* bad, but that's somewhat trickier, due to locking
* constraints (though not impossible).
*/
- if (tc->id && (rx_SecurityClassOf(tc->id) != 0)) {
+ if (tc->id && (rx_SecurityClassOf(tc->id) != RX_SECIDX_NULL)) {
tc->forceConnectFS = 1; /* force recreation of connection */
}
tu->states &= ~UHasTokens; /* remove the authentication info */
conn = rx_ConnectionOf(call); /* call -> conn) */
if (conn) {
secClass = rx_SecurityClassOf(conn); /* conn -> securityIndex */
- if (secClass == 0) { /* unauthenticated */
+ if (secClass == RX_SECIDX_NULL) { /* unauthenticated */
osi_audit("AFS_Aud_Unauth", (-1), AUD_STR, audEvent, AUD_END);
strcpy(afsName, "--UnAuth--");
- } else if (secClass == 2) { /* authenticated */
+ } else if (secClass == RX_SECIDX_KAD) { /* authenticated */
char tcell[MAXKTCREALMLEN];
char name[MAXKTCNAMELEN];
char inst[MAXKTCNAMELEN];
*classes = calloc(*numClasses, sizeof(**classes));
- (*classes)[0] = rxnull_NewServerSecurityObject();
- (*classes)[1] = NULL;
- (*classes)[2] = rxkad_NewKrb5ServerSecurityObject(0, dir,
- afsconf_GetKey,
- _afsconf_GetRxkadKrb5Key,
- NULL);
+ (*classes)[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ (*classes)[RX_SECIDX_VAB] = NULL;
+ (*classes)[RX_SECIDX_KAD] =
+ rxkad_NewKrb5ServerSecurityObject(0, dir, afsconf_GetKey,
+ _afsconf_GetRxkadKrb5Key, NULL);
if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT)
- (*classes)[3] = rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir,
- afsconf_GetKey,
- _afsconf_GetRxkadKrb5Key,
- NULL);
+ (*classes)[RX_SECIDX_KAE] =
+ rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir, afsconf_GetKey,
+ _afsconf_GetRxkadKrb5Key, NULL);
}
#endif
tconn = rx_ConnectionOf(acall);
code = rx_SecurityClassOf(tconn);
- if (code == 0) {
+ if (code == RX_SECIDX_NULL) {
UNLOCK_GLOBAL_MUTEX;
return 0; /* not authenticated at all, answer is no */
- } else if (code == 1) {
+ } else if (code == RX_SECIDX_VAB) {
/* bcrypt tokens */
UNLOCK_GLOBAL_MUTEX;
return 0; /* not supported any longer */
- } else if (code == 2) {
+ } else if (code == RX_SECIDX_KAD) {
flag = rxkadSuperUser(adir, acall, identity);
UNLOCK_GLOBAL_MUTEX;
return flag;
#endif
#define BUDB_SERVICE 22314 /* service id */
-#define RX_SCINDEX_NULL 0 /* No security */
-#define RX_SCINDEX_VAB 1 /* vice tokens, with bcrypt */
-#define RX_SCINDEX_KAD 2 /* Kerberos/DES */
-
/* maximums for various text strings
* DON'T alter these values until all disk/tape structures can be handled
* correctly. In particular, volume names are 64.
* security on connections made to this server
*/
- securityObjects[0] = rxnull_NewServerSecurityObject();
- if (!securityObjects[0]) {
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (!securityObjects[RX_SECIDX_NULL]) {
TLog(0, "rxnull_NewServerSecurityObject");
exit(1);
}
int
callPermitted(struct rx_call *call)
{
- /* before this code can be used, the rx connection, on the bucoord side, must */
- /* be changed so that it will set up for token passing instead of using a */
- /* simple rx connection that, below, returns a value of 0 from rx_SecurityClassOf */
+ /*
+ * Before this code can be used, the rx connection, on the bucoord side,
+ * must be changed so that it will set up for token passing instead of
+ * using a simple rx connection that, below, returns a value of
+ * RX_SECIDX_NULL from rx_SecurityClassOf.
+ */
return 1;
}
if (code)
goto abort;
sc = rxnull_NewClientSecurityObject();
- si = RX_SCINDEX_NULL;
+ si = RX_SECIDX_NULL;
conns[0] =
rx_NewConnection(htonl(INADDR_LOOPBACK), htons(AFSCONF_KAUTHPORT),
KA_MAINTENANCE_SERVICE, sc, si);
case KA_TICKET_GRANTING_SERVICE:
no_security:
*scP = rxnull_NewClientSecurityObject();
- *siP = RX_SCINDEX_NULL;
+ *siP = RX_SECIDX_NULL;
break;
case KA_MAINTENANCE_SERVICE:
if (!token)
rxkad_NewClientSecurityObject(rxkad_crypt, &token->sessionKey,
token->kvno, token->ticketLen,
token->ticket);
- *siP = RX_SCINDEX_KAD;
+ *siP = RX_SECIDX_KAD;
break;
default:
UNLOCK_GLOBAL_MUTEX;
noAuthenticationRequired = afsconf_GetNoAuthFlag(KA_conf);
si = rx_SecurityClassOf(rx_ConnectionOf(call));
- if (si == RX_SCINDEX_VAB) {
+ if (si == RX_SECIDX_VAB) {
printf("No support for VAB security module yet.\n");
return -1;
- } else if (si == RX_SCINDEX_NULL) {
+ } else if (si == RX_SECIDX_NULL) {
code = KANOAUTH;
goto no_auth;
- } else if (si != RX_SCINDEX_KAD) {
+ } else if (si != RX_SECIDX_KAD) {
es_Report("Unknown security index %d\n", si);
return -1;
}
exit(2);
}
- sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
+ sca[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
tservice =
rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
- scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
- scm[RX_SCINDEX_VAB] = 0;
- scm[RX_SCINDEX_KAD] =
+ scm[RX_SECIDX_NULL] = sca[RX_SECIDX_NULL];
+ scm[RX_SECIDX_VAB] = 0;
+ scm[RX_SECIDX_KAD] =
rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
tservice =
rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
#define KA_TICKET_GRANTING_SERVICE 732
#define KA_MAINTENANCE_SERVICE 733
-#define RX_SCINDEX_NULL 0 /* No security */
-#define RX_SCINDEX_VAB 1 /* vice tokens, with bcrypt */
-#define RX_SCINDEX_KAD 2 /* Kerberos/DES */
-
#define KA_TGS_NAME "krbtgt"
/* realm is TGS instance */
#define KA_ADMIN_NAME "AuthServer"
int si; /* security class index */
sc = rxnull_NewClientSecurityObject();
- si = RX_SCINDEX_NULL;
+ si = RX_SECIDX_NULL;
conns[0] =
rx_NewConnection(htonl(INADDR_LOOPBACK), htons(AFSCONF_KAUTHPORT),
KA_MAINTENANCE_SERVICE, sc, si);
*aid = ANONYMOUSID;
tconn = rx_ConnectionOf(acall);
code = rx_SecurityClassOf(tconn);
- if (code == 0)
+ if (code == RX_SECIDX_NULL)
return 0;
- else if (code == 1) { /* vab class */
+ else if (code == RX_SECIDX_VAB) {
goto done; /* no longer supported */
- } else if (code == 2) { /* kad class */
+ } else if (code == RX_SECIDX_KAD) {
if ((code = rxkad_GetServerInfo(rx_ConnectionOf(acall), NULL, NULL,
name, inst, tcell, NULL)))
goto done;
%#define BULK_MIN 1
%#define BULK_NAME_MAX 1024
-/* Index of the "null" security class in the BULK service. This must be 0 (there are N classes, numbered from 0. In this case, N is 1) */
-%#define BULK_NULL 0
%#define BULK_ERROR 1 /* Error used to abort a bulk transfer */
null_securityObject = rxnull_NewClientSecurityObject();
conn =
rx_NewConnection(host, BULK_SERVER_PORT, BULK_SERVICE_ID,
- null_securityObject, BULK_NULL);
+ null_securityObject, RX_SECIDX_NULL);
clock_NewTime();
clock_GetTime(&startTime);
Quit("rx_init");
/* Create a single security object, in this case the null security object, for unauthenticated connections, which will be used to control security on connections made to this server */
- securityObjects[BULK_NULL] = rxnull_NewServerSecurityObject();
- if (securityObjects[BULK_NULL] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
Quit("rxnull_NewServerSecurityObject");
/* Instantiate a single BULK service. The rxgen-generated procedure which is called to decode requests is passed in here (BULK_ExecuteRequest). */
/* Minimum number of requests that are guaranteed to be handled immediately */
%#define BULK_MIN 1
-/* Index of the "null" security class in the BULK service. This must be 0 (there are N classes, numbered from 0. In this case, N is 1) */
-%#define BULK_NULL 0
-
%#define BULK_ERROR 1 /* Error used to abort a bulk transfer */
host = GetIpAddress(hostname);
conn =
rx_NewConnection(host, BULK_SERVER_PORT, BULK_SERVICE_ID,
- null_securityObject, BULK_NULL);
+ null_securityObject, RX_SECIDX_NULL);
} else if (strcmp(*argv, "-f") == 0)
store = 0;
else if (strcmp(*argv, "-s") == 0)
Quit("rx_init");
/* Create a single security object, in this case the null security object, for unauthenticated connections, which will be used to control security on connections made to this server */
- securityObjects[BULK_NULL] = rxnull_NewServerSecurityObject();
- if (securityObjects[BULK_NULL] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
Quit("rxnull_NewServerSecurityObject");
/* Instantiate a single BULK service. The rxgen-generated procedure which is called to decode requests is passed in here (BULK_ExecuteRequest). */
/* Minimum number of requests that are guaranteed to be handled immediately */
#define SAMPLE_MIN 1
-/* Index of the "null" security class in the sample service. This must be 0 (there are N classes, numbered from 0. In this case, N is 1) */
-#define SAMPLE_NULL 0
-
/* The "multi" flag, below, tells rxgen to create appropriate stubs for multi rx */
Add(IN int verbose, int a, int b, OUT int *result) multi = 1;
Sub(IN int verbose, int a, int b, OUT int *result) multi = 2;
conns[i] =
rx_NewConnection(host[i].ipaddr, SAMPLE_SERVER_PORT,
SAMPLE_SERVICE_ID, null_securityObject,
- SAMPLE_NULL);
+ RX_SECIDX_NULL);
}
clock_NewTime();
Quit("rx_init");
/* Create a single security object, in this case the null security object, for unauthenticated connections, which will be used to control security on connections made to this server */
- securityObjects[SAMPLE_NULL] = rxnull_NewServerSecurityObject();
- if (securityObjects[SAMPLE_NULL] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
Quit("rxnull_NewServerSecurityObject");
/* Instantiate a single sample service. The rxgen-generated procedure which is called to decode requests is passed in here (TEST_ExecuteRequest). */
#define RX_RESTARTING (-100)
typedef enum {
- RX_SECIDX_NULL = 0,
- RX_SECIDX_KAD = 2,
- RX_SECIDX_GK = 4,
- RX_SECIDX_K5 = 5,
+ RX_SECIDX_NULL = 0, /** rxnull, no security. */
+ RX_SECIDX_VAB = 1, /** vice tokens with bcrypt. Unused. */
+ RX_SECIDX_KAD = 2, /** kerberos/DES. */
+ RX_SECIDX_KAE = 3, /** rxkad, but always encrypt. */
+ RX_SECIDX_GK = 4, /** rxgk, RFC 3961 crypto. */
+ RX_SECIDX_K5 = 5, /** kerberos 5 tickets as tokens. */
} rx_securityIndex;
struct rx_securityObjectStats {
/* Minimum number of requests that are guaranteed to be handled immediately */
%#define SAMPLE_MIN 1
-/* Index of the "null" security class in the sample service. This must be 0 (there are N classes, numbered from 0. In this case, N is 1) */
-%#define SAMPLE_NULL 0
-
-
Add(IN int a, int b, OUT int *result) = 1;
Sub(IN int a, int b, OUT int *result) = 2;
null_securityObject = rxnull_NewClientSecurityObject();
conn =
rx_NewConnection(host, SAMPLE_SERVER_PORT, SAMPLE_SERVICE_ID,
- null_securityObject, SAMPLE_NULL);
+ null_securityObject, RX_SECIDX_NULL);
for (i = 1; i < 10; i++) {
int error, result;
printf("add(%d,%d)", i, i * 2);
Quit("rx_init");
/* Create a single security object, in this case the null security object, for unauthenticated connections, which will be used to control security on connections made to this server */
- securityObjects[SAMPLE_NULL] = rxnull_NewServerSecurityObject();
- if (securityObjects[SAMPLE_NULL] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
Quit("rxnull_NewServerSecurityObject");
/* Instantiate a single sample service. The rxgen-generated procedure which is called to decode requests is passed in here (TEST_ExecuteRequest). */
continue;
if (onlyAuth != 999) {
if (onlyAuth == -1) {
- if (tconn.securityIndex != 0)
+ if (tconn.securityIndex != RX_SECIDX_NULL)
continue;
} else {
- if (tconn.securityIndex != 2)
+ if (tconn.securityIndex != RX_SECIDX_KAD)
continue;
if (withSecStats && (tconn.secStats.type == 3)
&& (tconn.secStats.level != onlyAuth))
if (withSecStats) {
switch ((int)tconn.secStats.type) {
case 0:
- if (tconn.securityIndex == 2)
+ if (tconn.securityIndex == RX_SECIDX_KAD)
printf
(" no GetStats procedure for security object\n");
break;
unsigned int expiration; /* checked by Security Module */
si = rx_SecurityClassOf(rx_ConnectionOf(call));
- if (si == 1) {
+ if (si == RX_SECIDX_VAB) {
printf("No support for VAB security module.\n");
return -1;
- } else if (si == 0) {
+ } else if (si == RX_SECIDX_NULL) {
if (minAuth > -1)
return RXKST_UNAUTH;
else
return 0;
- } else if (si != 2) {
+ } else if (si != RX_SECIDX_KAD) {
fprintf(stderr, "Unknown security index %d\n", si);
return -1;
}
null_securityObject = rxnull_NewClientSecurityObject();
conn =
rx_NewConnection(host, htons(AFSCONF_RMTSYSPORT), RMTSYS_SERVICEID,
- null_securityObject, 0);
+ null_securityObject, RX_SECIDX_NULL);
if (!conn) {
printf("Unable to make a new connection\n");
*errorcode = -1;
/* Initialize the rx-based RMTSYS server */
if (rx_Init(htons(AFSCONF_RMTSYSPORT)) < 0)
rmt_Quit("rx_init");
- securityObjects[0] = rxnull_NewServerSecurityObject();
- if (securityObjects[0] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
rmt_Quit("rxnull_NewServerSecurityObject");
service =
rx_NewService(0, RMTSYS_SERVICEID, AFSCONF_RMTSYSSERVICE,
/* Initialize the rx-based RMTSYS server */
if (rx_Init(htons(AFSCONF_RMTSYSPORT)) < 0)
rmt_Quit("rx_init");
- securityObjects[0] = rxnull_NewServerSecurityObject();
- if (securityObjects[0] == (struct rx_securityClass *)0)
+ securityObjects[RX_SECIDX_NULL] = rxnull_NewServerSecurityObject();
+ if (securityObjects[RX_SECIDX_NULL] == (struct rx_securityClass *)0)
rmt_Quit("rxnull_NewServerSecurityObject");
service =
rx_NewService(0, RMTSYS_SERVICEID, AFSCONF_RMTSYSSERVICE,
if (!afsconf_SuperUser(cdir, call, NULL))
return 0;
- if (rx_SecurityClassOf(rx_ConnectionOf(call)) == 2) {
+ if (rx_SecurityClassOf(rx_ConnectionOf(call)) == RX_SECIDX_KAD) {
code = rxkad_GetServerInfo(rx_ConnectionOf(call), &level, 0, 0, 0, 0, 0);
if (code)
return 0;
ViceLog(5,
("FindClient: authenticating connection: authClass=%d\n",
authClass));
- if (authClass == 1) {
+ if (authClass == RX_SECIDX_VAB) {
/* A bcrypt tickets, no longer supported */
ViceLog(1, ("FindClient: bcrypt ticket, using AnonymousID\n"));
return 0;
}
- if (authClass == 2) {
+ if (authClass == RX_SECIDX_KAD) {
/* an rxkad ticket */
afs_int32 kvno;
afs_int32 islocal;
projects / packages / o / openafs.git / commitdiff