Line data Source code
1 : /*
2 : * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "krb5_locl.h"
35 : #include "hdb_locl.h"
36 :
37 : #include <pkinit_asn1.h>
38 : #include <base64.h>
39 :
40 : /*
41 : * free all the memory used by (len, keys)
42 : */
43 :
44 : void
45 0 : hdb_free_keys(krb5_context context, int len, Key *keys)
46 : {
47 0 : size_t i;
48 :
49 0 : for (i = 0; i < len; i++) {
50 0 : free(keys[i].mkvno);
51 0 : keys[i].mkvno = NULL;
52 0 : if (keys[i].salt != NULL) {
53 0 : free_Salt(keys[i].salt);
54 0 : free(keys[i].salt);
55 0 : keys[i].salt = NULL;
56 : }
57 0 : krb5_free_keyblock_contents(context, &keys[i].key);
58 : }
59 0 : free (keys);
60 0 : }
61 :
62 : /*
63 : * for each entry in `default_keys' try to parse it as a sequence
64 : * of etype:salttype:salt, syntax of this if something like:
65 : * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
66 : * means all etypes, and if string is omitted is means the default
67 : * string (for that principal). Additional special values:
68 : * v5 == pw-salt, and
69 : * v4 == des:pw-salt:
70 : * afs or afs3 == des:afs3-salt
71 : */
72 :
73 : static const krb5_enctype des_etypes[] = {
74 : KRB5_ENCTYPE_DES_CBC_MD5,
75 : KRB5_ENCTYPE_DES_CBC_MD4,
76 : KRB5_ENCTYPE_DES_CBC_CRC
77 : };
78 :
79 : static const krb5_enctype all_etypes[] = {
80 : KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
81 : KRB5_ENCTYPE_DES3_CBC_SHA1,
82 : KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
83 : };
84 :
85 : static krb5_error_code
86 0 : parse_key_set(krb5_context context, const char *key,
87 : krb5_enctype **ret_enctypes, size_t *ret_num_enctypes,
88 : krb5_salt *salt, krb5_principal principal)
89 : {
90 0 : const char *p;
91 0 : char buf[3][256];
92 0 : int num_buf = 0;
93 0 : int i, num_enctypes = 0;
94 0 : krb5_enctype e;
95 0 : const krb5_enctype *enctypes = NULL;
96 0 : krb5_error_code ret;
97 :
98 0 : p = key;
99 :
100 0 : *ret_enctypes = NULL;
101 0 : *ret_num_enctypes = 0;
102 :
103 : /* split p in a list of :-separated strings */
104 0 : for(num_buf = 0; num_buf < 3; num_buf++)
105 0 : if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
106 0 : break;
107 :
108 0 : salt->saltvalue.data = NULL;
109 0 : salt->saltvalue.length = 0;
110 :
111 0 : for(i = 0; i < num_buf; i++) {
112 0 : if(enctypes == NULL && num_buf > 1) {
113 : /* this might be a etype specifier */
114 : /* XXX there should be a string_to_etypes handling
115 : special cases like `des' and `all' */
116 0 : if(strcmp(buf[i], "des") == 0) {
117 0 : enctypes = des_etypes;
118 0 : num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
119 0 : } else if(strcmp(buf[i], "des3") == 0) {
120 0 : e = KRB5_ENCTYPE_DES3_CBC_SHA1;
121 0 : enctypes = &e;
122 0 : num_enctypes = 1;
123 : } else {
124 0 : ret = krb5_string_to_enctype(context, buf[i], &e);
125 0 : if (ret == 0) {
126 0 : enctypes = &e;
127 0 : num_enctypes = 1;
128 : } else
129 0 : return ret;
130 : }
131 0 : continue;
132 : }
133 0 : if(salt->salttype == 0) {
134 : /* interpret string as a salt specifier, if no etype
135 : is set, this sets default values */
136 : /* XXX should perhaps use string_to_salttype, but that
137 : interface sucks */
138 0 : if(strcmp(buf[i], "pw-salt") == 0) {
139 0 : if(enctypes == NULL) {
140 0 : enctypes = all_etypes;
141 0 : num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
142 : }
143 0 : salt->salttype = KRB5_PW_SALT;
144 0 : } else if(strcmp(buf[i], "afs3-salt") == 0) {
145 0 : if(enctypes == NULL) {
146 0 : enctypes = des_etypes;
147 0 : num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
148 : }
149 0 : salt->salttype = KRB5_AFS3_SALT;
150 : }
151 0 : continue;
152 : }
153 :
154 0 : if (salt->saltvalue.data != NULL)
155 0 : free(salt->saltvalue.data);
156 : /* if there is a final string, use it as the string to
157 : salt with, this is mostly useful with null salt for
158 : v4 compat, and a cell name for afs compat */
159 0 : salt->saltvalue.data = strdup(buf[i]);
160 0 : if (salt->saltvalue.data == NULL)
161 0 : return krb5_enomem(context);
162 0 : salt->saltvalue.length = strlen(buf[i]);
163 : }
164 :
165 0 : if(enctypes == NULL || salt->salttype == 0) {
166 0 : krb5_free_salt(context, *salt);
167 0 : krb5_set_error_message(context, EINVAL, "bad value for default_keys `%s'", key);
168 0 : return EINVAL;
169 : }
170 :
171 : /* if no salt was specified make up default salt */
172 0 : if(salt->saltvalue.data == NULL) {
173 0 : if(salt->salttype == KRB5_PW_SALT) {
174 0 : ret = krb5_get_pw_salt(context, principal, salt);
175 0 : if (ret)
176 0 : return ret;
177 0 : } else if(salt->salttype == KRB5_AFS3_SALT) {
178 0 : krb5_const_realm realm = krb5_principal_get_realm(context, principal);
179 0 : salt->saltvalue.data = strdup(realm);
180 0 : if(salt->saltvalue.data == NULL) {
181 0 : krb5_set_error_message(context, ENOMEM,
182 : "out of memory while "
183 : "parsing salt specifiers");
184 0 : return ENOMEM;
185 : }
186 0 : strlwr(salt->saltvalue.data);
187 0 : salt->saltvalue.length = strlen(realm);
188 : }
189 : }
190 :
191 0 : *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
192 0 : if (*ret_enctypes == NULL) {
193 0 : krb5_free_salt(context, *salt);
194 0 : krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
195 0 : return ENOMEM;
196 : }
197 0 : memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
198 0 : *ret_num_enctypes = num_enctypes;
199 :
200 0 : return 0;
201 : }
202 :
203 : /**
204 : * This function prunes an HDB entry's historic keys by kvno.
205 : *
206 : * @param context Context
207 : * @param entry HDB entry
208 : * @param kvno Keyset kvno to prune, or zero to prune all too-old keys
209 : */
210 : krb5_error_code
211 0 : hdb_prune_keys_kvno(krb5_context context, hdb_entry *entry, int kvno)
212 : {
213 0 : HDB_extension *ext;
214 0 : HDB_Ext_KeySet *keys;
215 0 : hdb_keyset *elem;
216 0 : time_t keep_time = 0;
217 0 : size_t nelem;
218 0 : size_t i;
219 :
220 : /*
221 : * XXX Pruning old keys for namespace principals may not be desirable, but!
222 : * as long as the `set_time's of the base keys for a namespace principal
223 : * match the `epoch's of the corresponding KeyRotation periods, it will be
224 : * perfectly acceptable to prune old [base] keys for namespace principals
225 : * just as for any other principal. Therefore, we may not need to make any
226 : * changes here w.r.t. namespace principals.
227 : */
228 :
229 0 : ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
230 0 : if (ext == NULL)
231 0 : return 0;
232 0 : keys = &ext->data.u.hist_keys;
233 0 : nelem = keys->len;
234 :
235 : /*
236 : * Optionally drop key history for keys older than now - max_life, which is
237 : * all the keys no longer needed to decrypt extant tickets.
238 : */
239 0 : if (kvno == 0 && entry->max_life != NULL && nelem > 0) {
240 0 : time_t ceiling = time(NULL) - *entry->max_life;
241 :
242 : /*
243 : * Compute most recent key timestamp that predates the current time
244 : * by at least the entry's maximum ticket lifetime.
245 : */
246 0 : for (i = 0; i < nelem; ++i) {
247 0 : elem = &keys->val[i];
248 0 : if (elem->set_time && *elem->set_time < ceiling
249 0 : && (keep_time == 0 || *elem->set_time > keep_time))
250 0 : keep_time = *elem->set_time;
251 : }
252 : }
253 :
254 0 : if (kvno == 0 && keep_time == 0)
255 0 : return 0;
256 :
257 0 : for (i = 0; i < nelem; /* see below */) {
258 0 : elem = &keys->val[i];
259 0 : if ((kvno && kvno == elem->kvno) ||
260 0 : (keep_time && elem->set_time && *elem->set_time < keep_time)) {
261 0 : remove_HDB_Ext_KeySet(keys, i);
262 : /*
263 : * Removing the i'th element shifts the tail down, continue
264 : * at same index with reduced upper bound.
265 : */
266 0 : --nelem;
267 0 : continue;
268 : }
269 0 : ++i;
270 : }
271 :
272 0 : return 0;
273 : }
274 :
275 : /**
276 : * This function prunes an HDB entry's keys that are too old to have been used
277 : * to mint still valid tickets (based on the entry's maximum ticket lifetime).
278 : *
279 : * @param context Context
280 : * @param entry HDB entry
281 : */
282 : krb5_error_code
283 0 : hdb_prune_keys(krb5_context context, hdb_entry *entry)
284 : {
285 0 : if (!krb5_config_get_bool_default(context, NULL, FALSE,
286 : "kadmin", "prune-key-history", NULL))
287 0 : return 0;
288 0 : return hdb_prune_keys_kvno(context, entry, 0);
289 : }
290 :
291 : /**
292 : * This function adds a keyset to an HDB entry's key history.
293 : *
294 : * @param context Context
295 : * @param entry HDB entry
296 : * @param kvno Key version number of the key to add to the history
297 : * @param key The Key to add
298 : */
299 : krb5_error_code
300 0 : hdb_add_history_keyset(krb5_context context,
301 : hdb_entry *entry,
302 : const hdb_keyset *ks)
303 : {
304 0 : size_t i;
305 0 : HDB_Ext_KeySet *hist_keys;
306 0 : HDB_extension ext;
307 0 : HDB_extension *extp;
308 0 : krb5_error_code ret = 0;
309 :
310 0 : memset(&ext, 0, sizeof (ext));
311 :
312 0 : extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
313 0 : if (extp == NULL) {
314 0 : ext.mandatory = FALSE;
315 0 : ext.data.element = choice_HDB_extension_data_hist_keys;
316 0 : ext.data.u.hist_keys.len = 0;
317 0 : ext.data.u.hist_keys.val = 0;
318 0 : extp = &ext;
319 : }
320 0 : hist_keys = &extp->data.u.hist_keys;
321 :
322 0 : for (i = 0; i < hist_keys->len; i++) {
323 0 : if (hist_keys->val[i].kvno == ks->kvno) {
324 : /* Replace existing */
325 0 : free_HDB_keyset(&hist_keys->val[i]);
326 0 : ret = copy_HDB_keyset(ks, &hist_keys->val[i]);
327 0 : break;
328 : }
329 : }
330 0 : if (i >= hist_keys->len)
331 0 : ret = add_HDB_Ext_KeySet(hist_keys, ks); /* Append new */
332 0 : if (ret == 0 && extp == &ext)
333 0 : ret = hdb_replace_extension(context, entry, &ext);
334 0 : free_HDB_extension(&ext);
335 0 : return ret;
336 : }
337 :
338 : /**
339 : * This function adds an HDB entry's current keyset to the entry's key
340 : * history. The current keyset is left alone; the caller is responsible
341 : * for freeing it.
342 : *
343 : * @param context Context
344 : * @param entry HDB entry
345 : *
346 : * @return Zero on success, or an error code otherwise.
347 : */
348 : krb5_error_code
349 0 : hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
350 : {
351 0 : krb5_error_code ret;
352 0 : hdb_keyset ks;
353 0 : time_t newtime;
354 :
355 0 : if (entry->keys.len == 0)
356 0 : return 0; /* nothing to do */
357 :
358 0 : ret = hdb_entry_get_pw_change_time(entry, &newtime);
359 0 : if (ret)
360 0 : return ret;
361 :
362 0 : ks.keys = entry->keys;
363 0 : ks.kvno = entry->kvno;
364 0 : ks.set_time = &newtime;
365 :
366 0 : ret = hdb_add_history_keyset(context, entry, &ks);
367 0 : if (ret == 0)
368 0 : ret = hdb_prune_keys(context, entry);
369 0 : return ret;
370 : }
371 :
372 : /**
373 : * This function adds a key to an HDB entry's key history.
374 : *
375 : * @param context Context
376 : * @param entry HDB entry
377 : * @param kvno Key version number of the key to add to the history
378 : * @param key The Key to add
379 : *
380 : * @return Zero on success, or an error code otherwise.
381 : */
382 : krb5_error_code
383 6950 : hdb_add_history_key(krb5_context context, hdb_entry *entry, krb5_kvno kvno, Key *key)
384 : {
385 72 : size_t i;
386 72 : hdb_keyset keyset;
387 72 : HDB_Ext_KeySet *hist_keys;
388 72 : HDB_extension ext;
389 72 : HDB_extension *extp;
390 72 : krb5_error_code ret;
391 :
392 6950 : memset(&keyset, 0, sizeof (keyset));
393 6950 : memset(&ext, 0, sizeof (ext));
394 :
395 6950 : extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
396 6950 : if (extp == NULL) {
397 1645 : ext.data.element = choice_HDB_extension_data_hist_keys;
398 1645 : extp = &ext;
399 : }
400 :
401 6950 : extp->mandatory = FALSE;
402 6950 : hist_keys = &extp->data.u.hist_keys;
403 :
404 9162 : for (i = 0; i < hist_keys->len; i++) {
405 6717 : if (hist_keys->val[i].kvno == kvno) {
406 4505 : ret = add_Keys(&hist_keys->val[i].keys, key);
407 4505 : goto out;
408 : }
409 : }
410 :
411 2445 : keyset.kvno = kvno;
412 2445 : ret = add_Keys(&keyset.keys, key);
413 2445 : if (ret)
414 0 : goto out;
415 2445 : ret = add_HDB_Ext_KeySet(hist_keys, &keyset);
416 2445 : if (ret)
417 0 : goto out;
418 2445 : if (extp == &ext) {
419 1645 : ret = hdb_replace_extension(context, entry, &ext);
420 1645 : if (ret)
421 0 : goto out;
422 : }
423 :
424 2445 : out:
425 6950 : free_HDB_keyset(&keyset);
426 6950 : free_HDB_extension(&ext);
427 6950 : return ret;
428 : }
429 :
430 : /**
431 : * This function changes an hdb_entry's kvno, swapping the current key
432 : * set with a historical keyset. If no historical keys are found then
433 : * an error is returned (the caller can still set entry->kvno directly).
434 : *
435 : * @param context krb5_context
436 : * @param new_kvno New kvno for the entry
437 : * @param entry hdb_entry to modify
438 : */
439 : krb5_error_code
440 0 : hdb_change_kvno(krb5_context context, krb5_kvno new_kvno, hdb_entry *entry)
441 : {
442 0 : HDB_extension ext;
443 0 : HDB_extension *extp;
444 0 : hdb_keyset keyset;
445 0 : HDB_Ext_KeySet *hist_keys;
446 0 : size_t i;
447 0 : int found = 0;
448 0 : krb5_error_code ret;
449 :
450 0 : if (entry->kvno == new_kvno)
451 0 : return 0;
452 :
453 0 : extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
454 0 : if (extp == NULL) {
455 0 : memset(&ext, 0, sizeof (ext));
456 0 : ext.data.element = choice_HDB_extension_data_hist_keys;
457 0 : extp = &ext;
458 : }
459 :
460 0 : memset(&keyset, 0, sizeof (keyset));
461 0 : hist_keys = &extp->data.u.hist_keys;
462 0 : for (i = 0; i < hist_keys->len; i++) {
463 0 : if (hist_keys->val[i].kvno == new_kvno) {
464 0 : found = 1;
465 0 : ret = copy_HDB_keyset(&hist_keys->val[i], &keyset);
466 0 : if (ret)
467 0 : goto out;
468 0 : ret = remove_HDB_Ext_KeySet(hist_keys, i);
469 0 : if (ret)
470 0 : goto out;
471 0 : break;
472 : }
473 : }
474 :
475 0 : if (!found)
476 0 : return HDB_ERR_KVNO_NOT_FOUND;
477 :
478 0 : ret = hdb_add_current_keys_to_history(context, entry);
479 0 : if (ret)
480 0 : goto out;
481 :
482 : /* Note: we do nothing with keyset.set_time */
483 0 : entry->kvno = new_kvno;
484 0 : entry->keys = keyset.keys; /* shortcut */
485 0 : memset(&keyset.keys, 0, sizeof (keyset.keys));
486 :
487 0 : out:
488 0 : free_HDB_keyset(&keyset);
489 0 : return ret;
490 : }
491 :
492 :
493 : static krb5_error_code
494 0 : add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
495 : krb5_enctype enctype, krb5_salt *salt)
496 : {
497 0 : krb5_error_code ret;
498 0 : Key key, *tmp;
499 :
500 0 : memset(&key, 0, sizeof(key));
501 :
502 0 : tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0]));
503 0 : if (tmp == NULL)
504 0 : return ENOMEM;
505 :
506 0 : *key_set = tmp;
507 :
508 0 : key.key.keytype = enctype;
509 0 : key.key.keyvalue.length = 0;
510 0 : key.key.keyvalue.data = NULL;
511 :
512 0 : if (salt) {
513 0 : key.salt = calloc(1, sizeof(*key.salt));
514 0 : if (key.salt == NULL) {
515 0 : free_Key(&key);
516 0 : return ENOMEM;
517 : }
518 :
519 0 : key.salt->type = salt->salttype;
520 0 : krb5_data_zero (&key.salt->salt);
521 :
522 0 : ret = krb5_data_copy(&key.salt->salt,
523 0 : salt->saltvalue.data,
524 : salt->saltvalue.length);
525 0 : if (ret) {
526 0 : free_Key(&key);
527 0 : return ret;
528 : }
529 : } else
530 0 : key.salt = NULL;
531 :
532 0 : (*key_set)[*nkeyset] = key;
533 :
534 0 : *nkeyset += 1;
535 :
536 0 : return 0;
537 : }
538 :
539 :
540 : static
541 : krb5_error_code
542 0 : ks_tuple2str(krb5_context context, int n_ks_tuple,
543 : krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
544 : {
545 0 : size_t i;
546 0 : char **ksnames;
547 0 : krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;
548 :
549 0 : *ks_tuple_strs = NULL;
550 0 : if (n_ks_tuple < 1)
551 0 : return 0;
552 :
553 0 : if ((ksnames = calloc(n_ks_tuple + 1, sizeof (*ksnames))) == NULL)
554 0 : return (errno);
555 :
556 0 : for (i = 0; i < n_ks_tuple; i++) {
557 0 : char *ename, *sname;
558 :
559 0 : if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
560 0 : goto out;
561 0 : if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
562 0 : ks_tuple[i].ks_salttype, &sname)) {
563 0 : free(ename);
564 0 : goto out;
565 : }
566 :
567 0 : if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
568 0 : rc = errno;
569 0 : free(ename);
570 0 : free(sname);
571 0 : goto out;
572 : }
573 0 : free(ename);
574 0 : free(sname);
575 : }
576 :
577 0 : ksnames[i] = NULL;
578 0 : *ks_tuple_strs = ksnames;
579 0 : return 0;
580 :
581 0 : out:
582 0 : for (i = 0; i < n_ks_tuple; i++)
583 0 : free(ksnames[i]);
584 0 : free(ksnames);
585 0 : return (rc);
586 : }
587 :
588 : /*
589 : *
590 : */
591 :
592 : static char **
593 0 : glob_rules_keys(krb5_context context, krb5_const_principal principal)
594 : {
595 0 : const krb5_config_binding *list;
596 0 : krb5_principal pattern;
597 0 : krb5_error_code ret;
598 :
599 0 : list = krb5_config_get_list(context, NULL, "kadmin",
600 : "default_key_rules", NULL);
601 0 : if (list == NULL)
602 0 : return NULL;
603 :
604 0 : while (list) {
605 0 : if (list->type == krb5_config_string) {
606 0 : ret = krb5_parse_name(context, list->name, &pattern);
607 0 : if (ret == 0) {
608 0 : ret = krb5_principal_match(context, principal, pattern);
609 0 : krb5_free_principal(context, pattern);
610 0 : if (ret) {
611 0 : return krb5_config_get_strings(context, list,
612 0 : list->name, NULL);
613 : }
614 : }
615 : }
616 0 : list = list->next;
617 : }
618 0 : return NULL;
619 : }
620 :
621 : /*
622 : * NIST guidance in Section 5.1 of [SP800-132] requires that a portion
623 : * of the salt of at least 128 bits shall be randomly generated.
624 : */
625 : static krb5_error_code
626 0 : add_random_to_salt(krb5_context context, krb5_salt *in, krb5_salt *out)
627 : {
628 0 : krb5_error_code ret;
629 0 : char *p;
630 0 : unsigned char random[16];
631 0 : char *s;
632 0 : int slen;
633 :
634 0 : krb5_generate_random_block(random, sizeof(random));
635 :
636 0 : slen = rk_base64_encode(random, sizeof(random), &s);
637 0 : if (slen < 0)
638 0 : return ENOMEM;
639 :
640 0 : ret = krb5_data_alloc(&out->saltvalue, slen + in->saltvalue.length);
641 0 : if (ret) {
642 0 : free(s);
643 0 : return ret;
644 : }
645 :
646 0 : p = out->saltvalue.data;
647 0 : memcpy(p, s, slen);
648 0 : memcpy(&p[slen], in->saltvalue.data, in->saltvalue.length);
649 :
650 0 : out->salttype = in->salttype;
651 0 : free(s);
652 :
653 0 : return 0;
654 : }
655 :
656 : /*
657 : * Generate the `key_set' from the [kadmin]default_keys statement. If
658 : * `no_salt' is set, salt is not important (and will not be set) since
659 : * it's random keys that is going to be created.
660 : */
661 :
662 : krb5_error_code
663 0 : hdb_generate_key_set(krb5_context context, krb5_principal principal,
664 : krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
665 : Key **ret_key_set, size_t *nkeyset, int no_salt)
666 : {
667 0 : char **ktypes = NULL;
668 0 : char **kp;
669 0 : krb5_error_code ret;
670 0 : Key *k, *key_set;
671 0 : size_t i, j;
672 0 : char **ks_tuple_strs;
673 0 : char **config_ktypes = NULL;
674 0 : static const char *default_keytypes[] = {
675 : "aes256-cts-hmac-sha1-96:pw-salt",
676 : "des3-cbc-sha1:pw-salt",
677 : "arcfour-hmac-md5:pw-salt",
678 : NULL
679 : };
680 :
681 0 : if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
682 0 : return ret;
683 :
684 0 : ktypes = ks_tuple_strs;
685 0 : if (ktypes == NULL) {
686 0 : config_ktypes = glob_rules_keys(context, principal);
687 0 : ktypes = config_ktypes;
688 : }
689 0 : if (ktypes == NULL) {
690 0 : config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
691 : "default_keys", NULL);
692 0 : ktypes = config_ktypes;
693 : }
694 0 : if (ktypes == NULL)
695 0 : ktypes = (char **)(intptr_t)default_keytypes;
696 :
697 0 : *ret_key_set = key_set = NULL;
698 0 : *nkeyset = 0;
699 :
700 0 : for(kp = ktypes; kp && *kp; kp++) {
701 0 : const char *p;
702 0 : krb5_salt salt;
703 0 : krb5_enctype *enctypes;
704 0 : size_t num_enctypes;
705 :
706 0 : p = *kp;
707 : /* check alias */
708 0 : if(strcmp(p, "v5") == 0)
709 0 : p = "pw-salt";
710 0 : else if(strcmp(p, "v4") == 0)
711 0 : p = "des:pw-salt:";
712 0 : else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
713 0 : p = "des:afs3-salt";
714 0 : else if (strcmp(p, "arcfour-hmac-md5") == 0)
715 0 : p = "arcfour-hmac-md5:pw-salt";
716 :
717 0 : memset(&salt, 0, sizeof(salt));
718 :
719 0 : ret = parse_key_set(context, p,
720 : &enctypes, &num_enctypes, &salt, principal);
721 0 : if (ret) {
722 0 : krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
723 0 : ret = 0;
724 0 : krb5_free_salt(context, salt);
725 0 : continue;
726 : }
727 :
728 0 : for (i = 0; i < num_enctypes; i++) {
729 0 : krb5_salt *saltp = no_salt ? NULL : &salt;
730 0 : krb5_salt rsalt;
731 :
732 : /* find duplicates */
733 0 : for (j = 0; j < *nkeyset; j++) {
734 :
735 0 : k = &key_set[j];
736 :
737 0 : if (k->key.keytype == enctypes[i]) {
738 0 : if (no_salt)
739 0 : break;
740 0 : if (k->salt == NULL && salt.salttype == KRB5_PW_SALT)
741 0 : break;
742 0 : if (k->salt->type == salt.salttype &&
743 0 : k->salt->salt.length == salt.saltvalue.length &&
744 0 : memcmp(k->salt->salt.data, salt.saltvalue.data,
745 : salt.saltvalue.length) == 0)
746 0 : break;
747 : }
748 : }
749 : /* not a duplicate, lets add it */
750 0 : if (j < *nkeyset)
751 0 : continue;
752 :
753 0 : memset(&rsalt, 0, sizeof(rsalt));
754 :
755 : /* prepend salt with randomness if required */
756 0 : if (!no_salt &&
757 0 : _krb5_enctype_requires_random_salt(context, enctypes[i])) {
758 0 : saltp = &rsalt;
759 0 : ret = add_random_to_salt(context, &salt, &rsalt);
760 : }
761 :
762 0 : if (ret == 0)
763 0 : ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i],
764 : saltp);
765 0 : krb5_free_salt(context, rsalt);
766 :
767 0 : if (ret) {
768 0 : free(enctypes);
769 0 : krb5_free_salt(context, salt);
770 0 : goto out;
771 : }
772 : }
773 0 : free(enctypes);
774 0 : krb5_free_salt(context, salt);
775 : }
776 :
777 0 : *ret_key_set = key_set;
778 :
779 0 : out:
780 0 : if (config_ktypes != NULL)
781 0 : krb5_config_free_strings(config_ktypes);
782 :
783 0 : for(kp = ks_tuple_strs; kp && *kp; kp++)
784 0 : free(*kp);
785 0 : free(ks_tuple_strs);
786 :
787 0 : if (ret) {
788 0 : krb5_warn(context, ret,
789 : "failed to parse the [kadmin]default_keys values");
790 :
791 0 : for (i = 0; i < *nkeyset; i++)
792 0 : free_Key(&key_set[i]);
793 0 : free(key_set);
794 0 : } else if (*nkeyset == 0) {
795 0 : krb5_warnx(context,
796 : "failed to parse any of the [kadmin]default_keys values");
797 0 : ret = EINVAL; /* XXX */
798 : }
799 :
800 0 : return ret;
801 : }
802 :
803 :
804 : krb5_error_code
805 0 : hdb_generate_key_set_password_with_ks_tuple(krb5_context context,
806 : krb5_principal principal,
807 : const char *password,
808 : krb5_key_salt_tuple *ks_tuple,
809 : int n_ks_tuple,
810 : Key **keys, size_t *num_keys)
811 : {
812 0 : krb5_error_code ret;
813 0 : size_t i;
814 :
815 0 : ret = hdb_generate_key_set(context, principal, ks_tuple, n_ks_tuple,
816 : keys, num_keys, 0);
817 0 : if (ret)
818 0 : return ret;
819 :
820 0 : for (i = 0; i < (*num_keys); i++) {
821 0 : krb5_salt salt;
822 0 : Key *key = &(*keys)[i];
823 :
824 0 : salt.salttype = key->salt->type;
825 0 : salt.saltvalue.length = key->salt->salt.length;
826 0 : salt.saltvalue.data = key->salt->salt.data;
827 :
828 0 : ret = krb5_string_to_key_salt (context,
829 0 : key->key.keytype,
830 : password,
831 : salt,
832 0 : &key->key);
833 0 : if(ret)
834 0 : break;
835 : }
836 :
837 0 : if(ret) {
838 0 : hdb_free_keys (context, *num_keys, *keys);
839 0 : return ret;
840 : }
841 0 : return ret;
842 : }
843 :
844 :
845 : krb5_error_code
846 0 : hdb_generate_key_set_password(krb5_context context,
847 : krb5_principal principal,
848 : const char *password,
849 : Key **keys, size_t *num_keys)
850 : {
851 :
852 0 : return hdb_generate_key_set_password_with_ks_tuple(context, principal,
853 : password, NULL, 0,
854 : keys, num_keys);
855 : }
|
