1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <unistd.h>
30 #include <ctype.h>
31 #include "gsscred.h"
32
33 /*
34 * gsscred utility
35 * Manages mapping between a security principal name and unix uid.
36 * Implementation file for the file based gsscred utility.
37 */
38
39 #define MAX_ENTRY_LEN 1024
40
41 static const char credFile[] = "/etc/gss/gsscred_db";
42 static const char credFileTmp[] = "/etc/gss/gsscred_db.tmp";
43 static const int expNameTokIdLen = 2;
44 static const int mechOidLenLen = 2;
45 static const int krb5OidTagLen = 1;
46 static const int krb5OidLenLen = 1;
47 static const int nameLen = 4;
48 static const int krb5OidLen = 9;
49
50 /*
51 * Multiply by two given that the token has already gone through hex string
52 * expansion.
53 */
54 #define NAME_OFFSET (expNameTokIdLen + mechOidLenLen + krb5OidTagLen + \
55 krb5OidLenLen + krb5OidLen + nameLen) * 2
56
57 static int matchEntry(const char *entry, const gss_buffer_t name,
58 const char *uid, uid_t *uidOut);
59
60 /*
61 * file_addGssCredEntry
62 *
63 * Adds a new entry to the gsscred table.
64 * Does not check for duplicate entries.
65 */
file_addGssCredEntry(const gss_buffer_t hexName,const char * uid,const char * comment,char ** errDetails)66 int file_addGssCredEntry(const gss_buffer_t hexName, const char *uid,
67 const char *comment, char **errDetails)
68 {
69 FILE *fp;
70 char tmpBuf[256];
71
72 if ((fp = fopen(credFile, "a")) == NULL) {
73 if (errDetails) {
74 (void) snprintf(tmpBuf, sizeof (tmpBuf),
75 gettext("Unable to open gsscred file [%s]"),
76 credFile);
77 *errDetails = strdup(tmpBuf);
78 }
79 return (0);
80 }
81
82 (void) fprintf(fp,
83 "%s\t%s\t%s\n", (char *)hexName->value, uid, comment);
84 (void) fclose(fp);
85 return (1);
86 } /* ******* file_addGssCredEntry ****** */
87
88
89
90 /*
91 * file_getGssCredEntry
92 *
93 * Searches the file for the file matching the name. Since the name
94 * contains a mechanism identifier, to search for all names for a given
95 * mechanism just supply the mechanism portion in the name buffer.
96 * To search by uid only, supply a non-null value of uid.
97 */
file_getGssCredEntry(const gss_buffer_t name,const char * uid,char ** errDetails)98 int file_getGssCredEntry(const gss_buffer_t name, const char *uid,
99 char **errDetails)
100 {
101 FILE *fp;
102 char entry[MAX_ENTRY_LEN+1];
103
104 if ((fp = fopen(credFile, "r")) == NULL) {
105
106 if (errDetails) {
107 (void) snprintf(entry, sizeof (entry),
108 gettext("Unable to open gsscred file [%s]"),
109 credFile);
110 *errDetails = strdup(entry);
111 }
112
113 return (0);
114 }
115
116 /* go through the file in sequential order */
117 while (fgets(entry, MAX_ENTRY_LEN, fp) != NULL) {
118 /* is there any search criteria */
119 if (name == NULL && uid == NULL) {
120 (void) fprintf(stdout, "%s", entry);
121 continue;
122 }
123
124 if (matchEntry(entry, name, uid, NULL))
125 (void) fprintf(stdout, "%s", entry);
126
127 } /* while */
128
129 (void) fclose(fp);
130 return (1);
131 } /* file_getGssCredEntry */
132
133 /*
134 * file_getGssCredUid
135 *
136 * GSS entry point for retrieving user uid information.
137 * We need to go through the entire file to ensure that
138 * the last matching entry is retrieved - this is because
139 * new entries are added to the end, and in case of
140 * duplicates we want to get the latest entry.
141 */
142 int
file_getGssCredUid(const gss_buffer_t expName,uid_t * uidOut)143 file_getGssCredUid(const gss_buffer_t expName, uid_t *uidOut)
144 {
145 FILE *fp;
146 char entry[MAX_ENTRY_LEN+1];
147 int retVal = 0;
148
149 if ((fp = fopen(credFile, "r")) == NULL)
150 return (0);
151
152 /* go through the entire file in sequential order */
153 while (fgets(entry, MAX_ENTRY_LEN, fp) != NULL) {
154 if (matchEntry(entry, expName, NULL, uidOut)) {
155 retVal = 1;
156 }
157 } /* while */
158
159 (void) fclose(fp);
160 return (retVal);
161 } /* file_getGssCredUid */
162
163
164
165 /*
166 *
167 * file_deleteGssCredEntry
168 *
169 * removes entries form file that match the delete criteria
170 */
file_deleteGssCredEntry(const gss_buffer_t name,const char * uid,char ** errDetails)171 int file_deleteGssCredEntry(const gss_buffer_t name, const char *uid,
172 char **errDetails)
173 {
174 FILE *fp, *tempFp;
175 char entry[MAX_ENTRY_LEN+1];
176 int foundOne = 0;
177
178 /* are we deleting everyone? */
179 if (name == NULL && uid == NULL) {
180
181 if ((fp = fopen(credFile, "w")) == NULL) {
182
183 if (errDetails) {
184 (void) snprintf(entry, sizeof (entry),
185 gettext("Unable to open gsscred"
186 " file [%s]"),
187 credFile);
188 *errDetails = strdup(entry);
189 }
190 return (0);
191 }
192
193 (void) fclose(fp);
194 return (1);
195 }
196
197 /* selective delete - might still be everyone */
198 if ((fp = fopen(credFile, "r")) == NULL) {
199
200 if (errDetails) {
201 (void) snprintf(entry, sizeof (entry),
202 gettext("Unable to open gsscred file [%s]"),
203 credFile);
204 *errDetails = strdup(entry);
205 }
206 return (0);
207 }
208
209 /* also need to open temp file */
210 if ((tempFp = fopen(credFileTmp, "w")) == NULL) {
211 if (errDetails) {
212 (void) snprintf(entry, sizeof (entry),
213 gettext("Unable to open gsscred temporary"
214 " file [%s]"),
215 credFileTmp);
216 *errDetails = strdup(entry);
217 }
218
219 (void) fclose(fp);
220 return (0);
221 }
222
223 /* go through all the entries sequentially removing ones that match */
224 while (fgets(entry, MAX_ENTRY_LEN, fp) != NULL) {
225
226 if (!matchEntry(entry, name, uid, NULL))
227 (void) fputs(entry, tempFp);
228 else
229 foundOne = 1;
230 }
231 (void) fclose(tempFp);
232 (void) fclose(fp);
233
234 /* now make the tempfile the gsscred file */
235 (void) rename(credFileTmp, credFile);
236 (void) unlink(credFileTmp);
237
238 if (!foundOne) {
239 *errDetails = strdup(gettext("No users found"));
240 return (0);
241 }
242 return (1);
243 } /* file_deleteGssCredEntry */
244
245
246
247 /*
248 *
249 * match entry
250 *
251 * checks if the specified entry matches the supplied criteria
252 * returns 1 if yes, 0 if no
253 * uidOut value can be used to retrieve the uid from the entry
254 * when the uid string is passed in, the uidOut value is not set
255 */
matchEntry(const char * entry,const gss_buffer_t name,const char * uid,uid_t * uidOut)256 static int matchEntry(const char *entry, const gss_buffer_t name,
257 const char *uid, uid_t *uidOut)
258 {
259 char fullEntry[MAX_ENTRY_LEN+1], *item, *item_buf, *name_buf;
260 char dilims[] = "\t \n";
261 /*
262 * item_len is the length of the token in the gsscred_db.
263 * name_len is the length of the token passed to this function.
264 */
265 int item_len, name_len;
266 /*
267 * This is the hex encoding of the beginning of all exported name
268 * tokens for the Kerberos V mechanism. We need this to detect old,
269 * incorrectly exported name tokens; see below.
270 */
271 char *krb5_ntok_prefix = "0401000B06092A864886F712010202";
272 /*
273 * This is the hex encoded GSS_C_NT_USER_NAME OID, needed for the same
274 * reason as krb5_ntok_prefix.
275 */
276 char *gss_u_name = "2A864886F71201020101";
277
278 if (entry == NULL || isspace(*entry))
279 return (0);
280
281 /* save the entry since strtok will chop it up */
282 (void) strcpy(fullEntry, entry);
283
284 if ((item = strtok(fullEntry, dilims)) == NULL)
285 return (0);
286
287 /* do we need to search the name */
288 if (name != NULL) {
289
290 item_len = strlen(item);
291 name_len = name->length;
292 name_buf = name->value;
293
294 /* we can match the prefix of the string */
295 if (item_len < name_len)
296 return (0);
297
298 if (strncmp(item, name->value, name_len) != 0) {
299
300 /*
301 * The following section is needed in order to detect
302 * two existing errant formats in the gsscred db.
303 *
304 * 1. Exported names that have a trailing null byte
305 * ("00" in two hex characters) with the name length
306 * incremented to account for the extra null byte.
307 *
308 * 2. Exported names that have the name type length
309 * and name type OID prepended to the exported name.
310 *
311 */
312 if (strncmp(name->value, krb5_ntok_prefix,
313 strlen(krb5_ntok_prefix)) != 0)
314 return (0);
315
316 if (strncmp(item, krb5_ntok_prefix,
317 strlen(krb5_ntok_prefix)) != 0)
318 return (0);
319
320 if ((item_buf = strstr(item, gss_u_name)) == NULL)
321 return (0);
322
323 item_buf += strlen(gss_u_name);
324
325 name_buf += NAME_OFFSET;
326
327 if ((strlen(item_buf) != strlen(name_buf)) &&
328 (strncmp(item_buf + (strlen(item_buf) - 2), "00", 2)
329 != 0))
330 return (0);
331
332 /*
333 * Here we compare the end of name_len, given
334 * that item_len could have two extra "00"
335 * representing the null byte.
336 */
337 if (strncmp(item_buf, name_buf, name_len - NAME_OFFSET)
338 != 0)
339 return (0);
340 } else
341 /*
342 * We only strncmp() so we could check for old,
343 * broken exported name tokens for the krb5 mech.
344 * For any other exported name tokens we want exact
345 * matches only.
346 */
347 if (item_len != name_len)
348 return (0);
349
350 /* do we need to check the uid - if not then we found it */
351 if (uid == NULL) {
352 /* do we ned to parse out the uid ? */
353 if (uidOut) {
354 if ((item = strtok(NULL, dilims)) == NULL)
355 return (0);
356 *uidOut = atol(item);
357 }
358 return (1);
359 }
360
361 /* continue with checking the uid */
362 }
363
364 if (uid == NULL)
365 return (1);
366
367 /* get the next token from the string - the uid */
368 if ((item = strtok(NULL, dilims)) == NULL)
369 return (0);
370
371 if (strcmp(item, uid) == 0)
372 return (1);
373
374 return (0);
375 } /* ******* matchEntry ****** */
376