root/source4/heimdal/lib/krb5/keytab.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. krb5_kt_register
  2. krb5_kt_resolve
  3. krb5_kt_default_name
  4. krb5_kt_default_modify_name
  5. krb5_kt_default
  6. krb5_kt_read_service_key
  7. krb5_kt_get_type
  8. krb5_kt_get_name
  9. krb5_kt_get_full_name
  10. krb5_kt_close
  11. krb5_kt_compare
  12. krb5_kt_get_entry
  13. krb5_kt_copy_entry_contents
  14. krb5_kt_free_entry
  15. krb5_kt_start_seq_get
  16. krb5_kt_next_entry
  17. krb5_kt_end_seq_get
  18. krb5_kt_add_entry
  19. krb5_kt_remove_entry

   1 /*
   2  * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33 
  34 #include "krb5_locl.h"
  35 
  36 RCSID("$Id$");
  37 
  38 /*
  39  * Register a new keytab in `ops'
  40  * Return 0 or an error.
  41  */
  42 
  43 krb5_error_code KRB5_LIB_FUNCTION
  44 krb5_kt_register(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  45                  const krb5_kt_ops *ops)
  46 {
  47     struct krb5_keytab_data *tmp;
  48 
  49     if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
  50         krb5_set_error_message(context, KRB5_KT_BADNAME,
  51                                N_("can't register cache type, prefix too long", ""));
  52         return KRB5_KT_BADNAME;
  53     }
  54 
  55     tmp = realloc(context->kt_types,
  56                   (context->num_kt_types + 1) * sizeof(*context->kt_types));
  57     if(tmp == NULL) {
  58         krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
  59         return ENOMEM;
  60     }
  61     memcpy(&tmp[context->num_kt_types], ops,
  62            sizeof(tmp[context->num_kt_types]));
  63     context->kt_types = tmp;
  64     context->num_kt_types++;
  65     return 0;
  66 }
  67 
  68 /*
  69  * Resolve the keytab name (of the form `type:residual') in `name'
  70  * into a keytab in `id'.
  71  * Return 0 or an error
  72  */
  73 
  74 krb5_error_code KRB5_LIB_FUNCTION
  75 krb5_kt_resolve(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  76                 const char *name,
  77                 krb5_keytab *id)
  78 {
  79     krb5_keytab k;
  80     int i;
  81     const char *type, *residual;
  82     size_t type_len;
  83     krb5_error_code ret;
  84 
  85     residual = strchr(name, ':');
  86     if(residual == NULL) {
  87         type = "FILE";
  88         type_len = strlen(type);
  89         residual = name;
  90     } else {
  91         type = name;
  92         type_len = residual - name;
  93         residual++;
  94     }
  95 
  96     for(i = 0; i < context->num_kt_types; i++) {
  97         if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0)
  98             break;
  99     }
 100     if(i == context->num_kt_types) {
 101         krb5_set_error_message(context, KRB5_KT_UNKNOWN_TYPE,
 102                                N_("unknown keytab type %.*s", "type"),
 103                                (int)type_len, type);
 104         return KRB5_KT_UNKNOWN_TYPE;
 105     }
 106 
 107     k = malloc (sizeof(*k));
 108     if (k == NULL) {
 109         krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
 110         return ENOMEM;
 111     }
 112     memcpy(k, &context->kt_types[i], sizeof(*k));
 113     k->data = NULL;
 114     ret = (*k->resolve)(context, residual, k);
 115     if(ret) {
 116         free(k);
 117         k = NULL;
 118     }
 119     *id = k;
 120     return ret;
 121 }
 122 
 123 /*
 124  * copy the name of the default keytab into `name'.
 125  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
 126  */
 127 
 128 krb5_error_code KRB5_LIB_FUNCTION
 129 krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
     /* [<][>][^][v][top][bottom][index][help] */
 130 {
 131     if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
 132         krb5_clear_error_message (context);
 133         return KRB5_CONFIG_NOTENUFSPACE;
 134     }
 135     return 0;
 136 }
 137 
 138 /*
 139  * copy the name of the default modify keytab into `name'.
 140  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
 141  */
 142 
 143 krb5_error_code KRB5_LIB_FUNCTION
 144 krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
     /* [<][>][^][v][top][bottom][index][help] */
 145 {
 146     const char *kt = NULL;
 147     if(context->default_keytab_modify == NULL) {
 148         if(strncasecmp(context->default_keytab, "ANY:", 4) != 0)
 149             kt = context->default_keytab;
 150         else {
 151             size_t len = strcspn(context->default_keytab + 4, ",");
 152             if(len >= namesize) {
 153                 krb5_clear_error_message(context);
 154                 return KRB5_CONFIG_NOTENUFSPACE;
 155             }
 156             strlcpy(name, context->default_keytab + 4, namesize);
 157             name[len] = '\0';
 158             return 0;
 159         }
 160     } else
 161         kt = context->default_keytab_modify;
 162     if (strlcpy (name, kt, namesize) >= namesize) {
 163         krb5_clear_error_message (context);
 164         return KRB5_CONFIG_NOTENUFSPACE;
 165     }
 166     return 0;
 167 }
 168 
 169 /*
 170  * Set `id' to the default keytab.
 171  * Return 0 or an error.
 172  */
 173 
 174 krb5_error_code KRB5_LIB_FUNCTION
 175 krb5_kt_default(krb5_context context, krb5_keytab *id)
     /* [<][>][^][v][top][bottom][index][help] */
 176 {
 177     return krb5_kt_resolve (context, context->default_keytab, id);
 178 }
 179 
 180 /*
 181  * Read the key identified by `(principal, vno, enctype)' from the
 182  * keytab in `keyprocarg' (the default if == NULL) into `*key'.
 183  * Return 0 or an error.
 184  */
 185 
 186 krb5_error_code KRB5_LIB_FUNCTION
 187 krb5_kt_read_service_key(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 188                          krb5_pointer keyprocarg,
 189                          krb5_principal principal,
 190                          krb5_kvno vno,
 191                          krb5_enctype enctype,
 192                          krb5_keyblock **key)
 193 {
 194     krb5_keytab keytab;
 195     krb5_keytab_entry entry;
 196     krb5_error_code ret;
 197 
 198     if (keyprocarg)
 199         ret = krb5_kt_resolve (context, keyprocarg, &keytab);
 200     else
 201         ret = krb5_kt_default (context, &keytab);
 202 
 203     if (ret)
 204         return ret;
 205 
 206     ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
 207     krb5_kt_close (context, keytab);
 208     if (ret)
 209         return ret;
 210     ret = krb5_copy_keyblock (context, &entry.keyblock, key);
 211     krb5_kt_free_entry(context, &entry);
 212     return ret;
 213 }
 214 
 215 /*
 216  * Return the type of the `keytab' in the string `prefix of length
 217  * `prefixsize'.
 218  */
 219 
 220 krb5_error_code KRB5_LIB_FUNCTION
 221 krb5_kt_get_type(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 222                  krb5_keytab keytab,
 223                  char *prefix,
 224                  size_t prefixsize)
 225 {
 226     strlcpy(prefix, keytab->prefix, prefixsize);
 227     return 0;
 228 }
 229 
 230 /*
 231  * Retrieve the name of the keytab `keytab' into `name', `namesize'
 232  * Return 0 or an error.
 233  */
 234 
 235 krb5_error_code KRB5_LIB_FUNCTION
 236 krb5_kt_get_name(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 237                  krb5_keytab keytab,
 238                  char *name,
 239                  size_t namesize)
 240 {
 241     return (*keytab->get_name)(context, keytab, name, namesize);
 242 }
 243 
 244 /*
 245  * Retrieve the full name of the keytab `keytab' and store the name in
 246  * `str'. `str' needs to be freed by the caller using free(3).
 247  * Returns 0 or an error. On error, *str is set to NULL.
 248  */
 249 
 250 krb5_error_code KRB5_LIB_FUNCTION
 251 krb5_kt_get_full_name(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 252                       krb5_keytab keytab,
 253                       char **str)
 254 {
 255     char type[KRB5_KT_PREFIX_MAX_LEN];
 256     char name[MAXPATHLEN];
 257     krb5_error_code ret;
 258         
 259     *str = NULL;
 260 
 261     ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
 262     if (ret)
 263         return ret;
 264 
 265     ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
 266     if (ret)
 267         return ret;
 268 
 269     if (asprintf(str, "%s:%s", type, name) == -1) {
 270         krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
 271         *str = NULL;
 272         return ENOMEM;
 273     }
 274 
 275     return 0;
 276 }
 277 
 278 /*
 279  * Finish using the keytab in `id'.  All resources will be released,
 280  * even on errors.  Return 0 or an error.
 281  */
 282 
 283 krb5_error_code KRB5_LIB_FUNCTION
 284 krb5_kt_close(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 285               krb5_keytab id)
 286 {
 287     krb5_error_code ret;
 288 
 289     ret = (*id->close)(context, id);
 290     memset(id, 0, sizeof(*id));
 291     free(id);
 292     return ret;
 293 }
 294 
 295 /*
 296  * Compare `entry' against `principal, vno, enctype'.
 297  * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
 298  * Return TRUE if they compare the same, FALSE otherwise.
 299  */
 300 
 301 krb5_boolean KRB5_LIB_FUNCTION
 302 krb5_kt_compare(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 303                 krb5_keytab_entry *entry,
 304                 krb5_const_principal principal,
 305                 krb5_kvno vno,
 306                 krb5_enctype enctype)
 307 {
 308     if(principal != NULL &&
 309        !krb5_principal_compare(context, entry->principal, principal))
 310         return FALSE;
 311     if(vno && vno != entry->vno)
 312         return FALSE;
 313     if(enctype && enctype != entry->keyblock.keytype)
 314         return FALSE;
 315     return TRUE;
 316 }
 317 
 318 /*
 319  * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
 320  * from the keytab `id'.
 321  * kvno == 0 is a wildcard and gives the keytab with the highest vno.
 322  * Return 0 or an error.
 323  */
 324 
 325 krb5_error_code KRB5_LIB_FUNCTION
 326 krb5_kt_get_entry(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 327                   krb5_keytab id,
 328                   krb5_const_principal principal,
 329                   krb5_kvno kvno,
 330                   krb5_enctype enctype,
 331                   krb5_keytab_entry *entry)
 332 {
 333     krb5_keytab_entry tmp;
 334     krb5_error_code ret;
 335     krb5_kt_cursor cursor;
 336 
 337     if(id->get)
 338         return (*id->get)(context, id, principal, kvno, enctype, entry);
 339 
 340     ret = krb5_kt_start_seq_get (context, id, &cursor);
 341     if (ret) {
 342         /* This is needed for krb5_verify_init_creds, but keep error
 343          * string from previous error for the human. */
 344         context->error_code = KRB5_KT_NOTFOUND;
 345         return KRB5_KT_NOTFOUND;
 346     }
 347 
 348     entry->vno = 0;
 349     while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
 350         if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
 351             /* the file keytab might only store the lower 8 bits of
 352                the kvno, so only compare those bits */
 353             if (kvno == tmp.vno
 354                 || (tmp.vno < 256 && kvno % 256 == tmp.vno)) {
 355                 krb5_kt_copy_entry_contents (context, &tmp, entry);
 356                 krb5_kt_free_entry (context, &tmp);
 357                 krb5_kt_end_seq_get(context, id, &cursor);
 358                 return 0;
 359             } else if (kvno == 0 && tmp.vno > entry->vno) {
 360                 if (entry->vno)
 361                     krb5_kt_free_entry (context, entry);
 362                 krb5_kt_copy_entry_contents (context, &tmp, entry);
 363             }
 364         }
 365         krb5_kt_free_entry(context, &tmp);
 366     }
 367     krb5_kt_end_seq_get (context, id, &cursor);
 368     if (entry->vno) {
 369         return 0;
 370     } else {
 371         char princ[256], kvno_str[25], *kt_name;
 372         char *enctype_str = NULL;
 373 
 374         krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
 375         krb5_kt_get_full_name (context, id, &kt_name);
 376         krb5_enctype_to_string(context, enctype, &enctype_str);
 377 
 378         if (kvno)
 379             snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
 380         else
 381             kvno_str[0] = '\0';
 382 
 383         krb5_set_error_message (context, KRB5_KT_NOTFOUND,
 384                                 N_("Failed to find %s%s in keytab %s (%s)",
 385                                    "principal, kvno, keytab file, enctype"),
 386                                 princ,
 387                                 kvno_str,
 388                                 kt_name ? kt_name : "unknown keytab",
 389                                 enctype_str ? enctype_str : "unknown enctype");
 390         free(kt_name);
 391         free(enctype_str);
 392         return KRB5_KT_NOTFOUND;
 393     }
 394 }
 395 
 396 /*
 397  * Copy the contents of `in' into `out'.
 398  * Return 0 or an error.  */
 399 
 400 krb5_error_code KRB5_LIB_FUNCTION
 401 krb5_kt_copy_entry_contents(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 402                             const krb5_keytab_entry *in,
 403                             krb5_keytab_entry *out)
 404 {
 405     krb5_error_code ret;
 406 
 407     memset(out, 0, sizeof(*out));
 408     out->vno = in->vno;
 409 
 410     ret = krb5_copy_principal (context, in->principal, &out->principal);
 411     if (ret)
 412         goto fail;
 413     ret = krb5_copy_keyblock_contents (context,
 414                                        &in->keyblock,
 415                                        &out->keyblock);
 416     if (ret)
 417         goto fail;
 418     out->timestamp = in->timestamp;
 419     return 0;
 420 fail:
 421     krb5_kt_free_entry (context, out);
 422     return ret;
 423 }
 424 
 425 /*
 426  * Free the contents of `entry'.
 427  */
 428 
 429 krb5_error_code KRB5_LIB_FUNCTION
 430 krb5_kt_free_entry(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 431                    krb5_keytab_entry *entry)
 432 {
 433     krb5_free_principal (context, entry->principal);
 434     krb5_free_keyblock_contents (context, &entry->keyblock);
 435     memset(entry, 0, sizeof(*entry));
 436     return 0;
 437 }
 438 
 439 /*
 440  * Set `cursor' to point at the beginning of `id'.
 441  * Return 0 or an error.
 442  */
 443 
 444 krb5_error_code KRB5_LIB_FUNCTION
 445 krb5_kt_start_seq_get(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 446                       krb5_keytab id,
 447                       krb5_kt_cursor *cursor)
 448 {
 449     if(id->start_seq_get == NULL) {
 450         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
 451                                N_("start_seq_get is not supported "
 452                                   "in the %s keytab type", ""),
 453                                id->prefix);
 454         return HEIM_ERR_OPNOTSUPP;
 455     }
 456     return (*id->start_seq_get)(context, id, cursor);
 457 }
 458 
 459 /*
 460  * Get the next entry from `id' pointed to by `cursor' and advance the
 461  * `cursor'.
 462  * Return 0 or an error.
 463  */
 464 
 465 krb5_error_code KRB5_LIB_FUNCTION
 466 krb5_kt_next_entry(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 467                    krb5_keytab id,
 468                    krb5_keytab_entry *entry,
 469                    krb5_kt_cursor *cursor)
 470 {
 471     if(id->next_entry == NULL) {
 472         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
 473                                N_("next_entry is not supported in the %s "
 474                                   " keytab", ""),
 475                                id->prefix);
 476         return HEIM_ERR_OPNOTSUPP;
 477     }
 478     return (*id->next_entry)(context, id, entry, cursor);
 479 }
 480 
 481 /*
 482  * Release all resources associated with `cursor'.
 483  */
 484 
 485 krb5_error_code KRB5_LIB_FUNCTION
 486 krb5_kt_end_seq_get(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 487                     krb5_keytab id,
 488                     krb5_kt_cursor *cursor)
 489 {
 490     if(id->end_seq_get == NULL) {
 491         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
 492                                "end_seq_get is not supported in the %s "
 493                                " keytab", id->prefix);
 494         return HEIM_ERR_OPNOTSUPP;
 495     }
 496     return (*id->end_seq_get)(context, id, cursor);
 497 }
 498 
 499 /*
 500  * Add the entry in `entry' to the keytab `id'.
 501  * Return 0 or an error.
 502  */
 503 
 504 krb5_error_code KRB5_LIB_FUNCTION
 505 krb5_kt_add_entry(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 506                   krb5_keytab id,
 507                   krb5_keytab_entry *entry)
 508 {
 509     if(id->add == NULL) {
 510         krb5_set_error_message(context, KRB5_KT_NOWRITE,
 511                                N_("Add is not supported in the %s keytab", ""),
 512                                id->prefix);
 513         return KRB5_KT_NOWRITE;
 514     }
 515     entry->timestamp = time(NULL);
 516     return (*id->add)(context, id,entry);
 517 }
 518 
 519 /*
 520  * Remove the entry `entry' from the keytab `id'.
 521  * Return 0 or an error.
 522  */
 523 
 524 krb5_error_code KRB5_LIB_FUNCTION
 525 krb5_kt_remove_entry(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 526                      krb5_keytab id,
 527                      krb5_keytab_entry *entry)
 528 {
 529     if(id->remove == NULL) {
 530         krb5_set_error_message(context, KRB5_KT_NOWRITE,
 531                                N_("Remove is not supported in the %s keytab", ""),
 532                                id->prefix);
 533         return KRB5_KT_NOWRITE;
 534     }
 535     return (*id->remove)(context, id, entry);
 536 }

/* [<][>][^][v][top][bottom][index][help] */