearch(nstate, "openafs.org", C_IN, T_SRV, reply, sizeof reply);
res_nclose(nstate);
return 0;
],
ac_cv_func_res_nclose=yes)
])
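Review bot: The new AC_TRY_LINK sets `ac_cv_func_res_nclose=yes` on success but has no action-if-failed, so when the link fails the variable is left unset rather than `no`; add `, ac_cv_func_res_nclose=no` as the final argument so later tests see a definite value. The test program also calls `memset` without `#include <string.h>`, which compilers that reject implicit declarations will turn into a false negative; add `#include <string.h>` to the include list. `T_SRV` is not provided by every `arpa/nameser.h`, so the same false negative may occur on older resolver headers — worth confirming on the platforms this targets. The enclosing macro starts before the hunk.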


@ -11,7 +11,7 @@ ac_cv_solaris_ufsvfs_has_dqrwlock=yes,
ac_cv_solaris_ufsvfs_has_dqrwlock=no)])
AC_MSG_RESULT($ac_cv_solaris_ufsvfs_has_dqrwlock)
if test "$ac_cv_solaris_ufsvfs_has_dqrwlock" = "yes"; then
AC_DEFINE(HAVE_VFS_DQRWLOCK, 1, [define if struct ufsvfs has vfs_dqrwlock])
AC_DEFINE([HAVE_VFS_DQRWLOCK], 1, [define if struct ufsvfs has vfs_dqrwlock])
fi
])


@ -10,7 +10,7 @@ ac_cv_solaris_fs_has_fs_rolled=yes,
ac_cv_solaris_fs_has_fs_rolled=no)])
AC_MSG_RESULT($ac_cv_solaris_fs_has_fs_rolled)
if test "$ac_cv_solaris_fs_has_fs_rolled" = "yes"; then
AC_DEFINE(STRUCT_FS_HAS_FS_ROLLED, 1, [define if struct fs has fs_rolled])
AC_DEFINE([STRUCT_FS_HAS_FS_ROLLED], 1, [define if struct fs has fs_rolled])
fi
])


@ -11,7 +11,7 @@ ac_cv_solaris_proc_has_p_corefile=yes,
ac_cv_solaris_proc_has_p_corefile=no)])
AC_MSG_RESULT($ac_cv_solaris_proc_has_p_corefile)
if test "$ac_cv_solaris_proc_has_p_corefile" = "yes"; then
AC_DEFINE(HAVE_P_COREFILE, 1, [define if struct proc has p_corefile])
AC_DEFINE([HAVE_P_COREFILE], 1, [define if struct proc has p_corefile])
fi
])

29
src/cf/ssl.m4 Normal file

@ -0,0 +1,29 @@
dnl
dnl $Id$
dnl
dnl openssl autoconf glue
dnl
AC_DEFUN([OPENAFS_SSL],[
AC_ARG_WITH([ssl], [--with-ssl Support for SSL])
if test X$with_ssl != X; then
conf_ssl=YES
if test X$with_ssl != Xyes; then
SSLINCL="-I$withval/include";
SSLLIBS="-L$withval/lib -lcrypto";
else
SSLLIBS="-lcrypto";
fi
DISABLE_SSL='#'
else
ENABLE_SSL='#'
fi
AC_SUBST(SSLINCL)
AC_SUBST(SSLLIBS)
AC_SUBST(ENABLE_SSL)
AC_SUBST(DISABLE_SSL)
])dnl
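Review bot: `SSLINCL="-I$withval/include"` and `SSLLIBS="-L$withval/lib -lcrypto"` read `$withval`, which autoconf sets while processing an AC_ARG_WITH; here the code runs after `AC_ARG_WITH([ssl], ...)` has completed, so `$withval` holds whatever the most recently processed `--with-*` option left there. Use the option's own variable: `SSLINCL="-I$with_ssl/include"` and `SSLLIBS="-L$with_ssl/lib -lcrypto"`. `test X$with_ssl != X` also treats `--with-ssl=no` as enabling SSL (with_ssl is then the string "no"), so the guard should be `if test "X$with_ssl" != X && test "X$with_ssl" != Xno; then`, which is the form krb5.m4 in this same commit uses for `with_krb5`.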
