/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- krb5_kt_register
- krb5_kt_resolve
- krb5_kt_default_name
- krb5_kt_default_modify_name
- krb5_kt_default
- krb5_kt_read_service_key
- krb5_kt_get_type
- krb5_kt_get_name
- krb5_kt_get_full_name
- krb5_kt_close
- krb5_kt_compare
- krb5_kt_get_entry
- krb5_kt_copy_entry_contents
- krb5_kt_free_entry
- krb5_kt_start_seq_get
- krb5_kt_next_entry
- krb5_kt_end_seq_get
- krb5_kt_add_entry
- krb5_kt_remove_entry
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35
36 RCSID("$Id$");
37
38 /*
39 * Register a new keytab in `ops'
40 * Return 0 or an error.
41 */
42
43 krb5_error_code KRB5_LIB_FUNCTION
44 krb5_kt_register(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
45 const krb5_kt_ops *ops)
46 {
47 struct krb5_keytab_data *tmp;
48
49 if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
50 krb5_set_error_message(context, KRB5_KT_BADNAME,
51 N_("can't register cache type, prefix too long", ""));
52 return KRB5_KT_BADNAME;
53 }
54
55 tmp = realloc(context->kt_types,
56 (context->num_kt_types + 1) * sizeof(*context->kt_types));
57 if(tmp == NULL) {
58 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
59 return ENOMEM;
60 }
61 memcpy(&tmp[context->num_kt_types], ops,
62 sizeof(tmp[context->num_kt_types]));
63 context->kt_types = tmp;
64 context->num_kt_types++;
65 return 0;
66 }
67
68 /*
69 * Resolve the keytab name (of the form `type:residual') in `name'
70 * into a keytab in `id'.
71 * Return 0 or an error
72 */
73
74 krb5_error_code KRB5_LIB_FUNCTION
75 krb5_kt_resolve(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
76 const char *name,
77 krb5_keytab *id)
78 {
79 krb5_keytab k;
80 int i;
81 const char *type, *residual;
82 size_t type_len;
83 krb5_error_code ret;
84
85 residual = strchr(name, ':');
86 if(residual == NULL) {
87 type = "FILE";
88 type_len = strlen(type);
89 residual = name;
90 } else {
91 type = name;
92 type_len = residual - name;
93 residual++;
94 }
95
96 for(i = 0; i < context->num_kt_types; i++) {
97 if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0)
98 break;
99 }
100 if(i == context->num_kt_types) {
101 krb5_set_error_message(context, KRB5_KT_UNKNOWN_TYPE,
102 N_("unknown keytab type %.*s", "type"),
103 (int)type_len, type);
104 return KRB5_KT_UNKNOWN_TYPE;
105 }
106
107 k = malloc (sizeof(*k));
108 if (k == NULL) {
109 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
110 return ENOMEM;
111 }
112 memcpy(k, &context->kt_types[i], sizeof(*k));
113 k->data = NULL;
114 ret = (*k->resolve)(context, residual, k);
115 if(ret) {
116 free(k);
117 k = NULL;
118 }
119 *id = k;
120 return ret;
121 }
122
123 /*
124 * copy the name of the default keytab into `name'.
125 * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
126 */
127
128 krb5_error_code KRB5_LIB_FUNCTION
129 krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
/* [<][>][^][v][top][bottom][index][help] */
130 {
131 if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
132 krb5_clear_error_message (context);
133 return KRB5_CONFIG_NOTENUFSPACE;
134 }
135 return 0;
136 }
137
138 /*
139 * copy the name of the default modify keytab into `name'.
140 * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
141 */
142
143 krb5_error_code KRB5_LIB_FUNCTION
144 krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
/* [<][>][^][v][top][bottom][index][help] */
145 {
146 const char *kt = NULL;
147 if(context->default_keytab_modify == NULL) {
148 if(strncasecmp(context->default_keytab, "ANY:", 4) != 0)
149 kt = context->default_keytab;
150 else {
151 size_t len = strcspn(context->default_keytab + 4, ",");
152 if(len >= namesize) {
153 krb5_clear_error_message(context);
154 return KRB5_CONFIG_NOTENUFSPACE;
155 }
156 strlcpy(name, context->default_keytab + 4, namesize);
157 name[len] = '\0';
158 return 0;
159 }
160 } else
161 kt = context->default_keytab_modify;
162 if (strlcpy (name, kt, namesize) >= namesize) {
163 krb5_clear_error_message (context);
164 return KRB5_CONFIG_NOTENUFSPACE;
165 }
166 return 0;
167 }
168
169 /*
170 * Set `id' to the default keytab.
171 * Return 0 or an error.
172 */
173
174 krb5_error_code KRB5_LIB_FUNCTION
175 krb5_kt_default(krb5_context context, krb5_keytab *id)
/* [<][>][^][v][top][bottom][index][help] */
176 {
177 return krb5_kt_resolve (context, context->default_keytab, id);
178 }
179
180 /*
181 * Read the key identified by `(principal, vno, enctype)' from the
182 * keytab in `keyprocarg' (the default if == NULL) into `*key'.
183 * Return 0 or an error.
184 */
185
186 krb5_error_code KRB5_LIB_FUNCTION
187 krb5_kt_read_service_key(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
188 krb5_pointer keyprocarg,
189 krb5_principal principal,
190 krb5_kvno vno,
191 krb5_enctype enctype,
192 krb5_keyblock **key)
193 {
194 krb5_keytab keytab;
195 krb5_keytab_entry entry;
196 krb5_error_code ret;
197
198 if (keyprocarg)
199 ret = krb5_kt_resolve (context, keyprocarg, &keytab);
200 else
201 ret = krb5_kt_default (context, &keytab);
202
203 if (ret)
204 return ret;
205
206 ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
207 krb5_kt_close (context, keytab);
208 if (ret)
209 return ret;
210 ret = krb5_copy_keyblock (context, &entry.keyblock, key);
211 krb5_kt_free_entry(context, &entry);
212 return ret;
213 }
214
215 /*
216 * Return the type of the `keytab' in the string `prefix of length
217 * `prefixsize'.
218 */
219
220 krb5_error_code KRB5_LIB_FUNCTION
221 krb5_kt_get_type(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
222 krb5_keytab keytab,
223 char *prefix,
224 size_t prefixsize)
225 {
226 strlcpy(prefix, keytab->prefix, prefixsize);
227 return 0;
228 }
229
230 /*
231 * Retrieve the name of the keytab `keytab' into `name', `namesize'
232 * Return 0 or an error.
233 */
234
235 krb5_error_code KRB5_LIB_FUNCTION
236 krb5_kt_get_name(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
237 krb5_keytab keytab,
238 char *name,
239 size_t namesize)
240 {
241 return (*keytab->get_name)(context, keytab, name, namesize);
242 }
243
244 /*
245 * Retrieve the full name of the keytab `keytab' and store the name in
246 * `str'. `str' needs to be freed by the caller using free(3).
247 * Returns 0 or an error. On error, *str is set to NULL.
248 */
249
250 krb5_error_code KRB5_LIB_FUNCTION
251 krb5_kt_get_full_name(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
252 krb5_keytab keytab,
253 char **str)
254 {
255 char type[KRB5_KT_PREFIX_MAX_LEN];
256 char name[MAXPATHLEN];
257 krb5_error_code ret;
258
259 *str = NULL;
260
261 ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
262 if (ret)
263 return ret;
264
265 ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
266 if (ret)
267 return ret;
268
269 if (asprintf(str, "%s:%s", type, name) == -1) {
270 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
271 *str = NULL;
272 return ENOMEM;
273 }
274
275 return 0;
276 }
277
278 /*
279 * Finish using the keytab in `id'. All resources will be released,
280 * even on errors. Return 0 or an error.
281 */
282
283 krb5_error_code KRB5_LIB_FUNCTION
284 krb5_kt_close(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
285 krb5_keytab id)
286 {
287 krb5_error_code ret;
288
289 ret = (*id->close)(context, id);
290 memset(id, 0, sizeof(*id));
291 free(id);
292 return ret;
293 }
294
295 /*
296 * Compare `entry' against `principal, vno, enctype'.
297 * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
298 * Return TRUE if they compare the same, FALSE otherwise.
299 */
300
301 krb5_boolean KRB5_LIB_FUNCTION
302 krb5_kt_compare(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
303 krb5_keytab_entry *entry,
304 krb5_const_principal principal,
305 krb5_kvno vno,
306 krb5_enctype enctype)
307 {
308 if(principal != NULL &&
309 !krb5_principal_compare(context, entry->principal, principal))
310 return FALSE;
311 if(vno && vno != entry->vno)
312 return FALSE;
313 if(enctype && enctype != entry->keyblock.keytype)
314 return FALSE;
315 return TRUE;
316 }
317
318 /*
319 * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
320 * from the keytab `id'.
321 * kvno == 0 is a wildcard and gives the keytab with the highest vno.
322 * Return 0 or an error.
323 */
324
325 krb5_error_code KRB5_LIB_FUNCTION
326 krb5_kt_get_entry(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
327 krb5_keytab id,
328 krb5_const_principal principal,
329 krb5_kvno kvno,
330 krb5_enctype enctype,
331 krb5_keytab_entry *entry)
332 {
333 krb5_keytab_entry tmp;
334 krb5_error_code ret;
335 krb5_kt_cursor cursor;
336
337 if(id->get)
338 return (*id->get)(context, id, principal, kvno, enctype, entry);
339
340 ret = krb5_kt_start_seq_get (context, id, &cursor);
341 if (ret) {
342 /* This is needed for krb5_verify_init_creds, but keep error
343 * string from previous error for the human. */
344 context->error_code = KRB5_KT_NOTFOUND;
345 return KRB5_KT_NOTFOUND;
346 }
347
348 entry->vno = 0;
349 while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
350 if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
351 /* the file keytab might only store the lower 8 bits of
352 the kvno, so only compare those bits */
353 if (kvno == tmp.vno
354 || (tmp.vno < 256 && kvno % 256 == tmp.vno)) {
355 krb5_kt_copy_entry_contents (context, &tmp, entry);
356 krb5_kt_free_entry (context, &tmp);
357 krb5_kt_end_seq_get(context, id, &cursor);
358 return 0;
359 } else if (kvno == 0 && tmp.vno > entry->vno) {
360 if (entry->vno)
361 krb5_kt_free_entry (context, entry);
362 krb5_kt_copy_entry_contents (context, &tmp, entry);
363 }
364 }
365 krb5_kt_free_entry(context, &tmp);
366 }
367 krb5_kt_end_seq_get (context, id, &cursor);
368 if (entry->vno) {
369 return 0;
370 } else {
371 char princ[256], kvno_str[25], *kt_name;
372 char *enctype_str = NULL;
373
374 krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
375 krb5_kt_get_full_name (context, id, &kt_name);
376 krb5_enctype_to_string(context, enctype, &enctype_str);
377
378 if (kvno)
379 snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
380 else
381 kvno_str[0] = '\0';
382
383 krb5_set_error_message (context, KRB5_KT_NOTFOUND,
384 N_("Failed to find %s%s in keytab %s (%s)",
385 "principal, kvno, keytab file, enctype"),
386 princ,
387 kvno_str,
388 kt_name ? kt_name : "unknown keytab",
389 enctype_str ? enctype_str : "unknown enctype");
390 free(kt_name);
391 free(enctype_str);
392 return KRB5_KT_NOTFOUND;
393 }
394 }
395
396 /*
397 * Copy the contents of `in' into `out'.
398 * Return 0 or an error. */
399
400 krb5_error_code KRB5_LIB_FUNCTION
401 krb5_kt_copy_entry_contents(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
402 const krb5_keytab_entry *in,
403 krb5_keytab_entry *out)
404 {
405 krb5_error_code ret;
406
407 memset(out, 0, sizeof(*out));
408 out->vno = in->vno;
409
410 ret = krb5_copy_principal (context, in->principal, &out->principal);
411 if (ret)
412 goto fail;
413 ret = krb5_copy_keyblock_contents (context,
414 &in->keyblock,
415 &out->keyblock);
416 if (ret)
417 goto fail;
418 out->timestamp = in->timestamp;
419 return 0;
420 fail:
421 krb5_kt_free_entry (context, out);
422 return ret;
423 }
424
425 /*
426 * Free the contents of `entry'.
427 */
428
429 krb5_error_code KRB5_LIB_FUNCTION
430 krb5_kt_free_entry(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
431 krb5_keytab_entry *entry)
432 {
433 krb5_free_principal (context, entry->principal);
434 krb5_free_keyblock_contents (context, &entry->keyblock);
435 memset(entry, 0, sizeof(*entry));
436 return 0;
437 }
438
439 /*
440 * Set `cursor' to point at the beginning of `id'.
441 * Return 0 or an error.
442 */
443
444 krb5_error_code KRB5_LIB_FUNCTION
445 krb5_kt_start_seq_get(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
446 krb5_keytab id,
447 krb5_kt_cursor *cursor)
448 {
449 if(id->start_seq_get == NULL) {
450 krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
451 N_("start_seq_get is not supported "
452 "in the %s keytab type", ""),
453 id->prefix);
454 return HEIM_ERR_OPNOTSUPP;
455 }
456 return (*id->start_seq_get)(context, id, cursor);
457 }
458
459 /*
460 * Get the next entry from `id' pointed to by `cursor' and advance the
461 * `cursor'.
462 * Return 0 or an error.
463 */
464
465 krb5_error_code KRB5_LIB_FUNCTION
466 krb5_kt_next_entry(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
467 krb5_keytab id,
468 krb5_keytab_entry *entry,
469 krb5_kt_cursor *cursor)
470 {
471 if(id->next_entry == NULL) {
472 krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
473 N_("next_entry is not supported in the %s "
474 " keytab", ""),
475 id->prefix);
476 return HEIM_ERR_OPNOTSUPP;
477 }
478 return (*id->next_entry)(context, id, entry, cursor);
479 }
480
481 /*
482 * Release all resources associated with `cursor'.
483 */
484
485 krb5_error_code KRB5_LIB_FUNCTION
486 krb5_kt_end_seq_get(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
487 krb5_keytab id,
488 krb5_kt_cursor *cursor)
489 {
490 if(id->end_seq_get == NULL) {
491 krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
492 "end_seq_get is not supported in the %s "
493 " keytab", id->prefix);
494 return HEIM_ERR_OPNOTSUPP;
495 }
496 return (*id->end_seq_get)(context, id, cursor);
497 }
498
499 /*
500 * Add the entry in `entry' to the keytab `id'.
501 * Return 0 or an error.
502 */
503
504 krb5_error_code KRB5_LIB_FUNCTION
505 krb5_kt_add_entry(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
506 krb5_keytab id,
507 krb5_keytab_entry *entry)
508 {
509 if(id->add == NULL) {
510 krb5_set_error_message(context, KRB5_KT_NOWRITE,
511 N_("Add is not supported in the %s keytab", ""),
512 id->prefix);
513 return KRB5_KT_NOWRITE;
514 }
515 entry->timestamp = time(NULL);
516 return (*id->add)(context, id,entry);
517 }
518
519 /*
520 * Remove the entry `entry' from the keytab `id'.
521 * Return 0 or an error.
522 */
523
524 krb5_error_code KRB5_LIB_FUNCTION
525 krb5_kt_remove_entry(krb5_context context,
/* [<][>][^][v][top][bottom][index][help] */
526 krb5_keytab id,
527 krb5_keytab_entry *entry)
528 {
529 if(id->remove == NULL) {
530 krb5_set_error_message(context, KRB5_KT_NOWRITE,
531 N_("Remove is not supported in the %s keytab", ""),
532 id->prefix);
533 return KRB5_KT_NOWRITE;
534 }
535 return (*id->remove)(context, id, entry);
536 }