xref: /freebsd/usr.sbin/gssd/gssd.c (revision 1fdeb1651cdf0032c6cf77ee8bd3fe889ca3d074)
1 /*-
2  * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3  * Authors: Doug Rabson <dfr@rabson.org>
4  * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <sys/stat.h>
33 #include <sys/linker.h>
34 #include <sys/module.h>
35 #include <sys/queue.h>
36 #include <sys/syslog.h>
37 #include <ctype.h>
38 #include <dirent.h>
39 #include <err.h>
40 #include <errno.h>
41 #ifndef WITHOUT_KERBEROS
42 #include <krb5.h>
43 #endif
44 #include <pwd.h>
45 #include <signal.h>
46 #include <stdarg.h>
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 #include <unistd.h>
51 #include <gssapi/gssapi.h>
52 #include <rpc/rpc.h>
53 #include <rpc/rpc_com.h>
54 
55 #include "gssd.h"
56 
57 #ifndef _PATH_GSS_MECH
58 #define _PATH_GSS_MECH	"/etc/gss/mech"
59 #endif
60 #ifndef _PATH_GSSDSOCK
61 #define _PATH_GSSDSOCK	"/var/run/gssd.sock"
62 #endif
63 
64 struct gss_resource {
65 	LIST_ENTRY(gss_resource) gr_link;
66 	uint64_t	gr_id;	/* indentifier exported to kernel */
67 	void*		gr_res;	/* GSS-API resource pointer */
68 };
69 LIST_HEAD(gss_resource_list, gss_resource) gss_resources;
70 int gss_resource_count;
71 uint32_t gss_next_id;
72 uint32_t gss_start_time;
73 int debug_level;
74 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
75 static char pref_realm[1024];
76 static int verbose;
77 static int use_old_des;
78 #ifndef WITHOUT_KERBEROS
79 /* 1.2.752.43.13.14 */
80 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
81 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
82 static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
83     &gss_krb5_set_allowable_enctypes_x_desc;
84 static gss_OID_desc gss_krb5_mech_oid_x_desc =
85 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
86 static gss_OID GSS_KRB5_MECH_OID_X =
87     &gss_krb5_mech_oid_x_desc;
88 #endif
89 
90 static void gssd_load_mech(void);
91 static int find_ccache_file(const char *, uid_t, char *);
92 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
93 static void gssd_verbose_out(const char *, ...);
94 #ifndef WITHOUT_KERBEROS
95 static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
96 #endif
97 
98 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
99 extern int gssd_syscall(char *path);
100 
101 int
102 main(int argc, char **argv)
103 {
104 	/*
105 	 * We provide an RPC service on a local-domain socket. The
106 	 * kernel's GSS-API code will pass what it can't handle
107 	 * directly to us.
108 	 */
109 	struct sockaddr_un sun;
110 	int fd, oldmask, ch, debug;
111 	SVCXPRT *xprt;
112 
113 	/*
114 	 * Initialize the credential cache file name substring and the
115 	 * search directory list.
116 	 */
117 	strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring));
118 	ccfile_dirlist[0] = '\0';
119 	pref_realm[0] = '\0';
120 	debug = 0;
121 	verbose = 0;
122 	while ((ch = getopt(argc, argv, "dovs:c:r:")) != -1) {
123 		switch (ch) {
124 		case 'd':
125 			debug_level++;
126 			break;
127 		case 'o':
128 #ifndef WITHOUT_KERBEROS
129 			/*
130 			 * Force use of DES and the old type of GSSAPI token.
131 			 */
132 			use_old_des = 1;
133 #else
134 			errx(1, "This option not available when built"
135 			    " without MK_KERBEROS\n");
136 #endif
137 			break;
138 		case 'v':
139 			verbose = 1;
140 			break;
141 		case 's':
142 #ifndef WITHOUT_KERBEROS
143 			/*
144 			 * Set the directory search list. This enables use of
145 			 * find_ccache_file() to search the directories for a
146 			 * suitable credentials cache file.
147 			 */
148 			strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
149 #else
150 			errx(1, "This option not available when built"
151 			    " without MK_KERBEROS\n");
152 #endif
153 			break;
154 		case 'c':
155 			/*
156 			 * Specify a non-default credential cache file
157 			 * substring.
158 			 */
159 			strlcpy(ccfile_substring, optarg,
160 			    sizeof(ccfile_substring));
161 			break;
162 		case 'r':
163 			/*
164 			 * Set the preferred realm for the credential cache tgt.
165 			 */
166 			strlcpy(pref_realm, optarg, sizeof(pref_realm));
167 			break;
168 		default:
169 			fprintf(stderr,
170 			    "usage: %s [-d] [-s dir-list] [-c file-substring]"
171 			    " [-r preferred-realm]\n", argv[0]);
172 			exit(1);
173 			break;
174 		}
175 	}
176 
177 	gssd_load_mech();
178 
179 	if (!debug_level) {
180 		daemon(0, 0);
181 		signal(SIGINT, SIG_IGN);
182 		signal(SIGQUIT, SIG_IGN);
183 		signal(SIGHUP, SIG_IGN);
184 	}
185 
186 	memset(&sun, 0, sizeof sun);
187 	sun.sun_family = AF_LOCAL;
188 	unlink(_PATH_GSSDSOCK);
189 	strcpy(sun.sun_path, _PATH_GSSDSOCK);
190 	sun.sun_len = SUN_LEN(&sun);
191 	fd = socket(AF_LOCAL, SOCK_STREAM, 0);
192 	if (!fd) {
193 		if (debug_level == 0) {
194 			syslog(LOG_ERR, "Can't create local gssd socket");
195 			exit(1);
196 		}
197 		err(1, "Can't create local gssd socket");
198 	}
199 	oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
200 	if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) {
201 		if (debug_level == 0) {
202 			syslog(LOG_ERR, "Can't bind local gssd socket");
203 			exit(1);
204 		}
205 		err(1, "Can't bind local gssd socket");
206 	}
207 	umask(oldmask);
208 	if (listen(fd, SOMAXCONN) < 0) {
209 		if (debug_level == 0) {
210 			syslog(LOG_ERR, "Can't listen on local gssd socket");
211 			exit(1);
212 		}
213 		err(1, "Can't listen on local gssd socket");
214 	}
215 	xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
216 	if (!xprt) {
217 		if (debug_level == 0) {
218 			syslog(LOG_ERR,
219 			    "Can't create transport for local gssd socket");
220 			exit(1);
221 		}
222 		err(1, "Can't create transport for local gssd socket");
223 	}
224 	if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) {
225 		if (debug_level == 0) {
226 			syslog(LOG_ERR,
227 			    "Can't register service for local gssd socket");
228 			exit(1);
229 		}
230 		err(1, "Can't register service for local gssd socket");
231 	}
232 
233 	LIST_INIT(&gss_resources);
234 	gss_next_id = 1;
235 	gss_start_time = time(0);
236 
237 	gssd_syscall(_PATH_GSSDSOCK);
238 	svc_run();
239 
240 	return (0);
241 }
242 
243 static void
244 gssd_load_mech(void)
245 {
246 	FILE		*fp;
247 	char		buf[256];
248 	char		*p;
249 	char		*name, *oid, *lib, *kobj;
250 
251 	fp = fopen(_PATH_GSS_MECH, "r");
252 	if (!fp)
253 		return;
254 
255 	while (fgets(buf, sizeof(buf), fp)) {
256 		if (*buf == '#')
257 			continue;
258 		p = buf;
259 		name = strsep(&p, "\t\n ");
260 		if (p) while (isspace(*p)) p++;
261 		oid = strsep(&p, "\t\n ");
262 		if (p) while (isspace(*p)) p++;
263 		lib = strsep(&p, "\t\n ");
264 		if (p) while (isspace(*p)) p++;
265 		kobj = strsep(&p, "\t\n ");
266 		if (!name || !oid || !lib || !kobj)
267 			continue;
268 
269 		if (strcmp(kobj, "-")) {
270 			/*
271 			 * Attempt to load the kernel module if its
272 			 * not already present.
273 			 */
274 			if (modfind(kobj) < 0) {
275 				if (kldload(kobj) < 0) {
276 					fprintf(stderr,
277 			"%s: can't find or load kernel module %s for %s\n",
278 					    getprogname(), kobj, name);
279 				}
280 			}
281 		}
282 	}
283 	fclose(fp);
284 }
285 
286 static void *
287 gssd_find_resource(uint64_t id)
288 {
289 	struct gss_resource *gr;
290 
291 	if (!id)
292 		return (NULL);
293 
294 	LIST_FOREACH(gr, &gss_resources, gr_link)
295 		if (gr->gr_id == id)
296 			return (gr->gr_res);
297 
298 	return (NULL);
299 }
300 
301 static uint64_t
302 gssd_make_resource(void *res)
303 {
304 	struct gss_resource *gr;
305 
306 	if (!res)
307 		return (0);
308 
309 	gr = malloc(sizeof(struct gss_resource));
310 	if (!gr)
311 		return (0);
312 	gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32);
313 	gr->gr_res = res;
314 	LIST_INSERT_HEAD(&gss_resources, gr, gr_link);
315 	gss_resource_count++;
316 	if (debug_level > 1)
317 		printf("%d resources allocated\n", gss_resource_count);
318 
319 	return (gr->gr_id);
320 }
321 
322 static void
323 gssd_delete_resource(uint64_t id)
324 {
325 	struct gss_resource *gr;
326 
327 	LIST_FOREACH(gr, &gss_resources, gr_link) {
328 		if (gr->gr_id == id) {
329 			LIST_REMOVE(gr, gr_link);
330 			free(gr);
331 			gss_resource_count--;
332 			if (debug_level > 1)
333 				printf("%d resources allocated\n",
334 				    gss_resource_count);
335 			return;
336 		}
337 	}
338 }
339 
340 static void
341 gssd_verbose_out(const char *fmt, ...)
342 {
343 	va_list ap;
344 
345 	if (verbose != 0) {
346 		va_start(ap, fmt);
347 		if (debug_level == 0)
348 			vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap);
349 		else
350 			vfprintf(stderr, fmt, ap);
351 		va_end(ap);
352 	}
353 }
354 
355 bool_t
356 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
357 {
358 
359 	gssd_verbose_out("gssd_null: done\n");
360 	return (TRUE);
361 }
362 
363 bool_t
364 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
365 {
366 	gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
367 	gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
368 	gss_name_t name = GSS_C_NO_NAME;
369 	char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
370 	int gotone, gotcred;
371 	OM_uint32 min_stat;
372 #ifndef WITHOUT_KERBEROS
373 	gss_buffer_desc principal_desc;
374 	char enctype[sizeof(uint32_t)];
375 	int key_enctype;
376 	OM_uint32 maj_stat;
377 #endif
378 
379 	memset(result, 0, sizeof(*result));
380 	if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
381 		/*
382 		 * For the "-s" case and no credentials provided as an
383 		 * argument, search the directory list for an appropriate
384 		 * credential cache file. If the search fails, return failure.
385 		 */
386 		gotone = 0;
387 		cp = ccfile_dirlist;
388 		do {
389 			cp2 = strchr(cp, ':');
390 			if (cp2 != NULL)
391 				*cp2 = '\0';
392 			gotone = find_ccache_file(cp, argp->uid, ccname);
393 			if (gotone != 0)
394 				break;
395 			if (cp2 != NULL)
396 				*cp2++ = ':';
397 			cp = cp2;
398 		} while (cp != NULL && *cp != '\0');
399 		if (gotone == 0) {
400 			result->major_status = GSS_S_CREDENTIALS_EXPIRED;
401 			gssd_verbose_out("gssd_init_sec_context: -s no"
402 			    " credential cache file found for uid=%d\n",
403 			    (int)argp->uid);
404 			return (TRUE);
405 		}
406 	} else {
407 		/*
408 		 * If there wasn't a "-s" option or the credentials have
409 		 * been provided as an argument, do it the old way.
410 		 * When credentials are provided, the uid should be root.
411 		 */
412 		if (argp->cred != 0 && argp->uid != 0) {
413 			if (debug_level == 0)
414 				syslog(LOG_ERR, "gss_init_sec_context:"
415 				    " cred for non-root");
416 			else
417 				fprintf(stderr, "gss_init_sec_context:"
418 				    " cred for non-root\n");
419 		}
420 		snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
421 		    (int) argp->uid);
422 	}
423 	setenv("KRB5CCNAME", ccname, TRUE);
424 
425 	if (argp->cred) {
426 		cred = gssd_find_resource(argp->cred);
427 		if (!cred) {
428 			result->major_status = GSS_S_CREDENTIALS_EXPIRED;
429 			gssd_verbose_out("gssd_init_sec_context: cred"
430 			    " resource not found\n");
431 			return (TRUE);
432 		}
433 	}
434 	if (argp->ctx) {
435 		ctx = gssd_find_resource(argp->ctx);
436 		if (!ctx) {
437 			result->major_status = GSS_S_CONTEXT_EXPIRED;
438 			gssd_verbose_out("gssd_init_sec_context: context"
439 			    " resource not found\n");
440 			return (TRUE);
441 		}
442 	}
443 	if (argp->name) {
444 		name = gssd_find_resource(argp->name);
445 		if (!name) {
446 			result->major_status = GSS_S_BAD_NAME;
447 			gssd_verbose_out("gssd_init_sec_context: name"
448 			    " resource not found\n");
449 			return (TRUE);
450 		}
451 	}
452 	gotcred = 0;
453 
454 #ifndef WITHOUT_KERBEROS
455 	if (use_old_des != 0) {
456 		if (cred == GSS_C_NO_CREDENTIAL) {
457 			/* Acquire a credential for the uid. */
458 			maj_stat = gssd_get_user_cred(&min_stat, argp->uid,
459 			    &cred);
460 			if (maj_stat == GSS_S_COMPLETE)
461 				gotcred = 1;
462 			else
463 				gssd_verbose_out("gssd_init_sec_context: "
464 				    "get user cred failed uid=%d major=0x%x "
465 				    "minor=%d\n", (int)argp->uid,
466 				    (unsigned int)maj_stat, (int)min_stat);
467 		}
468 		if (cred != GSS_C_NO_CREDENTIAL) {
469 			key_enctype = ETYPE_DES_CBC_CRC;
470 			enctype[0] = (key_enctype >> 24) & 0xff;
471 			enctype[1] = (key_enctype >> 16) & 0xff;
472 			enctype[2] = (key_enctype >> 8) & 0xff;
473 			enctype[3] = key_enctype & 0xff;
474 			principal_desc.length = sizeof(enctype);
475 			principal_desc.value = enctype;
476 			result->major_status = gss_set_cred_option(
477 			    &result->minor_status, &cred,
478 			    GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
479 			    &principal_desc);
480 			gssd_verbose_out("gssd_init_sec_context: set allowable "
481 			    "enctype major=0x%x minor=%d\n",
482 			    (unsigned int)result->major_status,
483 			    (int)result->minor_status);
484 			if (result->major_status != GSS_S_COMPLETE) {
485 				if (gotcred != 0)
486 					gss_release_cred(&min_stat, &cred);
487 				return (TRUE);
488 			}
489 		}
490 	}
491 #endif
492 	result->major_status = gss_init_sec_context(&result->minor_status,
493 	    cred, &ctx, name, argp->mech_type,
494 	    argp->req_flags, argp->time_req, argp->input_chan_bindings,
495 	    &argp->input_token, &result->actual_mech_type,
496 	    &result->output_token, &result->ret_flags, &result->time_rec);
497 	gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d"
498 	    " uid=%d\n", (unsigned int)result->major_status,
499 	    (int)result->minor_status, (int)argp->uid);
500 	if (gotcred != 0)
501 		gss_release_cred(&min_stat, &cred);
502 
503 	if (result->major_status == GSS_S_COMPLETE
504 	    || result->major_status == GSS_S_CONTINUE_NEEDED) {
505 		if (argp->ctx)
506 			result->ctx = argp->ctx;
507 		else
508 			result->ctx = gssd_make_resource(ctx);
509 	}
510 
511 	return (TRUE);
512 }
513 
514 bool_t
515 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp)
516 {
517 	gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
518 	gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
519 	gss_name_t src_name;
520 	gss_cred_id_t delegated_cred_handle;
521 
522 	memset(result, 0, sizeof(*result));
523 	if (argp->ctx) {
524 		ctx = gssd_find_resource(argp->ctx);
525 		if (!ctx) {
526 			result->major_status = GSS_S_CONTEXT_EXPIRED;
527 			gssd_verbose_out("gssd_accept_sec_context: ctx"
528 			    " resource not found\n");
529 			return (TRUE);
530 		}
531 	}
532 	if (argp->cred) {
533 		cred = gssd_find_resource(argp->cred);
534 		if (!cred) {
535 			result->major_status = GSS_S_CREDENTIALS_EXPIRED;
536 			gssd_verbose_out("gssd_accept_sec_context: cred"
537 			    " resource not found\n");
538 			return (TRUE);
539 		}
540 	}
541 
542 	memset(result, 0, sizeof(*result));
543 	result->major_status = gss_accept_sec_context(&result->minor_status,
544 	    &ctx, cred, &argp->input_token, argp->input_chan_bindings,
545 	    &src_name, &result->mech_type, &result->output_token,
546 	    &result->ret_flags, &result->time_rec,
547 	    &delegated_cred_handle);
548 	gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n",
549 	    (unsigned int)result->major_status, (int)result->minor_status);
550 
551 	if (result->major_status == GSS_S_COMPLETE
552 	    || result->major_status == GSS_S_CONTINUE_NEEDED) {
553 		if (argp->ctx)
554 			result->ctx = argp->ctx;
555 		else
556 			result->ctx = gssd_make_resource(ctx);
557 		result->src_name = gssd_make_resource(src_name);
558 		result->delegated_cred_handle =
559 			gssd_make_resource(delegated_cred_handle);
560 	}
561 
562 	return (TRUE);
563 }
564 
565 bool_t
566 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp)
567 {
568 	gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
569 
570 	if (ctx) {
571 		result->major_status = gss_delete_sec_context(
572 			&result->minor_status, &ctx, &result->output_token);
573 		gssd_delete_resource(argp->ctx);
574 	} else {
575 		result->major_status = GSS_S_COMPLETE;
576 		result->minor_status = 0;
577 	}
578 	gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n",
579 	    (unsigned int)result->major_status, (int)result->minor_status);
580 
581 	return (TRUE);
582 }
583 
584 bool_t
585 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp)
586 {
587 	gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
588 
589 	if (ctx) {
590 		result->major_status = gss_export_sec_context(
591 			&result->minor_status, &ctx,
592 			&result->interprocess_token);
593 		result->format = KGSS_HEIMDAL_1_1;
594 		gssd_delete_resource(argp->ctx);
595 	} else {
596 		result->major_status = GSS_S_FAILURE;
597 		result->minor_status = 0;
598 		result->interprocess_token.length = 0;
599 		result->interprocess_token.value = NULL;
600 	}
601 	gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n",
602 	    (unsigned int)result->major_status, (int)result->minor_status);
603 
604 	return (TRUE);
605 }
606 
607 bool_t
608 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp)
609 {
610 	gss_name_t name;
611 
612 	result->major_status = gss_import_name(&result->minor_status,
613 	    &argp->input_name_buffer, argp->input_name_type, &name);
614 	gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n",
615 	    (unsigned int)result->major_status, (int)result->minor_status);
616 
617 	if (result->major_status == GSS_S_COMPLETE)
618 		result->output_name = gssd_make_resource(name);
619 	else
620 		result->output_name = 0;
621 
622 	return (TRUE);
623 }
624 
625 bool_t
626 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp)
627 {
628 	gss_name_t name = gssd_find_resource(argp->input_name);
629 	gss_name_t output_name;
630 
631 	memset(result, 0, sizeof(*result));
632 	if (!name) {
633 		result->major_status = GSS_S_BAD_NAME;
634 		return (TRUE);
635 	}
636 
637 	result->major_status = gss_canonicalize_name(&result->minor_status,
638 	    name, argp->mech_type, &output_name);
639 	gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n",
640 	    (unsigned int)result->major_status, (int)result->minor_status);
641 
642 	if (result->major_status == GSS_S_COMPLETE)
643 		result->output_name = gssd_make_resource(output_name);
644 	else
645 		result->output_name = 0;
646 
647 	return (TRUE);
648 }
649 
650 bool_t
651 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp)
652 {
653 	gss_name_t name = gssd_find_resource(argp->input_name);
654 
655 	memset(result, 0, sizeof(*result));
656 	if (!name) {
657 		result->major_status = GSS_S_BAD_NAME;
658 		gssd_verbose_out("gssd_export_name: name resource not found\n");
659 		return (TRUE);
660 	}
661 
662 	result->major_status = gss_export_name(&result->minor_status,
663 	    name, &result->exported_name);
664 	gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n",
665 	    (unsigned int)result->major_status, (int)result->minor_status);
666 
667 	return (TRUE);
668 }
669 
670 bool_t
671 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp)
672 {
673 	gss_name_t name = gssd_find_resource(argp->input_name);
674 
675 	if (name) {
676 		result->major_status = gss_release_name(&result->minor_status,
677 		    &name);
678 		gssd_delete_resource(argp->input_name);
679 	} else {
680 		result->major_status = GSS_S_COMPLETE;
681 		result->minor_status = 0;
682 	}
683 	gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n",
684 	    (unsigned int)result->major_status, (int)result->minor_status);
685 
686 	return (TRUE);
687 }
688 
689 bool_t
690 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp)
691 {
692 	gss_name_t name = gssd_find_resource(argp->pname);
693 	uid_t uid;
694 	char buf[1024], *bufp;
695 	struct passwd pwd, *pw;
696 	size_t buflen;
697 	int error;
698 	static size_t buflen_hint = 1024;
699 
700 	memset(result, 0, sizeof(*result));
701 	if (name) {
702 		result->major_status =
703 			gss_pname_to_uid(&result->minor_status,
704 			    name, argp->mech, &uid);
705 		if (result->major_status == GSS_S_COMPLETE) {
706 			result->uid = uid;
707 			buflen = buflen_hint;
708 			for (;;) {
709 				pw = NULL;
710 				bufp = buf;
711 				if (buflen > sizeof(buf))
712 					bufp = malloc(buflen);
713 				if (bufp == NULL)
714 					break;
715 				error = getpwuid_r(uid, &pwd, bufp, buflen,
716 				    &pw);
717 				if (error != ERANGE)
718 					break;
719 				if (buflen > sizeof(buf))
720 					free(bufp);
721 				buflen += 1024;
722 				if (buflen > buflen_hint)
723 					buflen_hint = buflen;
724 			}
725 			if (pw) {
726 				int len = NGRPS;
727 				int groups[NGRPS];
728 				result->gid = pw->pw_gid;
729 				getgrouplist(pw->pw_name, pw->pw_gid,
730 				    groups, &len);
731 				result->gidlist.gidlist_len = len;
732 				result->gidlist.gidlist_val =
733 					mem_alloc(len * sizeof(int));
734 				memcpy(result->gidlist.gidlist_val, groups,
735 				    len * sizeof(int));
736 				gssd_verbose_out("gssd_pname_to_uid: mapped"
737 				    " to uid=%d, gid=%d\n", (int)result->uid,
738 				    (int)result->gid);
739 			} else {
740 				result->gid = 65534;
741 				result->gidlist.gidlist_len = 0;
742 				result->gidlist.gidlist_val = NULL;
743 				gssd_verbose_out("gssd_pname_to_uid: mapped"
744 				    " to uid=%d, but no groups\n",
745 				    (int)result->uid);
746 			}
747 			if (bufp != NULL && buflen > sizeof(buf))
748 				free(bufp);
749 		} else
750 			gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x"
751 			    " minor=%d\n", (unsigned int)result->major_status,
752 			    (int)result->minor_status);
753 	} else {
754 		result->major_status = GSS_S_BAD_NAME;
755 		result->minor_status = 0;
756 		gssd_verbose_out("gssd_pname_to_uid: no name\n");
757 	}
758 
759 	return (TRUE);
760 }
761 
762 bool_t
763 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp)
764 {
765 	gss_name_t desired_name = GSS_C_NO_NAME;
766 	gss_cred_id_t cred;
767 	char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
768 	int gotone;
769 #ifndef WITHOUT_KERBEROS
770 	gss_buffer_desc namebuf;
771 	uint32_t minstat;
772 	krb5_error_code kret;
773 #endif
774 
775 	memset(result, 0, sizeof(*result));
776 	if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
777 		/*
778 		 * For the "-s" case and no name provided as an
779 		 * argument, search the directory list for an appropriate
780 		 * credential cache file. If the search fails, return failure.
781 		 */
782 		gotone = 0;
783 		cp = ccfile_dirlist;
784 		do {
785 			cp2 = strchr(cp, ':');
786 			if (cp2 != NULL)
787 				*cp2 = '\0';
788 			gotone = find_ccache_file(cp, argp->uid, ccname);
789 			if (gotone != 0)
790 				break;
791 			if (cp2 != NULL)
792 				*cp2++ = ':';
793 			cp = cp2;
794 		} while (cp != NULL && *cp != '\0');
795 		if (gotone == 0) {
796 			result->major_status = GSS_S_CREDENTIALS_EXPIRED;
797 			gssd_verbose_out("gssd_acquire_cred: no cred cache"
798 			    " file found\n");
799 			return (TRUE);
800 		}
801 	} else {
802 		/*
803 		 * If there wasn't a "-s" option or the name has
804 		 * been provided as an argument, do it the old way.
805 		 * When a name is provided, it will normally exist in the
806 		 * default keytab file and the uid will be root.
807 		 */
808 		if (argp->desired_name != 0 && argp->uid != 0) {
809 			if (debug_level == 0)
810 				syslog(LOG_ERR, "gss_acquire_cred:"
811 				    " principal_name for non-root");
812 			else
813 				fprintf(stderr, "gss_acquire_cred:"
814 				    " principal_name for non-root\n");
815 		}
816 		snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
817 		    (int) argp->uid);
818 	}
819 	setenv("KRB5CCNAME", ccname, TRUE);
820 
821 	if (argp->desired_name) {
822 		desired_name = gssd_find_resource(argp->desired_name);
823 		if (!desired_name) {
824 			result->major_status = GSS_S_BAD_NAME;
825 			gssd_verbose_out("gssd_acquire_cred: no desired name"
826 			    " found\n");
827 			return (TRUE);
828 		}
829 	}
830 
831 	result->major_status = gss_acquire_cred(&result->minor_status,
832 	    desired_name, argp->time_req, argp->desired_mechs,
833 	    argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
834 	gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
835 	    (unsigned int)result->major_status, (int)result->minor_status);
836 
837 	if (result->major_status == GSS_S_COMPLETE)
838 		result->output_cred = gssd_make_resource(cred);
839 	else
840 		result->output_cred = 0;
841 
842 	return (TRUE);
843 }
844 
845 bool_t
846 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp)
847 {
848 	gss_cred_id_t cred = gssd_find_resource(argp->cred);
849 
850 	memset(result, 0, sizeof(*result));
851 	if (!cred) {
852 		result->major_status = GSS_S_CREDENTIALS_EXPIRED;
853 		gssd_verbose_out("gssd_set_cred: no credentials\n");
854 		return (TRUE);
855 	}
856 
857 	result->major_status = gss_set_cred_option(&result->minor_status,
858 	    &cred, argp->option_name, &argp->option_value);
859 	gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n",
860 	    (unsigned int)result->major_status, (int)result->minor_status);
861 
862 	return (TRUE);
863 }
864 
865 bool_t
866 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp)
867 {
868 	gss_cred_id_t cred = gssd_find_resource(argp->cred);
869 
870 	if (cred) {
871 		result->major_status = gss_release_cred(&result->minor_status,
872 		    &cred);
873 		gssd_delete_resource(argp->cred);
874 	} else {
875 		result->major_status = GSS_S_COMPLETE;
876 		result->minor_status = 0;
877 	}
878 	gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n",
879 	    (unsigned int)result->major_status, (int)result->minor_status);
880 
881 	return (TRUE);
882 }
883 
884 bool_t
885 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp)
886 {
887 
888 	result->message_context = argp->message_context;
889 	result->major_status = gss_display_status(&result->minor_status,
890 	    argp->status_value, argp->status_type, argp->mech_type,
891 	    &result->message_context, &result->status_string);
892 	gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n",
893 	    (unsigned int)result->major_status, (int)result->minor_status);
894 
895 	return (TRUE);
896 }
897 
898 int
899 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result)
900 {
901 	/*
902 	 * We don't use XDR to free the results - anything which was
903 	 * allocated came from GSS-API. We use xdr_result to figure
904 	 * out what to do.
905 	 */
906 	OM_uint32 junk;
907 
908 	if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) {
909 		init_sec_context_res *p = (init_sec_context_res *) result;
910 		gss_release_buffer(&junk, &p->output_token);
911 	} else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) {
912 		accept_sec_context_res *p = (accept_sec_context_res *) result;
913 		gss_release_buffer(&junk, &p->output_token);
914 	} else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) {
915 		delete_sec_context_res *p = (delete_sec_context_res *) result;
916 		gss_release_buffer(&junk, &p->output_token);
917 	} else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) {
918 		export_sec_context_res *p = (export_sec_context_res *) result;
919 		if (p->interprocess_token.length)
920 			memset(p->interprocess_token.value, 0,
921 			    p->interprocess_token.length);
922 		gss_release_buffer(&junk, &p->interprocess_token);
923 	} else if (xdr_result == (xdrproc_t) xdr_export_name_res) {
924 		export_name_res *p = (export_name_res *) result;
925 		gss_release_buffer(&junk, &p->exported_name);
926 	} else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) {
927 		acquire_cred_res *p = (acquire_cred_res *) result;
928 		gss_release_oid_set(&junk, &p->actual_mechs);
929 	} else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) {
930 		pname_to_uid_res *p = (pname_to_uid_res *) result;
931 		if (p->gidlist.gidlist_val)
932 			free(p->gidlist.gidlist_val);
933 	} else if (xdr_result == (xdrproc_t) xdr_display_status_res) {
934 		display_status_res *p = (display_status_res *) result;
935 		gss_release_buffer(&junk, &p->status_string);
936 	}
937 
938 	return (TRUE);
939 }
940 
941 /*
942  * Search a directory for the most likely candidate to be used as the
943  * credential cache for a uid. If successful, return 1 and fill the
944  * file's path id into "rpath". Otherwise, return 0.
945  */
946 static int
947 find_ccache_file(const char *dirpath, uid_t uid, char *rpath)
948 {
949 	DIR *dirp;
950 	struct dirent *dp;
951 	struct stat sb;
952 	time_t exptime, oexptime;
953 	int gotone, len, rating, orating;
954 	char namepath[PATH_MAX + 5 + 1];
955 	char retpath[PATH_MAX + 5 + 1];
956 
957 	dirp = opendir(dirpath);
958 	if (dirp == NULL)
959 		return (0);
960 	gotone = 0;
961 	orating = 0;
962 	oexptime = 0;
963 	while ((dp = readdir(dirp)) != NULL) {
964 		len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
965 		    dp->d_name);
966 		if (len < sizeof(namepath) &&
967 		    strstr(dp->d_name, ccfile_substring) != NULL &&
968 		    lstat(namepath, &sb) >= 0 &&
969 		    sb.st_uid == uid &&
970 		    S_ISREG(sb.st_mode)) {
971 			len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s",
972 			    dirpath, dp->d_name);
973 			if (len < sizeof(namepath) &&
974 			    is_a_valid_tgt_cache(namepath, uid, &rating,
975 			    &exptime) != 0) {
976 				if (gotone == 0 || rating > orating ||
977 				    (rating == orating && exptime > oexptime)) {
978 					orating = rating;
979 					oexptime = exptime;
980 					strcpy(retpath, namepath);
981 					gotone = 1;
982 				}
983 			}
984 		}
985 	}
986 	closedir(dirp);
987 	if (gotone != 0) {
988 		strcpy(rpath, retpath);
989 		return (1);
990 	}
991 	return (0);
992 }
993 
994 /*
995  * Try to determine if the file is a valid tgt cache file.
996  * Check that the file has a valid tgt for a principal.
997  * If it does, return 1, otherwise return 0.
998  * It also returns a "rating" and the expiry time for the TGT, when found.
999  * This "rating" is higher based on heuristics that make it more
1000  * likely to be the correct credential cache file to use. It can
1001  * be used by the caller, along with expiry time, to select from
1002  * multiple credential cache files.
1003  */
1004 static int
1005 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
1006     time_t *retexptime)
1007 {
1008 #ifndef WITHOUT_KERBEROS
1009 	krb5_context context;
1010 	krb5_principal princ;
1011 	krb5_ccache ccache;
1012 	krb5_error_code retval;
1013 	krb5_cc_cursor curse;
1014 	krb5_creds krbcred;
1015 	int gotone, orating, rating, ret;
1016 	struct passwd *pw;
1017 	char *cp, *cp2, *pname;
1018 	time_t exptime;
1019 
1020 	/* Find a likely name for the uid principal. */
1021 	pw = getpwuid(uid);
1022 
1023 	/*
1024 	 * Do a bunch of krb5 library stuff to try and determine if
1025 	 * this file is a credentials cache with an appropriate TGT
1026 	 * in it.
1027 	 */
1028 	retval = krb5_init_context(&context);
1029 	if (retval != 0)
1030 		return (0);
1031 	retval = krb5_cc_resolve(context, filepath, &ccache);
1032 	if (retval != 0) {
1033 		krb5_free_context(context);
1034 		return (0);
1035 	}
1036 	ret = 0;
1037 	orating = 0;
1038 	exptime = 0;
1039 	retval = krb5_cc_start_seq_get(context, ccache, &curse);
1040 	if (retval == 0) {
1041 		while ((retval = krb5_cc_next_cred(context, ccache, &curse,
1042 		    &krbcred)) == 0) {
1043 			gotone = 0;
1044 			rating = 0;
1045 			retval = krb5_unparse_name(context, krbcred.server,
1046 			    &pname);
1047 			if (retval == 0) {
1048 				cp = strchr(pname, '/');
1049 				if (cp != NULL) {
1050 					*cp++ = '\0';
1051 					if (strcmp(pname, "krbtgt") == 0 &&
1052 					    krbcred.times.endtime > time(NULL)
1053 					    ) {
1054 						gotone = 1;
1055 						/*
1056 						 * Test to see if this is a
1057 						 * tgt for cross-realm auth.
1058 						 * Rate it higher, if it is not.
1059 						 */
1060 						cp2 = strchr(cp, '@');
1061 						if (cp2 != NULL) {
1062 							*cp2++ = '\0';
1063 							if (strcmp(cp, cp2) ==
1064 							    0)
1065 								rating++;
1066 						}
1067 					}
1068 				}
1069 				free(pname);
1070 			}
1071 			if (gotone != 0) {
1072 				retval = krb5_unparse_name(context,
1073 				    krbcred.client, &pname);
1074 				if (retval == 0) {
1075 					cp = strchr(pname, '@');
1076 					if (cp != NULL) {
1077 						*cp++ = '\0';
1078 						if (pw != NULL && strcmp(pname,
1079 						    pw->pw_name) == 0)
1080 							rating++;
1081 						if (strchr(pname, '/') == NULL)
1082 							rating++;
1083 						if (pref_realm[0] != '\0' &&
1084 						    strcmp(cp, pref_realm) == 0)
1085 							rating++;
1086 					}
1087 				}
1088 				free(pname);
1089 				if (rating > orating) {
1090 					orating = rating;
1091 					exptime = krbcred.times.endtime;
1092 				} else if (rating == orating &&
1093 				    krbcred.times.endtime > exptime)
1094 					exptime = krbcred.times.endtime;
1095 				ret = 1;
1096 			}
1097 			krb5_free_cred_contents(context, &krbcred);
1098 		}
1099 		krb5_cc_end_seq_get(context, ccache, &curse);
1100 	}
1101 	krb5_cc_close(context, ccache);
1102 	krb5_free_context(context);
1103 	if (ret != 0) {
1104 		*retrating = orating;
1105 		*retexptime = exptime;
1106 	}
1107 	return (ret);
1108 #else /* WITHOUT_KERBEROS */
1109 	return (0);
1110 #endif /* !WITHOUT_KERBEROS */
1111 }
1112 
1113 #ifndef WITHOUT_KERBEROS
1114 /*
1115  * Acquire a gss credential for a uid.
1116  */
1117 static OM_uint32
1118 gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
1119 {
1120 	gss_buffer_desc principal_desc;
1121 	gss_name_t name;
1122 	OM_uint32 maj_stat, min_stat;
1123 	gss_OID_set mechlist;
1124 	struct passwd *pw;
1125 
1126 	pw = getpwuid(uid);
1127 	if (pw == NULL) {
1128 		*min_statp = 0;
1129 		return (GSS_S_FAILURE);
1130 	}
1131 
1132 	/*
1133 	 * The mechanism must be set to KerberosV for acquisition
1134 	 * of credentials to work reliably.
1135 	 */
1136 	maj_stat = gss_create_empty_oid_set(min_statp, &mechlist);
1137 	if (maj_stat != GSS_S_COMPLETE)
1138 		return (maj_stat);
1139 	maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X,
1140 	    &mechlist);
1141 	if (maj_stat != GSS_S_COMPLETE) {
1142 		gss_release_oid_set(&min_stat, &mechlist);
1143 		return (maj_stat);
1144 	}
1145 
1146 	principal_desc.value = (void *)pw->pw_name;
1147 	principal_desc.length = strlen(pw->pw_name);
1148 	maj_stat = gss_import_name(min_statp, &principal_desc,
1149 	    GSS_C_NT_USER_NAME, &name);
1150 	if (maj_stat != GSS_S_COMPLETE) {
1151 		gss_release_oid_set(&min_stat, &mechlist);
1152 		return (maj_stat);
1153 	}
1154 	/* Acquire the credentials. */
1155 	maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist,
1156 	    GSS_C_INITIATE, credp, NULL, NULL);
1157 	gss_release_name(&min_stat, &name);
1158 	gss_release_oid_set(&min_stat, &mechlist);
1159 	return (maj_stat);
1160 }
1161 #endif /* !WITHOUT_KERBEROS */
1162