1 /*- 2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 3 * Authors: Doug Rabson <dfr@rabson.org> 4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/param.h> 32 #include <sys/stat.h> 33 #include <sys/linker.h> 34 #include <sys/module.h> 35 #include <sys/queue.h> 36 #include <sys/syslog.h> 37 #include <ctype.h> 38 #include <dirent.h> 39 #include <err.h> 40 #include <krb5.h> 41 #include <pwd.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 #include <gssapi/gssapi.h> 47 #include <rpc/rpc.h> 48 #include <rpc/rpc_com.h> 49 50 #include "gssd.h" 51 52 #ifndef _PATH_GSS_MECH 53 #define _PATH_GSS_MECH "/etc/gss/mech" 54 #endif 55 #ifndef _PATH_GSSDSOCK 56 #define _PATH_GSSDSOCK "/var/run/gssd.sock" 57 #endif 58 59 struct gss_resource { 60 LIST_ENTRY(gss_resource) gr_link; 61 uint64_t gr_id; /* indentifier exported to kernel */ 62 void* gr_res; /* GSS-API resource pointer */ 63 }; 64 LIST_HEAD(gss_resource_list, gss_resource) gss_resources; 65 int gss_resource_count; 66 uint32_t gss_next_id; 67 uint32_t gss_start_time; 68 int debug_level; 69 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1]; 70 static char pref_realm[1024]; 71 72 static void gssd_load_mech(void); 73 static int find_ccache_file(const char *, uid_t, char *); 74 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *); 75 76 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp); 77 extern int gssd_syscall(char *path); 78 79 int 80 main(int argc, char **argv) 81 { 82 /* 83 * We provide an RPC service on a local-domain socket. The 84 * kernel's GSS-API code will pass what it can't handle 85 * directly to us. 86 */ 87 struct sockaddr_un sun; 88 int fd, oldmask, ch, debug; 89 SVCXPRT *xprt; 90 91 /* 92 * Initialize the credential cache file name substring and the 93 * search directory list. 94 */ 95 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring)); 96 ccfile_dirlist[0] = '\0'; 97 pref_realm[0] = '\0'; 98 debug = 0; 99 while ((ch = getopt(argc, argv, "ds:c:r:")) != -1) { 100 switch (ch) { 101 case 'd': 102 debug_level++; 103 break; 104 case 's': 105 /* 106 * Set the directory search list. This enables use of 107 * find_ccache_file() to search the directories for a 108 * suitable credentials cache file. 109 */ 110 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist)); 111 break; 112 case 'c': 113 /* 114 * Specify a non-default credential cache file 115 * substring. 116 */ 117 strlcpy(ccfile_substring, optarg, 118 sizeof(ccfile_substring)); 119 break; 120 case 'r': 121 /* 122 * Set the preferred realm for the credential cache tgt. 123 */ 124 strlcpy(pref_realm, optarg, sizeof(pref_realm)); 125 break; 126 default: 127 fprintf(stderr, 128 "usage: %s [-d] [-s dir-list] [-c file-substring]" 129 " [-r preferred-realm]\n", argv[0]); 130 exit(1); 131 break; 132 } 133 } 134 135 gssd_load_mech(); 136 137 if (!debug_level) 138 daemon(0, 0); 139 140 memset(&sun, 0, sizeof sun); 141 sun.sun_family = AF_LOCAL; 142 unlink(_PATH_GSSDSOCK); 143 strcpy(sun.sun_path, _PATH_GSSDSOCK); 144 sun.sun_len = SUN_LEN(&sun); 145 fd = socket(AF_LOCAL, SOCK_STREAM, 0); 146 if (!fd) { 147 if (debug_level == 0) { 148 syslog(LOG_ERR, "Can't create local gssd socket"); 149 exit(1); 150 } 151 err(1, "Can't create local gssd socket"); 152 } 153 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); 154 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) { 155 if (debug_level == 0) { 156 syslog(LOG_ERR, "Can't bind local gssd socket"); 157 exit(1); 158 } 159 err(1, "Can't bind local gssd socket"); 160 } 161 umask(oldmask); 162 if (listen(fd, SOMAXCONN) < 0) { 163 if (debug_level == 0) { 164 syslog(LOG_ERR, "Can't listen on local gssd socket"); 165 exit(1); 166 } 167 err(1, "Can't listen on local gssd socket"); 168 } 169 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); 170 if (!xprt) { 171 if (debug_level == 0) { 172 syslog(LOG_ERR, 173 "Can't create transport for local gssd socket"); 174 exit(1); 175 } 176 err(1, "Can't create transport for local gssd socket"); 177 } 178 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) { 179 if (debug_level == 0) { 180 syslog(LOG_ERR, 181 "Can't register service for local gssd socket"); 182 exit(1); 183 } 184 err(1, "Can't register service for local gssd socket"); 185 } 186 187 LIST_INIT(&gss_resources); 188 gss_next_id = 1; 189 gss_start_time = time(0); 190 191 gssd_syscall(_PATH_GSSDSOCK); 192 svc_run(); 193 194 return (0); 195 } 196 197 static void 198 gssd_load_mech(void) 199 { 200 FILE *fp; 201 char buf[256]; 202 char *p; 203 char *name, *oid, *lib, *kobj; 204 205 fp = fopen(_PATH_GSS_MECH, "r"); 206 if (!fp) 207 return; 208 209 while (fgets(buf, sizeof(buf), fp)) { 210 if (*buf == '#') 211 continue; 212 p = buf; 213 name = strsep(&p, "\t\n "); 214 if (p) while (isspace(*p)) p++; 215 oid = strsep(&p, "\t\n "); 216 if (p) while (isspace(*p)) p++; 217 lib = strsep(&p, "\t\n "); 218 if (p) while (isspace(*p)) p++; 219 kobj = strsep(&p, "\t\n "); 220 if (!name || !oid || !lib || !kobj) 221 continue; 222 223 if (strcmp(kobj, "-")) { 224 /* 225 * Attempt to load the kernel module if its 226 * not already present. 227 */ 228 if (modfind(kobj) < 0) { 229 if (kldload(kobj) < 0) { 230 fprintf(stderr, 231 "%s: can't find or load kernel module %s for %s\n", 232 getprogname(), kobj, name); 233 } 234 } 235 } 236 } 237 fclose(fp); 238 } 239 240 static void * 241 gssd_find_resource(uint64_t id) 242 { 243 struct gss_resource *gr; 244 245 if (!id) 246 return (NULL); 247 248 LIST_FOREACH(gr, &gss_resources, gr_link) 249 if (gr->gr_id == id) 250 return (gr->gr_res); 251 252 return (NULL); 253 } 254 255 static uint64_t 256 gssd_make_resource(void *res) 257 { 258 struct gss_resource *gr; 259 260 if (!res) 261 return (0); 262 263 gr = malloc(sizeof(struct gss_resource)); 264 if (!gr) 265 return (0); 266 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32); 267 gr->gr_res = res; 268 LIST_INSERT_HEAD(&gss_resources, gr, gr_link); 269 gss_resource_count++; 270 if (debug_level > 1) 271 printf("%d resources allocated\n", gss_resource_count); 272 273 return (gr->gr_id); 274 } 275 276 static void 277 gssd_delete_resource(uint64_t id) 278 { 279 struct gss_resource *gr; 280 281 LIST_FOREACH(gr, &gss_resources, gr_link) { 282 if (gr->gr_id == id) { 283 LIST_REMOVE(gr, gr_link); 284 free(gr); 285 gss_resource_count--; 286 if (debug_level > 1) 287 printf("%d resources allocated\n", 288 gss_resource_count); 289 return; 290 } 291 } 292 } 293 294 bool_t 295 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) 296 { 297 298 return (TRUE); 299 } 300 301 bool_t 302 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp) 303 { 304 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 305 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 306 gss_name_t name = GSS_C_NO_NAME; 307 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 308 int gotone; 309 310 memset(result, 0, sizeof(*result)); 311 if (ccfile_dirlist[0] != '\0' && argp->cred == 0) { 312 /* 313 * For the "-s" case and no credentials provided as an 314 * argument, search the directory list for an appropriate 315 * credential cache file. If the search fails, return failure. 316 */ 317 gotone = 0; 318 cp = ccfile_dirlist; 319 do { 320 cp2 = strchr(cp, ':'); 321 if (cp2 != NULL) 322 *cp2 = '\0'; 323 gotone = find_ccache_file(cp, argp->uid, ccname); 324 if (gotone != 0) 325 break; 326 if (cp2 != NULL) 327 *cp2++ = ':'; 328 cp = cp2; 329 } while (cp != NULL && *cp != '\0'); 330 if (gotone == 0) { 331 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 332 return (TRUE); 333 } 334 } else { 335 /* 336 * If there wasn't a "-s" option or the credentials have 337 * been provided as an argument, do it the old way. 338 * When credentials are provided, the uid should be root. 339 */ 340 if (argp->cred != 0 && argp->uid != 0) { 341 if (debug_level == 0) 342 syslog(LOG_ERR, "gss_init_sec_context:" 343 " cred for non-root"); 344 else 345 fprintf(stderr, "gss_init_sec_context:" 346 " cred for non-root\n"); 347 } 348 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 349 (int) argp->uid); 350 } 351 setenv("KRB5CCNAME", ccname, TRUE); 352 353 if (argp->cred) { 354 cred = gssd_find_resource(argp->cred); 355 if (!cred) { 356 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 357 return (TRUE); 358 } 359 } 360 if (argp->ctx) { 361 ctx = gssd_find_resource(argp->ctx); 362 if (!ctx) { 363 result->major_status = GSS_S_CONTEXT_EXPIRED; 364 return (TRUE); 365 } 366 } 367 if (argp->name) { 368 name = gssd_find_resource(argp->name); 369 if (!name) { 370 result->major_status = GSS_S_BAD_NAME; 371 return (TRUE); 372 } 373 } 374 375 result->major_status = gss_init_sec_context(&result->minor_status, 376 cred, &ctx, name, argp->mech_type, 377 argp->req_flags, argp->time_req, argp->input_chan_bindings, 378 &argp->input_token, &result->actual_mech_type, 379 &result->output_token, &result->ret_flags, &result->time_rec); 380 381 if (result->major_status == GSS_S_COMPLETE 382 || result->major_status == GSS_S_CONTINUE_NEEDED) { 383 if (argp->ctx) 384 result->ctx = argp->ctx; 385 else 386 result->ctx = gssd_make_resource(ctx); 387 } 388 389 return (TRUE); 390 } 391 392 bool_t 393 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp) 394 { 395 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 396 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 397 gss_name_t src_name; 398 gss_cred_id_t delegated_cred_handle; 399 400 memset(result, 0, sizeof(*result)); 401 if (argp->ctx) { 402 ctx = gssd_find_resource(argp->ctx); 403 if (!ctx) { 404 result->major_status = GSS_S_CONTEXT_EXPIRED; 405 return (TRUE); 406 } 407 } 408 if (argp->cred) { 409 cred = gssd_find_resource(argp->cred); 410 if (!cred) { 411 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 412 return (TRUE); 413 } 414 } 415 416 memset(result, 0, sizeof(*result)); 417 result->major_status = gss_accept_sec_context(&result->minor_status, 418 &ctx, cred, &argp->input_token, argp->input_chan_bindings, 419 &src_name, &result->mech_type, &result->output_token, 420 &result->ret_flags, &result->time_rec, 421 &delegated_cred_handle); 422 423 if (result->major_status == GSS_S_COMPLETE 424 || result->major_status == GSS_S_CONTINUE_NEEDED) { 425 if (argp->ctx) 426 result->ctx = argp->ctx; 427 else 428 result->ctx = gssd_make_resource(ctx); 429 result->src_name = gssd_make_resource(src_name); 430 result->delegated_cred_handle = 431 gssd_make_resource(delegated_cred_handle); 432 } 433 434 return (TRUE); 435 } 436 437 bool_t 438 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp) 439 { 440 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 441 442 if (ctx) { 443 result->major_status = gss_delete_sec_context( 444 &result->minor_status, &ctx, &result->output_token); 445 gssd_delete_resource(argp->ctx); 446 } else { 447 result->major_status = GSS_S_COMPLETE; 448 result->minor_status = 0; 449 } 450 451 return (TRUE); 452 } 453 454 bool_t 455 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp) 456 { 457 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 458 459 if (ctx) { 460 result->major_status = gss_export_sec_context( 461 &result->minor_status, &ctx, 462 &result->interprocess_token); 463 result->format = KGSS_HEIMDAL_1_1; 464 gssd_delete_resource(argp->ctx); 465 } else { 466 result->major_status = GSS_S_FAILURE; 467 result->minor_status = 0; 468 result->interprocess_token.length = 0; 469 result->interprocess_token.value = NULL; 470 } 471 472 return (TRUE); 473 } 474 475 bool_t 476 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp) 477 { 478 gss_name_t name; 479 480 result->major_status = gss_import_name(&result->minor_status, 481 &argp->input_name_buffer, argp->input_name_type, &name); 482 483 if (result->major_status == GSS_S_COMPLETE) 484 result->output_name = gssd_make_resource(name); 485 else 486 result->output_name = 0; 487 488 return (TRUE); 489 } 490 491 bool_t 492 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp) 493 { 494 gss_name_t name = gssd_find_resource(argp->input_name); 495 gss_name_t output_name; 496 497 memset(result, 0, sizeof(*result)); 498 if (!name) { 499 result->major_status = GSS_S_BAD_NAME; 500 return (TRUE); 501 } 502 503 result->major_status = gss_canonicalize_name(&result->minor_status, 504 name, argp->mech_type, &output_name); 505 506 if (result->major_status == GSS_S_COMPLETE) 507 result->output_name = gssd_make_resource(output_name); 508 else 509 result->output_name = 0; 510 511 return (TRUE); 512 } 513 514 bool_t 515 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp) 516 { 517 gss_name_t name = gssd_find_resource(argp->input_name); 518 519 memset(result, 0, sizeof(*result)); 520 if (!name) { 521 result->major_status = GSS_S_BAD_NAME; 522 return (TRUE); 523 } 524 525 result->major_status = gss_export_name(&result->minor_status, 526 name, &result->exported_name); 527 528 return (TRUE); 529 } 530 531 bool_t 532 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp) 533 { 534 gss_name_t name = gssd_find_resource(argp->input_name); 535 536 if (name) { 537 result->major_status = gss_release_name(&result->minor_status, 538 &name); 539 gssd_delete_resource(argp->input_name); 540 } else { 541 result->major_status = GSS_S_COMPLETE; 542 result->minor_status = 0; 543 } 544 545 return (TRUE); 546 } 547 548 bool_t 549 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp) 550 { 551 gss_name_t name = gssd_find_resource(argp->pname); 552 uid_t uid; 553 char buf[128]; 554 struct passwd pwd, *pw; 555 556 memset(result, 0, sizeof(*result)); 557 if (name) { 558 result->major_status = 559 gss_pname_to_uid(&result->minor_status, 560 name, argp->mech, &uid); 561 if (result->major_status == GSS_S_COMPLETE) { 562 result->uid = uid; 563 getpwuid_r(uid, &pwd, buf, sizeof(buf), &pw); 564 if (pw) { 565 int len = NGRPS; 566 int groups[NGRPS]; 567 result->gid = pw->pw_gid; 568 getgrouplist(pw->pw_name, pw->pw_gid, 569 groups, &len); 570 result->gidlist.gidlist_len = len; 571 result->gidlist.gidlist_val = 572 mem_alloc(len * sizeof(int)); 573 memcpy(result->gidlist.gidlist_val, groups, 574 len * sizeof(int)); 575 } else { 576 result->gid = 65534; 577 result->gidlist.gidlist_len = 0; 578 result->gidlist.gidlist_val = NULL; 579 } 580 } 581 } else { 582 result->major_status = GSS_S_BAD_NAME; 583 result->minor_status = 0; 584 } 585 586 return (TRUE); 587 } 588 589 bool_t 590 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp) 591 { 592 gss_name_t desired_name = GSS_C_NO_NAME; 593 gss_cred_id_t cred; 594 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 595 int gotone; 596 597 memset(result, 0, sizeof(*result)); 598 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) { 599 /* 600 * For the "-s" case and no name provided as an 601 * argument, search the directory list for an appropriate 602 * credential cache file. If the search fails, return failure. 603 */ 604 gotone = 0; 605 cp = ccfile_dirlist; 606 do { 607 cp2 = strchr(cp, ':'); 608 if (cp2 != NULL) 609 *cp2 = '\0'; 610 gotone = find_ccache_file(cp, argp->uid, ccname); 611 if (gotone != 0) 612 break; 613 if (cp2 != NULL) 614 *cp2++ = ':'; 615 cp = cp2; 616 } while (cp != NULL && *cp != '\0'); 617 if (gotone == 0) { 618 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 619 return (TRUE); 620 } 621 } else { 622 /* 623 * If there wasn't a "-s" option or the name has 624 * been provided as an argument, do it the old way. 625 * When a name is provided, it will normally exist in the 626 * default keytab file and the uid will be root. 627 */ 628 if (argp->desired_name != 0 && argp->uid != 0) { 629 if (debug_level == 0) 630 syslog(LOG_ERR, "gss_acquire_cred:" 631 " principal_name for non-root"); 632 else 633 fprintf(stderr, "gss_acquire_cred:" 634 " principal_name for non-root\n"); 635 } 636 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 637 (int) argp->uid); 638 } 639 setenv("KRB5CCNAME", ccname, TRUE); 640 641 if (argp->desired_name) { 642 desired_name = gssd_find_resource(argp->desired_name); 643 if (!desired_name) { 644 result->major_status = GSS_S_BAD_NAME; 645 return (TRUE); 646 } 647 } 648 649 result->major_status = gss_acquire_cred(&result->minor_status, 650 desired_name, argp->time_req, argp->desired_mechs, 651 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec); 652 653 if (result->major_status == GSS_S_COMPLETE) 654 result->output_cred = gssd_make_resource(cred); 655 else 656 result->output_cred = 0; 657 658 return (TRUE); 659 } 660 661 bool_t 662 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp) 663 { 664 gss_cred_id_t cred = gssd_find_resource(argp->cred); 665 666 memset(result, 0, sizeof(*result)); 667 if (!cred) { 668 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 669 return (TRUE); 670 } 671 672 result->major_status = gss_set_cred_option(&result->minor_status, 673 &cred, argp->option_name, &argp->option_value); 674 675 return (TRUE); 676 } 677 678 bool_t 679 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp) 680 { 681 gss_cred_id_t cred = gssd_find_resource(argp->cred); 682 683 if (cred) { 684 result->major_status = gss_release_cred(&result->minor_status, 685 &cred); 686 gssd_delete_resource(argp->cred); 687 } else { 688 result->major_status = GSS_S_COMPLETE; 689 result->minor_status = 0; 690 } 691 692 return (TRUE); 693 } 694 695 bool_t 696 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp) 697 { 698 699 result->message_context = argp->message_context; 700 result->major_status = gss_display_status(&result->minor_status, 701 argp->status_value, argp->status_type, argp->mech_type, 702 &result->message_context, &result->status_string); 703 704 return (TRUE); 705 } 706 707 int 708 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) 709 { 710 /* 711 * We don't use XDR to free the results - anything which was 712 * allocated came from GSS-API. We use xdr_result to figure 713 * out what to do. 714 */ 715 OM_uint32 junk; 716 717 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) { 718 init_sec_context_res *p = (init_sec_context_res *) result; 719 gss_release_buffer(&junk, &p->output_token); 720 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) { 721 accept_sec_context_res *p = (accept_sec_context_res *) result; 722 gss_release_buffer(&junk, &p->output_token); 723 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) { 724 delete_sec_context_res *p = (delete_sec_context_res *) result; 725 gss_release_buffer(&junk, &p->output_token); 726 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) { 727 export_sec_context_res *p = (export_sec_context_res *) result; 728 if (p->interprocess_token.length) 729 memset(p->interprocess_token.value, 0, 730 p->interprocess_token.length); 731 gss_release_buffer(&junk, &p->interprocess_token); 732 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) { 733 export_name_res *p = (export_name_res *) result; 734 gss_release_buffer(&junk, &p->exported_name); 735 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) { 736 acquire_cred_res *p = (acquire_cred_res *) result; 737 gss_release_oid_set(&junk, &p->actual_mechs); 738 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) { 739 pname_to_uid_res *p = (pname_to_uid_res *) result; 740 if (p->gidlist.gidlist_val) 741 free(p->gidlist.gidlist_val); 742 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) { 743 display_status_res *p = (display_status_res *) result; 744 gss_release_buffer(&junk, &p->status_string); 745 } 746 747 return (TRUE); 748 } 749 750 /* 751 * Search a directory for the most likely candidate to be used as the 752 * credential cache for a uid. If successful, return 1 and fill the 753 * file's path id into "rpath". Otherwise, return 0. 754 */ 755 static int 756 find_ccache_file(const char *dirpath, uid_t uid, char *rpath) 757 { 758 DIR *dirp; 759 struct dirent *dp; 760 struct stat sb; 761 time_t exptime, oexptime; 762 int gotone, len, rating, orating; 763 char namepath[PATH_MAX + 5 + 1]; 764 char retpath[PATH_MAX + 5 + 1]; 765 766 dirp = opendir(dirpath); 767 if (dirp == NULL) 768 return (0); 769 gotone = 0; 770 orating = 0; 771 oexptime = 0; 772 while ((dp = readdir(dirp)) != NULL) { 773 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath, 774 dp->d_name); 775 if (len < sizeof(namepath) && 776 strstr(dp->d_name, ccfile_substring) != NULL && 777 lstat(namepath, &sb) >= 0 && 778 sb.st_uid == uid && 779 S_ISREG(sb.st_mode)) { 780 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s", 781 dirpath, dp->d_name); 782 if (len < sizeof(namepath) && 783 is_a_valid_tgt_cache(namepath, uid, &rating, 784 &exptime) != 0) { 785 if (gotone == 0 || rating > orating || 786 (rating == orating && exptime > oexptime)) { 787 orating = rating; 788 oexptime = exptime; 789 strcpy(retpath, namepath); 790 gotone = 1; 791 } 792 } 793 } 794 } 795 closedir(dirp); 796 if (gotone != 0) { 797 strcpy(rpath, retpath); 798 return (1); 799 } 800 return (0); 801 } 802 803 /* 804 * Try to determine if the file is a valid tgt cache file. 805 * Check that the file has a valid tgt for a principal. 806 * If it does, return 1, otherwise return 0. 807 * It also returns a "rating" and the expiry time for the TGT, when found. 808 * This "rating" is higher based on heuristics that make it more 809 * likely to be the correct credential cache file to use. It can 810 * be used by the caller, along with expiry time, to select from 811 * multiple credential cache files. 812 */ 813 static int 814 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating, 815 time_t *retexptime) 816 { 817 krb5_context context; 818 krb5_principal princ; 819 krb5_ccache ccache; 820 krb5_error_code retval; 821 krb5_cc_cursor curse; 822 krb5_creds krbcred; 823 int gotone, orating, rating, ret; 824 struct passwd *pw; 825 char *cp, *cp2, *pname; 826 time_t exptime; 827 828 /* Find a likely name for the uid principal. */ 829 pw = getpwuid(uid); 830 831 /* 832 * Do a bunch of krb5 library stuff to try and determine if 833 * this file is a credentials cache with an appropriate TGT 834 * in it. 835 */ 836 retval = krb5_init_context(&context); 837 if (retval != 0) 838 return (0); 839 retval = krb5_cc_resolve(context, filepath, &ccache); 840 if (retval != 0) { 841 krb5_free_context(context); 842 return (0); 843 } 844 ret = 0; 845 orating = 0; 846 exptime = 0; 847 retval = krb5_cc_start_seq_get(context, ccache, &curse); 848 if (retval == 0) { 849 while ((retval = krb5_cc_next_cred(context, ccache, &curse, 850 &krbcred)) == 0) { 851 gotone = 0; 852 rating = 0; 853 retval = krb5_unparse_name(context, krbcred.server, 854 &pname); 855 if (retval == 0) { 856 cp = strchr(pname, '/'); 857 if (cp != NULL) { 858 *cp++ = '\0'; 859 if (strcmp(pname, "krbtgt") == 0 && 860 krbcred.times.endtime > time(NULL) 861 ) { 862 gotone = 1; 863 /* 864 * Test to see if this is a 865 * tgt for cross-realm auth. 866 * Rate it higher, if it is not. 867 */ 868 cp2 = strchr(cp, '@'); 869 if (cp2 != NULL) { 870 *cp2++ = '\0'; 871 if (strcmp(cp, cp2) == 872 0) 873 rating++; 874 } 875 } 876 } 877 free(pname); 878 } 879 if (gotone != 0) { 880 retval = krb5_unparse_name(context, 881 krbcred.client, &pname); 882 if (retval == 0) { 883 cp = strchr(pname, '@'); 884 if (cp != NULL) { 885 *cp++ = '\0'; 886 if (pw != NULL && strcmp(pname, 887 pw->pw_name) == 0) 888 rating++; 889 if (strchr(pname, '/') == NULL) 890 rating++; 891 if (pref_realm[0] != '\0' && 892 strcmp(cp, pref_realm) == 0) 893 rating++; 894 } 895 } 896 free(pname); 897 if (rating > orating) { 898 orating = rating; 899 exptime = krbcred.times.endtime; 900 } else if (rating == orating && 901 krbcred.times.endtime > exptime) 902 exptime = krbcred.times.endtime; 903 ret = 1; 904 } 905 krb5_free_cred_contents(context, &krbcred); 906 } 907 krb5_cc_end_seq_get(context, ccache, &curse); 908 } 909 krb5_cc_close(context, ccache); 910 krb5_free_context(context); 911 if (ret != 0) { 912 *retrating = orating; 913 *retexptime = exptime; 914 } 915 return (ret); 916 } 917 918