search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / lib / krb5 / kdb / kdb_cpw.c
blob1e0d781cefc07a28cdbd57d8daa5823b61682750
1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * lib/kdb/kdb_cpw.c
8 *
9 * Copyright 1995 by the Massachusetts Institute of Technology.
10 * All Rights Reserved.
11 *
12 * Export of this software from the United States of America may
13 * require a specific license from the United States Government.
14 * It is the responsibility of any person or organization contemplating
15 * export to obtain such a license before exporting.
16 *
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 * distribute this software and its documentation for any purpose and
19 * without fee is hereby granted, provided that the above copyright
20 * notice appear in all copies and that both that copyright notice and
21 * this permission notice appear in supporting documentation, and that
22 * the name of M.I.T. not be used in advertising or publicity pertaining
23 * to distribution of the software without specific, written prior
24 * permission. Furthermore if you modify this software you must label
25 * your software as modified software and not distribute it in such a
26 * fashion that it might be confused with the original M.I.T. software.
27 * M.I.T. makes no representations about the suitability of
28 * this software for any purpose. It is provided "as is" without express
29 * or implied warranty.
30 *
31 */
32
33 /*
34 * Copyright (C) 1998 by the FundsXpress, INC.
35 *
36 * All rights reserved.
37 *
38 * Export of this software from the United States of America may require
39 * a specific license from the United States Government. It is the
40 * responsibility of any person or organization contemplating export to
41 * obtain such a license before exporting.
42 *
43 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
44 * distribute this software and its documentation for any purpose and
45 * without fee is hereby granted, provided that the above copyright
46 * notice appear in all copies and that both that copyright notice and
47 * this permission notice appear in supporting documentation, and that
48 * the name of FundsXpress. not be used in advertising or publicity pertaining
49 * to distribution of the software without specific, written prior
50 * permission. FundsXpress makes no representations about the suitability of
51 * this software for any purpose. It is provided "as is" without express
52 * or implied warranty.
53 *
54 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
55 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
56 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
57 */
58
59 #include "k5-int.h"
60 #include "kdb.h"
61 #include <stdio.h>
62 #include <errno.h>
63
64 static int
65 get_key_data_kvno(context, count, data)
66 krb5_context context;
67 int count;
68 krb5_key_data * data;
69 {
70 int i, kvno;
71 /* Find last key version number */
72 for (kvno = i = 0; i < count; i++) {
73 if (kvno < data[i].key_data_kvno) {
74 kvno = data[i].key_data_kvno;
75 }
76 }
77 return(kvno);
78 }
79
80 static void
81 cleanup_key_data(context, count, data)
82 krb5_context context;
83 int count;
84 krb5_key_data * data;
85 {
86 int i, j;
87
88 /* If data is NULL, count is always 0 */
89 if (data == NULL) return;
90
91 for (i = 0; i < count; i++) {
92 for (j = 0; j < data[i].key_data_ver; j++) {
93 if (data[i].key_data_length[j]) {
94 krb5_db_free(context, data[i].key_data_contents[j]);
95 }
96 }
97 }
98 krb5_db_free(context, data);
99 }
100
101 static krb5_error_code
102 add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
103 krb5_context context;
104 krb5_keyblock * master_key;
105 krb5_key_salt_tuple * ks_tuple;
106 int ks_tuple_count;
107 krb5_db_entry * db_entry;
108 int kvno;
109 {
110 krb5_principal krbtgt_princ;
111 krb5_keyblock key;
112 krb5_db_entry krbtgt_entry;
113 krb5_boolean more;
114 int max_kvno, one, i, j, k;
115 krb5_error_code retval;
116 krb5_key_data tmp_key_data;
117 krb5_key_data *tptr;
118
119 memset( &tmp_key_data, 0, sizeof(tmp_key_data));
120
121
122 retval = krb5_build_principal_ext(context, &krbtgt_princ,
123 db_entry->princ->realm.length,
124 db_entry->princ->realm.data,
125 KRB5_TGS_NAME_SIZE,
126 KRB5_TGS_NAME,
127 db_entry->princ->realm.length,
128 db_entry->princ->realm.data,
129 0);
130 if (retval)
131 return retval;
132
133 /* Get tgt from database */
134 retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry,
135 &one, &more);
136 krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */
137 if (retval)
138 return(retval);
139 if ((one > 1) || (more)) {
140 krb5_db_free_principal(context, &krbtgt_entry, one);
141 return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
142 }
143 if (!one)
144 return KRB5_KDB_NOENTRY;
145
146 /* Get max kvno */
147 for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) {
148 if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) {
149 max_kvno = krbtgt_entry.key_data[j].key_data_kvno;
150 }
151 }
152
153 for (i = 0; i < ks_tuple_count; i++) {
154 krb5_boolean similar;
155
156 similar = 0;
157
158 /*
159 * We could use krb5_keysalt_iterate to replace this loop, or use
160 * krb5_keysalt_is_present for the loop below, but we want to avoid
161 * circular library dependencies.
162 */
163 for (j = 0; j < i; j++) {
164 if ((retval = krb5_c_enctype_compare(context,
165 ks_tuple[i].ks_enctype,
166 ks_tuple[j].ks_enctype,
167 &similar)))
168 return(retval);
169
170 if (similar)
171 break;
172 }
173
174 if (similar)
175 continue;
176
177 if ((retval = krb5_dbe_create_key_data(context, db_entry)))
178 goto add_key_rnd_err;
179
180 /* there used to be code here to extract the old key, and derive
181 a new key from it. Now that there's a unified prng, that isn't
182 necessary. */
183
184 /* make new key */
185 if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype,
186 &key)))
187 goto add_key_rnd_err;
188
189
190 /* db library will free this. Since, its a so, it could actually be using different memory management
191 function. So, its better if the memory is allocated by the db's malloc. So, a temporary memory is used
192 here which will later be copied to the db_entry */
193 retval = krb5_dbekd_encrypt_key_data(context, master_key,
194 &key, NULL, kvno,
195 &tmp_key_data);
196
197 krb5_free_keyblock_contents(context, &key);
198 if( retval )
199 goto add_key_rnd_err;
200
201 tptr = &db_entry->key_data[db_entry->n_key_data-1];
202
203 tptr->key_data_ver = tmp_key_data.key_data_ver;
204 tptr->key_data_kvno = tmp_key_data.key_data_kvno;
205
206 for( k = 0; k < tmp_key_data.key_data_ver; k++ )
207 {
208 tptr->key_data_type[k] = tmp_key_data.key_data_type[k];
209 tptr->key_data_length[k] = tmp_key_data.key_data_length[k];
210 if( tmp_key_data.key_data_contents[k] )
211 {
212 tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]);
213 if( tptr->key_data_contents[k] == NULL )
214 {
215 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
216 db_entry->key_data = NULL;
217 db_entry->n_key_data = 0;
218 retval = ENOMEM;
219 goto add_key_rnd_err;
220 }
221 memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
222
223 memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
224 free( tmp_key_data.key_data_contents[k] );
225 tmp_key_data.key_data_contents[k] = NULL;
226 }
227 }
228
229 }
230
231 add_key_rnd_err:
232 krb5_db_free_principal(context, &krbtgt_entry, one);
233
234 for( i = 0; i < tmp_key_data.key_data_ver; i++ )
235 {
236 if( tmp_key_data.key_data_contents[i] )
237 {
238 memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
239 free( tmp_key_data.key_data_contents[i] );
240 }
241 }
242 return(retval);
243 }
244
245 /*
246 * Change random key for a krb5_db_entry
247 * Assumes the max kvno
248 *
249 * As a side effect all old keys are nuked if keepold is false.
250 */
251 krb5_error_code
252 krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, keepold, db_entry)
253 krb5_context context;
254 krb5_keyblock * master_key;
255 krb5_key_salt_tuple * ks_tuple;
256 int ks_tuple_count;
257 krb5_boolean keepold;
258 krb5_db_entry * db_entry;
259 {
260 int key_data_count;
261 int n_new_key_data;
262 krb5_key_data * key_data;
263 krb5_error_code retval;
264 int kvno;
265 int i;
266
267 /* First save the old keydata */
268 kvno = get_key_data_kvno(context, db_entry->n_key_data, db_entry->key_data);
269 key_data_count = db_entry->n_key_data;
270 key_data = db_entry->key_data;
271 db_entry->key_data = NULL;
272 db_entry->n_key_data = 0;
273
274 /* increment the kvno */
275 kvno++;
276
277 retval = add_key_rnd(context, master_key, ks_tuple,
278 ks_tuple_count, db_entry, kvno);
279 if (retval) {
280 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
281 db_entry->n_key_data = key_data_count;
282 db_entry->key_data = key_data;
283 } else if (keepold) {
284 n_new_key_data = db_entry->n_key_data;
285 for (i = 0; i < key_data_count; i++) {
286 retval = krb5_dbe_create_key_data(context, db_entry);
287 if (retval) {
288 cleanup_key_data(context, db_entry->n_key_data,
289 db_entry->key_data);
290 break;
291 }
292 db_entry->key_data[i+n_new_key_data] = key_data[i];
293 memset(&key_data[i], 0, sizeof(krb5_key_data));
294 }
295 krb5_db_free(context, key_data); /* we moved the cotents to new memory. But, the original block which contained the data */
296 } else {
297 cleanup_key_data(context, key_data_count, key_data);
298 }
299 return(retval);
300 }
301
302 /*
303 * Add random key for a krb5_db_entry
304 * Assumes the max kvno
305 *
306 * As a side effect all old keys older than the max kvno are nuked.
307 */
308 krb5_error_code
309 krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry)
310 krb5_context context;
311 krb5_keyblock * master_key;
312 krb5_key_salt_tuple * ks_tuple;
313 int ks_tuple_count;
314 krb5_db_entry * db_entry;
315 {
316 int key_data_count;
317 krb5_key_data * key_data;
318 krb5_error_code retval;
319 int kvno;
320 int i;
321
322 /* First save the old keydata */
323 kvno = get_key_data_kvno(context, db_entry->n_key_data, db_entry->key_data);
324 key_data_count = db_entry->n_key_data;
325 key_data = db_entry->key_data;
326 db_entry->key_data = NULL;
327 db_entry->n_key_data = 0;
328
329 /* increment the kvno */
330 kvno++;
331
332 if ((retval = add_key_rnd(context, master_key, ks_tuple,
333 ks_tuple_count, db_entry, kvno))) {
334 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
335 db_entry->n_key_data = key_data_count;
336 db_entry->key_data = key_data;
337 } else {
338 /* Copy keys with key_data_kvno == kvno - 1 ( = old kvno ) */
339 for (i = 0; i < key_data_count; i++) {
340 if (key_data[i].key_data_kvno == (kvno - 1)) {
341 if ((retval = krb5_dbe_create_key_data(context, db_entry))) {
342 cleanup_key_data(context, db_entry->n_key_data,
343 db_entry->key_data);
344 break;
345 }
346 /* We should decrypt/re-encrypt the data to use the same mkvno*/
347 db_entry->key_data[db_entry->n_key_data - 1] = key_data[i];
348 memset(&key_data[i], 0, sizeof(krb5_key_data));
349 }
350 }
351 cleanup_key_data(context, key_data_count, key_data);
352 }
353 return(retval);
354 }
355
356 /*
357 * Add key_data for a krb5_db_entry
358 * If passwd is NULL the assumes that the caller wants a random password.
359 */
360 static krb5_error_code
361 add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
362 db_entry, kvno)
363 krb5_context context;
364 krb5_keyblock * master_key;
365 krb5_key_salt_tuple * ks_tuple;
366 int ks_tuple_count;
367 char * passwd;
368 krb5_db_entry * db_entry;
369 int kvno;
370 {
371 krb5_error_code retval;
372 krb5_keysalt key_salt;
373 krb5_keyblock key;
374 krb5_data pwd;
375 int i, j, k;
376 krb5_key_data tmp_key_data;
377 krb5_key_data *tptr;
378
379 memset( &tmp_key_data, 0, sizeof(tmp_key_data));
380
381 retval = 0;
382
383 for (i = 0; i < ks_tuple_count; i++) {
384 krb5_boolean similar;
385
386 similar = 0;
387
388 /*
389 * We could use krb5_keysalt_iterate to replace this loop, or use
390 * krb5_keysalt_is_present for the loop below, but we want to avoid
391 * circular library dependencies.
392 */
393 for (j = 0; j < i; j++) {
394 if ((retval = krb5_c_enctype_compare(context,
395 ks_tuple[i].ks_enctype,
396 ks_tuple[j].ks_enctype,
397 &similar)))
398 return(retval);
399
400 if (similar &&
401 (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
402 break;
403 }
404
405 if (j < i)
406 continue;
407
408 if ((retval = krb5_dbe_create_key_data(context, db_entry)))
409 return(retval);
410
411 /* Convert password string to key using appropriate salt */
412 switch (key_salt.type = ks_tuple[i].ks_salttype) {
413 case KRB5_KDB_SALTTYPE_ONLYREALM: {
414 krb5_data * saltdata;
415 if ((retval = krb5_copy_data(context, krb5_princ_realm(context,
416 db_entry->princ), &saltdata)))
417 return(retval);
418
419 key_salt.data = *saltdata;
420 krb5_xfree(saltdata);
421 }
422 break;
423 case KRB5_KDB_SALTTYPE_NOREALM:
424 if ((retval=krb5_principal2salt_norealm(context, db_entry->princ,
425 &key_salt.data)))
426 return(retval);
427 break;
428 case KRB5_KDB_SALTTYPE_NORMAL:
429 if ((retval = krb5_principal2salt(context, db_entry->princ,
430 &key_salt.data)))
431 return(retval);
432 break;
433 case KRB5_KDB_SALTTYPE_V4:
434 key_salt.data.length = 0;
435 key_salt.data.data = 0;
436 break;
437 case KRB5_KDB_SALTTYPE_AFS3: {
438 #if 0
439 krb5_data * saltdata;
440 if (retval = krb5_copy_data(context, krb5_princ_realm(context,
441 db_entry->princ), &saltdata))
442 return(retval);
443
444 key_salt.data = *saltdata;
445 key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
446 krb5_xfree(saltdata);
447 #else
448 /* Why do we do this? Well, the afs_mit_string_to_key needs to
449 use strlen, and the realm is not NULL terminated.... */
450 unsigned int slen =
451 (*krb5_princ_realm(context,db_entry->princ)).length;
452 if(!(key_salt.data.data = (char *) malloc(slen+1)))
453 return ENOMEM;
454 key_salt.data.data[slen] = 0;
455 memcpy((char *)key_salt.data.data,
456 (char *)(*krb5_princ_realm(context,db_entry->princ)).data,
457 slen);
458 key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
459 #endif
460
461 }
462 break;
463 default:
464 return(KRB5_KDB_BAD_SALTTYPE);
465 }
466
467 pwd.data = passwd;
468 pwd.length = strlen(passwd);
469
470 /* Solaris Kerberos */
471 memset(&key, 0, sizeof (krb5_keyblock));
472
473 /* AFS string to key will happen here */
474 if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype,
475 &pwd, &key_salt.data, &key))) {
476 if (key_salt.data.data)
477 free(key_salt.data.data);
478 return(retval);
479 }
480
481 if (key_salt.data.length == SALT_TYPE_AFS_LENGTH)
482 key_salt.data.length =
483 krb5_princ_realm(context, db_entry->princ)->length;
484
485 /* memory allocation to be done by db. So, use temporary block and later copy
486 it to the memory allocated by db */
487 retval = krb5_dbekd_encrypt_key_data(context, master_key, &key,
488 (const krb5_keysalt *)&key_salt,
489 kvno, &tmp_key_data);
490 if (key_salt.data.data)
491 free(key_salt.data.data);
492
493 /* Solaris Kerberos */
494 krb5_free_keyblock_contents(context, &key);
495
496 if( retval )
497 return retval;
498
499 tptr = &db_entry->key_data[db_entry->n_key_data-1];
500
501 tptr->key_data_ver = tmp_key_data.key_data_ver;
502 tptr->key_data_kvno = tmp_key_data.key_data_kvno;
503
504 for( k = 0; k < tmp_key_data.key_data_ver; k++ )
505 {
506 tptr->key_data_type[k] = tmp_key_data.key_data_type[k];
507 tptr->key_data_length[k] = tmp_key_data.key_data_length[k];
508 if( tmp_key_data.key_data_contents[k] )
509 {
510 tptr->key_data_contents[k] = krb5_db_alloc(context, NULL, tmp_key_data.key_data_length[k]);
511 if( tptr->key_data_contents[k] == NULL )
512 {
513 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
514 db_entry->key_data = NULL;
515 db_entry->n_key_data = 0;
516 retval = ENOMEM;
517 goto add_key_pwd_err;
518 }
519 memcpy( tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
520
521 memset( tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
522 free( tmp_key_data.key_data_contents[k] );
523 tmp_key_data.key_data_contents[k] = NULL;
524 }
525 }
526 }
527 add_key_pwd_err:
528 for( i = 0; i < tmp_key_data.key_data_ver; i++ )
529 {
530 if( tmp_key_data.key_data_contents[i] )
531 {
532 memset( tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
533 free( tmp_key_data.key_data_contents[i] );
534 }
535 }
536
537 return(retval);
538 }
539
540 /*
541 * Change password for a krb5_db_entry
542 * Assumes the max kvno
543 *
544 * As a side effect all old keys are nuked if keepold is false.
545 */
546 krb5_error_code
547 krb5_dbe_def_cpw(context, master_key, ks_tuple, ks_tuple_count, passwd,
548 new_kvno, keepold, db_entry)
549 krb5_context context;
550 krb5_keyblock * master_key;
551 krb5_key_salt_tuple * ks_tuple;
552 int ks_tuple_count;
553 char * passwd;
554 int new_kvno;
555 krb5_boolean keepold;
556 krb5_db_entry * db_entry;
557 {
558 int key_data_count;
559 int n_new_key_data;
560 krb5_key_data * key_data;
561 krb5_error_code retval;
562 int old_kvno;
563 int i;
564
565 /* First save the old keydata */
566 old_kvno = get_key_data_kvno(context, db_entry->n_key_data,
567 db_entry->key_data);
568 key_data_count = db_entry->n_key_data;
569 key_data = db_entry->key_data;
570 db_entry->key_data = NULL;
571 db_entry->n_key_data = 0;
572
573 /* increment the kvno. if the requested kvno is too small,
574 increment the old kvno */
575 if (new_kvno < old_kvno+1)
576 new_kvno = old_kvno+1;
577
578 retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
579 passwd, db_entry, new_kvno);
580 if (retval) {
581 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
582 db_entry->n_key_data = key_data_count;
583 db_entry->key_data = key_data;
584 } else if (keepold) {
585 n_new_key_data = db_entry->n_key_data;
586 for (i = 0; i < key_data_count; i++) {
587 retval = krb5_dbe_create_key_data(context, db_entry);
588 if (retval) {
589 cleanup_key_data(context, db_entry->n_key_data,
590 db_entry->key_data);
591 break;
592 }
593 db_entry->key_data[i+n_new_key_data] = key_data[i];
594 memset(&key_data[i], 0, sizeof(krb5_key_data));
595 }
596 krb5_db_free( context, key_data );
597 } else {
598 cleanup_key_data(context, key_data_count, key_data);
599 }
600 return(retval);
601 }
602
603 /*
604 * Add password for a krb5_db_entry
605 * Assumes the max kvno
606 *
607 * As a side effect all old keys older than the max kvno are nuked.
608 */
609 krb5_error_code
610 krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry)
611 krb5_context context;
612 krb5_keyblock * master_key;
613 krb5_key_salt_tuple * ks_tuple;
614 int ks_tuple_count;
615 char * passwd;
616 krb5_db_entry * db_entry;
617 {
618 int key_data_count;
619 krb5_key_data * key_data;
620 krb5_error_code retval;
621 int old_kvno, new_kvno;
622 int i;
623
624 /* First save the old keydata */
625 old_kvno = get_key_data_kvno(context, db_entry->n_key_data,
626 db_entry->key_data);
627 key_data_count = db_entry->n_key_data;
628 key_data = db_entry->key_data;
629 db_entry->key_data = NULL;
630 db_entry->n_key_data = 0;
631
632 /* increment the kvno */
633 new_kvno = old_kvno+1;
634
635 if ((retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
636 passwd, db_entry, new_kvno))) {
637 cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
638 db_entry->n_key_data = key_data_count;
639 db_entry->key_data = key_data;
640 } else {
641 /* Copy keys with key_data_kvno == old_kvno */
642 for (i = 0; i < key_data_count; i++) {
643 if (key_data[i].key_data_kvno == old_kvno) {
644 if ((retval = krb5_dbe_create_key_data(context, db_entry))) {
645 cleanup_key_data(context, db_entry->n_key_data,
646 db_entry->key_data);
647 break;
648 }
649 /* We should decrypt/re-encrypt the data to use the same mkvno*/
650 db_entry->key_data[db_entry->n_key_data - 1] = key_data[i];
651 memset(&key_data[i], 0, sizeof(krb5_key_data));
652 }
653 }
654 cleanup_key_data(context, key_data_count, key_data);
655 }
656 return(retval);
657 }
658
659
unleashed repo fork