crypto/dist/heimdal/lib/krb5/keytab.c

   1 /*
   2  * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "krb5_locl.h"
  35
  36 __RCSID("$Heimdal: keytab.c 20211 2007-02-09 07:11:03Z lha $"
  37         "$NetBSD$");
  38
  39 /*
  40  * Register a new keytab in `ops'
  41  * Return 0 or an error.
  42  */
  43
  44 krb5_error_code KRB5_LIB_FUNCTION
  45 krb5_kt_register(krb5_context context,
  46                  const krb5_kt_ops *ops)
  47 {
  48     struct krb5_keytab_data *tmp;
  49
  50     if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
  51         krb5_set_error_string(context, "krb5_kt_register; prefix too long");
  52         return KRB5_KT_BADNAME;
  53     }
  54
  55     tmp = realloc(context->kt_types,
  56                   (context->num_kt_types + 1) * sizeof(*context->kt_types));
  57     if(tmp == NULL) {
  58         krb5_set_error_string(context, "malloc: out of memory");
  59         return ENOMEM;
  60     }
  61     memcpy(&tmp[context->num_kt_types], ops,
  62            sizeof(tmp[context->num_kt_types]));
  63     context->kt_types = tmp;
  64     context->num_kt_types++;
  65     return 0;
  66 }
  67
  68 /*
  69  * Resolve the keytab name (of the form `type:residual') in `name'
  70  * into a keytab in `id'.
  71  * Return 0 or an error
  72  */
  73
  74 krb5_error_code KRB5_LIB_FUNCTION
  75 krb5_kt_resolve(krb5_context context,
  76                 const char *name,
  77                 krb5_keytab *id)
  78 {
  79     krb5_keytab k;
  80     int i;
  81     const char *type, *residual;
  82     size_t type_len;
  83     krb5_error_code ret;
  84
  85     residual = strchr(name, ':');
  86     if(residual == NULL) {
  87         type = "FILE";
  88         type_len = strlen(type);
  89         residual = name;
  90     } else {
  91         type = name;
  92         type_len = residual - name;
  93         residual++;
  94     }
  95
  96     for(i = 0; i < context->num_kt_types; i++) {
  97         if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0)
  98             break;
  99     }
 100     if(i == context->num_kt_types) {
 101         krb5_set_error_string(context, "unknown keytab type %.*s",
 102                               (int)type_len, type);
 103         return KRB5_KT_UNKNOWN_TYPE;
 104     }
 105
 106     k = malloc (sizeof(*k));
 107     if (k == NULL) {
 108         krb5_set_error_string(context, "malloc: out of memory");
 109         return ENOMEM;
 110     }
 111     memcpy(k, &context->kt_types[i], sizeof(*k));
 112     k->data = NULL;
 113     ret = (*k->resolve)(context, residual, k);
 114     if(ret) {
 115         free(k);
 116         k = NULL;
 117     }
 118     *id = k;
 119     return ret;
 120 }
 121
 122 /*
 123  * copy the name of the default keytab into `name'.
 124  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
 125  */
 126
 127 krb5_error_code KRB5_LIB_FUNCTION
 128 krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
 129 {
 130     if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
 131         krb5_clear_error_string (context);
 132         return KRB5_CONFIG_NOTENUFSPACE;
 133     }
 134     return 0;
 135 }
 136
 137 /*
 138  * copy the name of the default modify keytab into `name'.
 139  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
 140  */
 141
 142 krb5_error_code KRB5_LIB_FUNCTION
 143 krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
 144 {
 145     const char *kt = NULL;
 146     if(context->default_keytab_modify == NULL) {
 147         if(strncasecmp(context->default_keytab, "ANY:", 4) != 0)
 148             kt = context->default_keytab;
 149         else {
 150             size_t len = strcspn(context->default_keytab + 4, ",");
 151             if(len >= namesize) {
 152                 krb5_clear_error_string(context);
 153                 return KRB5_CONFIG_NOTENUFSPACE;
 154             }
 155             strlcpy(name, context->default_keytab + 4, namesize);
 156             name[len] = '\0';
 157             return 0;
 158         }
 159     } else
 160         kt = context->default_keytab_modify;
 161     if (strlcpy (name, kt, namesize) >= namesize) {
 162         krb5_clear_error_string (context);
 163         return KRB5_CONFIG_NOTENUFSPACE;
 164     }
 165     return 0;
 166 }
 167
 168 /*
 169  * Set `id' to the default keytab.
 170  * Return 0 or an error.
 171  */
 172
 173 krb5_error_code KRB5_LIB_FUNCTION
 174 krb5_kt_default(krb5_context context, krb5_keytab *id)
 175 {
 176     return krb5_kt_resolve (context, context->default_keytab, id);
 177 }
 178
 179 /*
 180  * Read the key identified by `(principal, vno, enctype)' from the
 181  * keytab in `keyprocarg' (the default if == NULL) into `*key'.
 182  * Return 0 or an error.
 183  */
 184
 185 krb5_error_code KRB5_LIB_FUNCTION
 186 krb5_kt_read_service_key(krb5_context context,
 187                          krb5_pointer keyprocarg,
 188                          krb5_principal principal,
 189                          krb5_kvno vno,
 190                          krb5_enctype enctype,
 191                          krb5_keyblock **key)
 192 {
 193     krb5_keytab keytab;
 194     krb5_keytab_entry entry;
 195     krb5_error_code ret;
 196
 197     if (keyprocarg)
 198         ret = krb5_kt_resolve (context, keyprocarg, &keytab);
 199     else
 200         ret = krb5_kt_default (context, &keytab);
 201
 202     if (ret)
 203         return ret;
 204
 205     ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
 206     krb5_kt_close (context, keytab);
 207     if (ret)
 208         return ret;
 209     ret = krb5_copy_keyblock (context, &entry.keyblock, key);
 210     krb5_kt_free_entry(context, &entry);
 211     return ret;
 212 }
 213
 214 /*
 215  * Return the type of the `keytab' in the string `prefix of length
 216  * `prefixsize'.
 217  */
 218
 219 krb5_error_code KRB5_LIB_FUNCTION
 220 krb5_kt_get_type(krb5_context context,
 221                  krb5_keytab keytab,
 222                  char *prefix,
 223                  size_t prefixsize)
 224 {
 225     strlcpy(prefix, keytab->prefix, prefixsize);
 226     return 0;
 227 }
 228
 229 /*
 230  * Retrieve the name of the keytab `keytab' into `name', `namesize'
 231  * Return 0 or an error.
 232  */
 233
 234 krb5_error_code KRB5_LIB_FUNCTION
 235 krb5_kt_get_name(krb5_context context,
 236                  krb5_keytab keytab,
 237                  char *name,
 238                  size_t namesize)
 239 {
 240     return (*keytab->get_name)(context, keytab, name, namesize);
 241 }
 242
 243 /*
 244  * Retrieve the full name of the keytab `keytab' and store the name in
 245  * `str'. `str' needs to be freed by the caller using free(3).
 246  * Returns 0 or an error. On error, *str is set to NULL.
 247  */
 248
 249 krb5_error_code KRB5_LIB_FUNCTION
 250 krb5_kt_get_full_name(krb5_context context,
 251                       krb5_keytab keytab,
 252                       char **str)
 253 {
 254     char type[KRB5_KT_PREFIX_MAX_LEN];
 255     char name[MAXPATHLEN];
 256     krb5_error_code ret;
 257
 258     *str = NULL;
 259
 260     ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
 261     if (ret)
 262         return ret;
 263
 264     ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
 265     if (ret)
 266         return ret;
 267
 268     if (asprintf(str, "%s:%s", type, name) == -1) {
 269         krb5_set_error_string(context, "malloc - out of memory");
 270         *str = NULL;
 271         return ENOMEM;
 272     }
 273
 274     return 0;
 275 }
 276
 277 /*
 278  * Finish using the keytab in `id'.  All resources will be released,
 279  * even on errors.  Return 0 or an error.
 280  */
 281
 282 krb5_error_code KRB5_LIB_FUNCTION
 283 krb5_kt_close(krb5_context context,
 284               krb5_keytab id)
 285 {
 286     krb5_error_code ret;
 287
 288     ret = (*id->close)(context, id);
 289     memset(id, 0, sizeof(*id));
 290     free(id);
 291     return ret;
 292 }
 293
 294 /*
 295  * Compare `entry' against `principal, vno, enctype'.
 296  * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
 297  * Return TRUE if they compare the same, FALSE otherwise.
 298  */
 299
 300 krb5_boolean KRB5_LIB_FUNCTION
 301 krb5_kt_compare(krb5_context context,
 302                 krb5_keytab_entry *entry,
 303                 krb5_const_principal principal,
 304                 krb5_kvno vno,
 305                 krb5_enctype enctype)
 306 {
 307     if(principal != NULL &&
 308        !krb5_principal_compare(context, entry->principal, principal))
 309         return FALSE;
 310     if(vno && vno != entry->vno)
 311         return FALSE;
 312     if(enctype && enctype != entry->keyblock.keytype)
 313         return FALSE;
 314     return TRUE;
 315 }
 316
 317 /*
 318  * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
 319  * from the keytab `id'.
 320  * kvno == 0 is a wildcard and gives the keytab with the highest vno.
 321  * Return 0 or an error.
 322  */
 323
 324 krb5_error_code KRB5_LIB_FUNCTION
 325 krb5_kt_get_entry(krb5_context context,
 326                   krb5_keytab id,
 327                   krb5_const_principal principal,
 328                   krb5_kvno kvno,
 329                   krb5_enctype enctype,
 330                   krb5_keytab_entry *entry)
 331 {
 332     krb5_keytab_entry tmp;
 333     krb5_error_code ret;
 334     krb5_kt_cursor cursor;
 335
 336     if(id->get)
 337         return (*id->get)(context, id, principal, kvno, enctype, entry);
 338
 339     ret = krb5_kt_start_seq_get (context, id, &cursor);
 340     if (ret) {
 341         krb5_clear_error_string(context);
 342         return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
 343     }
 344
 345     entry->vno = 0;
 346     while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
 347         if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
 348             /* the file keytab might only store the lower 8 bits of
 349                the kvno, so only compare those bits */
 350             if (kvno == tmp.vno
 351                 || (tmp.vno < 256 && kvno % 256 == tmp.vno)) {
 352                 krb5_kt_copy_entry_contents (context, &tmp, entry);
 353                 krb5_kt_free_entry (context, &tmp);
 354                 krb5_kt_end_seq_get(context, id, &cursor);
 355                 return 0;
 356             } else if (kvno == 0 && tmp.vno > entry->vno) {
 357                 if (entry->vno)
 358                     krb5_kt_free_entry (context, entry);
 359                 krb5_kt_copy_entry_contents (context, &tmp, entry);
 360             }
 361         }
 362         krb5_kt_free_entry(context, &tmp);
 363     }
 364     krb5_kt_end_seq_get (context, id, &cursor);
 365     if (entry->vno) {
 366         return 0;
 367     } else {
 368         char princ[256], kvno_str[25], *kt_name;
 369         char *enctype_str = NULL;
 370
 371         krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
 372         krb5_kt_get_full_name (context, id, &kt_name);
 373         krb5_enctype_to_string(context, enctype, &enctype_str);
 374
 375         if (kvno)
 376             snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
 377         else
 378             kvno_str[0] = '\0';
 379
 380         krb5_set_error_string (context,
 381                                "Failed to find %s%s in keytab %s (%s)",
 382                                princ,
 383                                kvno_str,
 384                                kt_name ? kt_name : "unknown keytab",
 385                                enctype_str ? enctype_str : "unknown enctype");
 386         free(kt_name);
 387         free(enctype_str);
 388         return KRB5_KT_NOTFOUND;
 389     }
 390 }
 391
 392 /*
 393  * Copy the contents of `in' into `out'.
 394  * Return 0 or an error.  */
 395
 396 krb5_error_code KRB5_LIB_FUNCTION
 397 krb5_kt_copy_entry_contents(krb5_context context,
 398                             const krb5_keytab_entry *in,
 399                             krb5_keytab_entry *out)
 400 {
 401     krb5_error_code ret;
 402
 403     memset(out, 0, sizeof(*out));
 404     out->vno = in->vno;
 405
 406     ret = krb5_copy_principal (context, in->principal, &out->principal);
 407     if (ret)
 408         goto fail;
 409     ret = krb5_copy_keyblock_contents (context,
 410                                        &in->keyblock,
 411                                        &out->keyblock);
 412     if (ret)
 413         goto fail;
 414     out->timestamp = in->timestamp;
 415     return 0;
 416 fail:
 417     krb5_kt_free_entry (context, out);
 418     return ret;
 419 }
 420
 421 /*
 422  * Free the contents of `entry'.
 423  */
 424
 425 krb5_error_code KRB5_LIB_FUNCTION
 426 krb5_kt_free_entry(krb5_context context,
 427                    krb5_keytab_entry *entry)
 428 {
 429     krb5_free_principal (context, entry->principal);
 430     krb5_free_keyblock_contents (context, &entry->keyblock);
 431     memset(entry, 0, sizeof(*entry));
 432     return 0;
 433 }
 434
 435 /*
 436  * Set `cursor' to point at the beginning of `id'.
 437  * Return 0 or an error.
 438  */
 439
 440 krb5_error_code KRB5_LIB_FUNCTION
 441 krb5_kt_start_seq_get(krb5_context context,
 442                       krb5_keytab id,
 443                       krb5_kt_cursor *cursor)
 444 {
 445     if(id->start_seq_get == NULL) {
 446         krb5_set_error_string(context,
 447                               "start_seq_get is not supported in the %s "
 448                               " keytab", id->prefix);
 449         return HEIM_ERR_OPNOTSUPP;
 450     }
 451     return (*id->start_seq_get)(context, id, cursor);
 452 }
 453
 454 /*
 455  * Get the next entry from `id' pointed to by `cursor' and advance the
 456  * `cursor'.
 457  * Return 0 or an error.
 458  */
 459
 460 krb5_error_code KRB5_LIB_FUNCTION
 461 krb5_kt_next_entry(krb5_context context,
 462                    krb5_keytab id,
 463                    krb5_keytab_entry *entry,
 464                    krb5_kt_cursor *cursor)
 465 {
 466     if(id->next_entry == NULL) {
 467         krb5_set_error_string(context,
 468                               "next_entry is not supported in the %s "
 469                               " keytab", id->prefix);
 470         return HEIM_ERR_OPNOTSUPP;
 471     }
 472     return (*id->next_entry)(context, id, entry, cursor);
 473 }
 474
 475 /*
 476  * Release all resources associated with `cursor'.
 477  */
 478
 479 krb5_error_code KRB5_LIB_FUNCTION
 480 krb5_kt_end_seq_get(krb5_context context,
 481                     krb5_keytab id,
 482                     krb5_kt_cursor *cursor)
 483 {
 484     if(id->end_seq_get == NULL) {
 485         krb5_set_error_string(context,
 486                               "end_seq_get is not supported in the %s "
 487                               " keytab", id->prefix);
 488         return HEIM_ERR_OPNOTSUPP;
 489     }
 490     return (*id->end_seq_get)(context, id, cursor);
 491 }
 492
 493 /*
 494  * Add the entry in `entry' to the keytab `id'.
 495  * Return 0 or an error.
 496  */
 497
 498 krb5_error_code KRB5_LIB_FUNCTION
 499 krb5_kt_add_entry(krb5_context context,
 500                   krb5_keytab id,
 501                   krb5_keytab_entry *entry)
 502 {
 503     if(id->add == NULL) {
 504         krb5_set_error_string(context, "Add is not supported in the %s keytab",
 505                               id->prefix);
 506         return KRB5_KT_NOWRITE;
 507     }
 508     entry->timestamp = time(NULL);
 509     return (*id->add)(context, id,entry);
 510 }
 511
 512 /*
 513  * Remove the entry `entry' from the keytab `id'.
 514  * Return 0 or an error.
 515  */
 516
 517 krb5_error_code KRB5_LIB_FUNCTION
 518 krb5_kt_remove_entry(krb5_context context,
 519                      krb5_keytab id,
 520                      krb5_keytab_entry *entry)
 521 {
 522     if(id->remove == NULL) {
 523         krb5_set_error_string(context,
 524                               "Remove is not supported in the %s keytab",
 525                               id->prefix);
 526         return KRB5_KT_NOWRITE;
 527     }
 528     return (*id->remove)(context, id, entry);
 529 }