       1             : /*
       2             :  * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #include "krb5_locl.h"
      35             : #include "hdb_locl.h"
      36             : 
      37             : #include <pkinit_asn1.h>
      38             : #include <base64.h>
      39             : 
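/*
 * Free all the memory used by (len, keys): every Key's mkvno, Salt and
 * keyblock contents, then the array itself.
 *
 * @param context  krb5 context, passed on to krb5_free_keyblock_contents()
 * @param len      Number of elements in `keys'; a negative count is treated
 *                 as zero so it can never drive the loop past the array
 * @param keys     Array to release; may be NULL when len is zero
 */
void
hdb_free_keys(krb5_context context, int len, Key *keys)
{
    size_t i;
    /*
     * `len' is signed while the index is size_t: clamp before comparing,
     * otherwise a negative count would convert to a huge unsigned bound.
     */
    size_t n = len > 0 ? (size_t)len : 0;

    for (i = 0; i < n; i++) {
        free(keys[i].mkvno);
        keys[i].mkvno = NULL;
        if (keys[i].salt != NULL) {
            /* free_Salt() takes care of the Salt's members; the Salt struct
             * itself is a separate heap object and is freed here. */
            free_Salt(keys[i].salt);
            free(keys[i].salt);
            keys[i].salt = NULL;
        }
        krb5_free_keyblock_contents(context, &keys[i].key);
    }
    free(keys);
}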
      61             : 
/*
 * Syntax accepted by parse_key_set() below.
 *
 * For each entry in `default_keys' try to parse it as a sequence
 * of etype:salttype:salt; the syntax is something like:
 * [(des|des3|etype):](pw-salt|afs3)[:string]. If etype is omitted it
 *      means all etypes, and if string is omitted it means the default
 * string (for that principal). Additional special values:
 *      v5 == pw-salt, and
 *      v4 == des:pw-salt:
 *      afs or afs3 == des:afs3-salt
 *
 * NOTE(review): parse_key_set() itself only recognises the literal tokens
 * "des", "des3", "pw-salt" and "afs3-salt"; the v5/v4/afs aliases are
 * presumably rewritten by a caller -- verify against the callers.
 */

/* Enctypes selected by the `des' keyword and, by default, by afs3-salt. */
static const krb5_enctype des_etypes[] = {
    KRB5_ENCTYPE_DES_CBC_MD5,
    KRB5_ENCTYPE_DES_CBC_MD4,
    KRB5_ENCTYPE_DES_CBC_CRC
};

/* Enctypes selected by default when pw-salt is given without an etype. */
static const krb5_enctype all_etypes[] = {
    KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
    KRB5_ENCTYPE_DES3_CBC_SHA1,
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
};
      84             : 
/*
 * Parse one default_keys specifier (syntax described above) into the set of
 * enctypes it selects and the salt to use for them.
 *
 * @param context          krb5 context
 * @param key              Specifier string; at most three ':'-separated
 *                         tokens are looked at, each truncated to its
 *                         256-byte buffer
 * @param ret_enctypes     Out: malloc'ed array of enctypes owned by the
 *                         caller; set to NULL on entry and left NULL on
 *                         every error return
 * @param ret_num_enctypes Out: number of entries in *ret_enctypes
 * @param salt             In/out: saltvalue is reset here, but salttype is
 *                         read with "0 == not set yet", so the caller is
 *                         expected to have zeroed it -- verify against callers
 * @param principal        Principal the default salt is derived from
 *
 * @return 0, EINVAL for an unusable specifier, ENOMEM, or the error from
 *         krb5_string_to_enctype()/krb5_get_pw_salt()
 */
static krb5_error_code
parse_key_set(krb5_context context, const char *key,
              krb5_enctype **ret_enctypes, size_t *ret_num_enctypes,
              krb5_salt *salt, krb5_principal principal)
{
    const char *p;
    char buf[3][256];
    int num_buf = 0;
    int i, num_enctypes = 0;
    krb5_enctype e;
    const krb5_enctype *enctypes = NULL;
    krb5_error_code ret;

    p = key;

    *ret_enctypes = NULL;
    *ret_num_enctypes = 0;

    /* split p in a list of :-separated strings (at most three) */
    for(num_buf = 0; num_buf < 3; num_buf++)
        if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
            break;

    salt->saltvalue.data = NULL;
    salt->saltvalue.length = 0;

    for(i = 0; i < num_buf; i++) {
        if(enctypes == NULL && num_buf > 1) {
            /* this might be a etype specifier */
            /* XXX there should be a string_to_etypes handling
               special cases like `des' and `all' */
            /* NOTE(review): with two or more tokens the first one is always
               tried as an etype, so a salt-first form like "pw-salt:string"
               only succeeds if krb5_string_to_enctype() accepts "pw-salt";
               presumably it does not -- confirm against the documented
               syntax above. */
            if(strcmp(buf[i], "des") == 0) {
                enctypes = des_etypes;
                num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
            } else if(strcmp(buf[i], "des3") == 0) {
                e = KRB5_ENCTYPE_DES3_CBC_SHA1;
                /* points at the local `e'; copied out by memcpy() below
                   before the function returns */
                enctypes = &e;
                num_enctypes = 1;
            } else {
                ret = krb5_string_to_enctype(context, buf[i], &e);
                if (ret == 0) {
                    enctypes = &e;
                    num_enctypes = 1;
                } else
                    return ret;
            }
            continue;
        }
        if(salt->salttype == 0) {
            /* interpret string as a salt specifier, if no etype
               is set, this sets default values */
            /* XXX should perhaps use string_to_salttype, but that
               interface sucks */
            /* An unrecognised token is silently skipped here; salttype then
               stays 0 and the check after the loop rejects the specifier. */
            if(strcmp(buf[i], "pw-salt") == 0) {
                if(enctypes == NULL) {
                    enctypes = all_etypes;
                    num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
                }
                salt->salttype = KRB5_PW_SALT;
            } else if(strcmp(buf[i], "afs3-salt") == 0) {
                if(enctypes == NULL) {
                    enctypes = des_etypes;
                    num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
                }
                salt->salttype = KRB5_AFS3_SALT;
            }
            continue;
        }

        /* a later token replaces an earlier explicit salt string */
        if (salt->saltvalue.data != NULL)
            free(salt->saltvalue.data);
        /* if there is a final string, use it as the string to
           salt with, this is mostly useful with null salt for
           v4 compat, and a cell name for afs compat */
        salt->saltvalue.data = strdup(buf[i]);
        if (salt->saltvalue.data == NULL)
            return krb5_enomem(context);
        salt->saltvalue.length = strlen(buf[i]);
    }

    /* Both an enctype set and a salt type are mandatory by now. */
    if(enctypes == NULL || salt->salttype == 0) {
        krb5_free_salt(context, *salt);
        krb5_set_error_message(context, EINVAL, "bad value for default_keys `%s'", key);
        return EINVAL;
    }

    /* if no salt was specified make up default salt */
    if(salt->saltvalue.data == NULL) {
        if(salt->salttype == KRB5_PW_SALT) {
            /* the conventional realm+name salt for this principal */
            ret = krb5_get_pw_salt(context, principal, salt);
            if (ret)
                return ret;
        } else if(salt->salttype == KRB5_AFS3_SALT) {
            /* AFS cell names are lower-case, so lower-case the realm */
            krb5_const_realm realm = krb5_principal_get_realm(context, principal);
            salt->saltvalue.data = strdup(realm);
            if(salt->saltvalue.data == NULL) {
                krb5_set_error_message(context, ENOMEM,
                                       "out of memory while "
                                       "parsing salt specifiers");
                return ENOMEM;
            }
            strlwr(salt->saltvalue.data);
            salt->saltvalue.length = strlen(realm);
        }
    }

    /* Hand back a heap copy; `enctypes' may point at the local `e' or at a
       static table, neither of which the caller can own. */
    *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
    if (*ret_enctypes == NULL) {
        krb5_free_salt(context, *salt);
        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
    }
    memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
    *ret_num_enctypes = num_enctypes;

    return 0;
}
     202             : 
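/**
 * This function prunes an HDB entry's historic keys by kvno.
 *
 * With a non-zero `kvno' only the history keyset carrying that kvno is
 * removed.  With `kvno' zero, and only when the entry has a maximum ticket
 * lifetime, the newest keyset whose set_time already predates
 * (now - max_life) is located; every keyset older than that one is removed,
 * since no still-valid ticket can have been minted with it, while that
 * newest "old" keyset is kept.  Entries without a hist_keys extension are
 * left untouched.
 *
 * @param context   Context
 * @param entry     HDB entry
 * @param kvno      Keyset kvno to prune, or zero to prune all too-old keys
 *
 * @return Zero on success, or the error from remove_HDB_Ext_KeySet().
 */
krb5_error_code
hdb_prune_keys_kvno(krb5_context context, hdb_entry *entry, int kvno)
{
    HDB_extension *ext;
    HDB_Ext_KeySet *keys;
    hdb_keyset *elem;
    time_t keep_time = 0;
    size_t nelem;
    size_t i;
    krb5_error_code ret;

    /*
     * XXX Pruning old keys for namespace principals may not be desirable, but!
     * as long as the `set_time's of the base keys for a namespace principal
     * match the `epoch's of the corresponding KeyRotation periods, it will be
     * perfectly acceptable to prune old [base] keys for namespace principals
     * just as for any other principal.  Therefore, we may not need to make any
     * changes here w.r.t. namespace principals.
     */

    ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
    if (ext == NULL)
        return 0;
    keys = &ext->data.u.hist_keys;
    nelem = keys->len;

    /*
     * Optionally drop key history for keys older than now - max_life, which is
     * all the keys no longer needed to decrypt extant tickets.
     */
    if (kvno == 0 && entry->max_life != NULL && nelem > 0) {
        time_t ceiling = time(NULL) - *entry->max_life;

        /*
         * Compute most recent key timestamp that predates the current time
         * by at least the entry's maximum ticket lifetime.
         */
        for (i = 0; i < nelem; ++i) {
            elem = &keys->val[i];
            if (elem->set_time && *elem->set_time < ceiling
                && (keep_time == 0 || *elem->set_time > keep_time))
                keep_time = *elem->set_time;
        }
    }

    /* Nothing selected for removal. */
    if (kvno == 0 && keep_time == 0)
        return 0;

    for (i = 0; i < nelem; /* advanced in the body */) {
        elem = &keys->val[i];
        if ((kvno && kvno == elem->kvno) ||
            (keep_time && elem->set_time && *elem->set_time < keep_time)) {
            /*
             * Removing the i'th element shifts the tail down, continue
             * at same index with reduced upper bound.  A failed removal
             * is reported rather than ignored, as hdb_change_kvno() does.
             */
            ret = remove_HDB_Ext_KeySet(keys, i);
            if (ret)
                return ret;
            --nelem;
            continue;
        }
        ++i;
    }

    return 0;
}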
     274             : 
/**
 * This function prunes an HDB entry's keys that are too old to have been used
 * to mint still valid tickets (based on the entry's maximum ticket lifetime).
 * Pruning is opt-in: it only happens when [kadmin] prune-key-history is set.
 *
 * @param context   Context
 * @param entry     HDB entry
 *
 * @return Zero when pruning is disabled, otherwise the result of
 *         hdb_prune_keys_kvno().
 */
krb5_error_code
hdb_prune_keys(krb5_context context, hdb_entry *entry)
{
    int enabled;

    enabled = krb5_config_get_bool_default(context, NULL, FALSE,
                                           "kadmin", "prune-key-history", NULL);
    if (enabled)
        return hdb_prune_keys_kvno(context, entry, 0);
    return 0;
}
     290             : 
/**
 * This function adds a keyset to an HDB entry's key history.  A history
 * keyset with the same kvno is replaced, otherwise the keyset is appended;
 * when the entry has no hist_keys extension yet one is created for it.
 *
 * @param context   Context
 * @param entry     HDB entry
 * @param ks        The keyset to add; it is copied, the caller keeps
 *                  ownership of its own copy
 *
 * @return Zero on success, or an error code otherwise.
 */
krb5_error_code
hdb_add_history_keyset(krb5_context context,
                       hdb_entry *entry,
                       const hdb_keyset *ks)
{
    HDB_extension scratch;
    HDB_extension *extp;
    HDB_Ext_KeySet *hist_keys;
    krb5_error_code ret = 0;
    size_t idx;
    int replaced = 0;

    memset(&scratch, 0, sizeof(scratch));

    extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
    if (extp == NULL) {
        /* No history yet: build an empty extension on the stack and attach
         * it to the entry once the keyset has been stored in it. */
        scratch.mandatory = FALSE;
        scratch.data.element = choice_HDB_extension_data_hist_keys;
        scratch.data.u.hist_keys.len = 0;
        scratch.data.u.hist_keys.val = NULL;
        extp = &scratch;
    }
    hist_keys = &extp->data.u.hist_keys;

    /* Replace an existing keyset with the same kvno ... */
    for (idx = 0; idx < hist_keys->len; idx++) {
        if (hist_keys->val[idx].kvno != ks->kvno)
            continue;
        free_HDB_keyset(&hist_keys->val[idx]);
        ret = copy_HDB_keyset(ks, &hist_keys->val[idx]);
        replaced = 1;
        break;
    }
    /* ... or append a new one. */
    if (!replaced)
        ret = add_HDB_Ext_KeySet(hist_keys, ks);

    if (ret == 0 && extp == &scratch)
        ret = hdb_replace_extension(context, entry, &scratch);
    /* A no-op when the entry already had its own extension (scratch is
     * still all zeroes then). */
    free_HDB_extension(&scratch);
    return ret;
}
     337             : 
/**
 * This function adds an HDB entry's current keyset to the entry's key
 * history.  The current keyset is left alone; the caller is responsible
 * for freeing it.  When history pruning is enabled the history is pruned
 * afterwards.
 *
 * @param context   Context
 * @param entry     HDB entry
 *
 * @return Zero on success, or an error code otherwise.
 */
krb5_error_code
hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
{
    hdb_keyset snapshot;
    time_t pw_change;
    krb5_error_code ret;

    /* An entry without keys has nothing worth recording. */
    if (entry->keys.len == 0)
        return 0;

    ret = hdb_entry_get_pw_change_time(entry, &pw_change);
    if (ret != 0)
        return ret;

    /* The snapshot merely borrows the entry's keys and the stack timestamp;
     * hdb_add_history_keyset() copies whatever it stores. */
    snapshot.keys = entry->keys;
    snapshot.kvno = entry->kvno;
    snapshot.set_time = &pw_change;

    ret = hdb_add_history_keyset(context, entry, &snapshot);
    if (ret != 0)
        return ret;
    return hdb_prune_keys(context, entry);
}
     371             : 
/**
 * This function adds a key to an HDB entry's key history.  The key joins
 * the history keyset with the given kvno if one exists, otherwise a new
 * one-key keyset is appended (creating the hist_keys extension if needed).
 *
 * @param context   Context
 * @param entry     HDB entry
 * @param kvno      Key version number of the key to add to the history
 * @param key       The Key to add (copied; the caller keeps ownership)
 *
 * @return Zero on success, or an error code otherwise.
 */
krb5_error_code
hdb_add_history_key(krb5_context context, hdb_entry *entry, krb5_kvno kvno, Key *key)
{
    hdb_keyset fresh;
    HDB_extension scratch;
    HDB_extension *extp;
    HDB_Ext_KeySet *hist_keys;
    krb5_error_code ret;
    size_t idx;

    memset(&fresh, 0, sizeof(fresh));
    memset(&scratch, 0, sizeof(scratch));

    extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
    if (extp == NULL) {
        scratch.data.element = choice_HDB_extension_data_hist_keys;
        extp = &scratch;
    }

    /* Key history is never a mandatory extension, whether old or new. */
    extp->mandatory = FALSE;
    hist_keys = &extp->data.u.hist_keys;

    /* A keyset with this kvno already exists: add the key to it and stop. */
    for (idx = 0; idx < hist_keys->len; idx++) {
        if (hist_keys->val[idx].kvno == kvno) {
            ret = add_Keys(&hist_keys->val[idx].keys, key);
            goto out;
        }
    }

    /* Otherwise build a one-key keyset and append it to the history. */
    fresh.kvno = kvno;
    ret = add_Keys(&fresh.keys, key);
    if (ret == 0)
        ret = add_HDB_Ext_KeySet(hist_keys, &fresh);
    if (ret == 0 && extp == &scratch)
        ret = hdb_replace_extension(context, entry, &scratch);

out:
    /* Both are copied into the entry by the calls above (or are still empty). */
    free_HDB_keyset(&fresh);
    free_HDB_extension(&scratch);
    return ret;
}
     429             : 
/**
 * This function changes an hdb_entry's kvno, swapping the current key
 * set with a historical keyset.  If no historical keys are found then
 * an error is returned (the caller can still set entry->kvno directly).
 *
 * @param context       krb5_context
 * @param new_kvno      New kvno for the entry
 * @param entry         hdb_entry to modify
 *
 * @return Zero on success, HDB_ERR_KVNO_NOT_FOUND when the history holds
 *         no keyset with `new_kvno', or another error code.
 */
krb5_error_code
hdb_change_kvno(krb5_context context, krb5_kvno new_kvno, hdb_entry *entry)
{
    HDB_extension scratch;
    HDB_extension *extp;
    hdb_keyset replacement;
    HDB_Ext_KeySet *hist_keys;
    krb5_error_code ret;
    size_t idx;
    int matched = 0;

    if (entry->kvno == new_kvno)
        return 0;

    extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
    if (extp == NULL) {
        /* No history at all: the search below then trivially fails. */
        memset(&scratch, 0, sizeof(scratch));
        scratch.data.element = choice_HDB_extension_data_hist_keys;
        extp = &scratch;
    }

    memset(&replacement, 0, sizeof(replacement));
    hist_keys = &extp->data.u.hist_keys;
    /* Pull the requested keyset out of the history into `replacement'. */
    for (idx = 0; idx < hist_keys->len; idx++) {
        if (hist_keys->val[idx].kvno != new_kvno)
            continue;
        matched = 1;
        ret = copy_HDB_keyset(&hist_keys->val[idx], &replacement);
        if (ret)
            goto out;
        ret = remove_HDB_Ext_KeySet(hist_keys, idx);
        if (ret)
            goto out;
        break;
    }

    if (!matched)
        return HDB_ERR_KVNO_NOT_FOUND;

    /*
     * Record the current keys before installing the new ones.  NOTE(review):
     * if this fails, the keyset already removed from the history above is
     * freed at `out' and is no longer present anywhere in the entry.
     */
    ret = hdb_add_current_keys_to_history(context, entry);
    if (ret)
        goto out;

    /* Steal the keys out of the copy; its set_time is deliberately unused. */
    entry->kvno = new_kvno;
    entry->keys = replacement.keys;
    memset(&replacement.keys, 0, sizeof(replacement.keys));

out:
    free_HDB_keyset(&replacement);
    return ret;
}
     491             : 
     492             : 
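/*
 * Append one Key of type `enctype' (with no key material yet) to the
 * growable array (*key_set, *nkeyset), attaching a copy of `salt' when
 * one is given.
 *
 * The Key is fully built before the array is grown, so on any failure
 * *key_set and *nkeyset are left exactly as they were.
 *
 * @param key_set   In/out: heap array of Keys, realloc'ed on success
 * @param nkeyset   In/out: element count, incremented on success
 * @param enctype   Enctype recorded in the new key
 * @param salt      Salt to copy into the new key, or NULL for no salt
 *
 * @return 0, ENOMEM, or the error from krb5_data_copy()
 */
static krb5_error_code
add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
                       krb5_enctype enctype, krb5_salt *salt)
{
    krb5_error_code ret;
    Key key;
    Key *tmp;

    memset(&key, 0, sizeof(key));
    key.key.keytype = enctype;
    key.key.keyvalue.length = 0;
    key.key.keyvalue.data = NULL;
    key.salt = NULL;

    if (salt) {
        key.salt = calloc(1, sizeof(*key.salt));
        if (key.salt == NULL) {
            free_Key(&key);
            return ENOMEM;
        }

        key.salt->type = salt->salttype;
        krb5_data_zero(&key.salt->salt);

        ret = krb5_data_copy(&key.salt->salt,
                             salt->saltvalue.data,
                             salt->saltvalue.length);
        if (ret) {
            free_Key(&key);
            return ret;
        }
    }

    /* Grow by one; on failure the old array is still valid and the key
     * built above is released. */
    tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0]));
    if (tmp == NULL) {
        free_Key(&key);
        return ENOMEM;
    }
    *key_set = tmp;

    (*key_set)[*nkeyset] = key;
    *nkeyset += 1;

    return 0;
}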
     538             : 
     539             : 
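/*
 * Render an array of key/salt tuples as a NULL-terminated array of
 * "enctype:salttype" strings.
 *
 * @param context        krb5 context
 * @param n_ks_tuple     Number of tuples; a count below 1 yields
 *                       *ks_tuple_strs == NULL and success
 * @param ks_tuple       Tuples to render
 * @param ks_tuple_strs  Out: n_ks_tuple strings followed by a NULL
 *                       terminator; the caller frees each string and then
 *                       the array
 *
 * @return 0 on success, KRB5_PROG_ETYPE_NOSUPP when an enctype or salttype
 *         cannot be named, or errno on allocation failure
 */
static krb5_error_code
ks_tuple2str(krb5_context context, int n_ks_tuple,
             krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
{
    size_t i, n;
    char **ksnames;
    krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;

    *ks_tuple_strs = NULL;
    if (n_ks_tuple < 1)
        return 0;
    /* Only compare the signed count with size_t indices after the guard. */
    n = (size_t)n_ks_tuple;

    /* calloc() so every slot is NULL until filled; the cleanup loop relies
     * on that to free(NULL) the unfilled entries. */
    if ((ksnames = calloc(n + 1, sizeof(*ksnames))) == NULL)
        return errno;

    for (i = 0; i < n; i++) {
        char *ename, *sname;

        if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
            goto out;
        if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
                                    ks_tuple[i].ks_salttype, &sname)) {
            free(ename);
            goto out;
        }

        if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
            /* asprintf() leaves the target pointer undefined on failure;
             * reset it so the cleanup loop below never frees garbage. */
            ksnames[i] = NULL;
            rc = errno;
            free(ename);
            free(sname);
            goto out;
        }
        free(ename);
        free(sname);
    }

    ksnames[n] = NULL;
    *ks_tuple_strs = ksnames;
    return 0;

out:
    for (i = 0; i < n; i++)
        free(ksnames[i]);
    free(ksnames);
    return rc;
}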
     587             : 
/*
 * Find the [kadmin] default_key_rules entry whose name, parsed as a
 * principal pattern, matches `principal', and return that entry's strings.
 * Rules are tried in configuration order; the first match wins.
 *
 * @param context    krb5 context
 * @param principal  Principal to match the rule patterns against
 *
 * @return The matching rule's string values, owned by the caller, or NULL
 *         when no rule matches (or there is no default_key_rules at all).
 */
static char **
glob_rules_keys(krb5_context context, krb5_const_principal principal)
{
    const krb5_config_binding *rule;
    krb5_principal pattern;
    krb5_error_code ret;

    for (rule = krb5_config_get_list(context, NULL, "kadmin",
                                     "default_key_rules", NULL);
         rule != NULL;
         rule = rule->next) {
        if (rule->type != krb5_config_string)
            continue;
        /* Rule names that do not parse as a principal are skipped. */
        if (krb5_parse_name(context, rule->name, &pattern) != 0)
            continue;
        ret = krb5_principal_match(context, principal, pattern);
        krb5_free_principal(context, pattern);
        if (ret)
            return krb5_config_get_strings(context, rule, rule->name, NULL);
    }
    return NULL;
}
     620             : 
/*
 * NIST guidance in Section 5.1 of [SP800-132] requires that a portion
 * of the salt of at least 128 bits shall be randomly generated.
 *
 * Build `out' as a new salt whose value is 16 random bytes (128 bits),
 * base64-encoded, followed by a copy of the value of `in'.  `out'
 * inherits the salt type of `in'; the caller releases it with
 * krb5_free_salt().  Returns ENOMEM when the base64 encoding fails and
 * the krb5_data_alloc() error when the output buffer cannot be obtained.
 */
static krb5_error_code
add_random_to_salt(krb5_context context, krb5_salt *in, krb5_salt *out)
{
    unsigned char rnd[16];      /* 128 bits, the SP800-132 minimum */
    char *encoded = NULL;
    int encoded_len;
    krb5_error_code ret;
    char *dst;

    krb5_generate_random_block(rnd, sizeof(rnd));

    encoded_len = rk_base64_encode(rnd, sizeof(rnd), &encoded);
    if (encoded_len < 0)
        return ENOMEM;

    ret = krb5_data_alloc(&out->saltvalue,
                          encoded_len + in->saltvalue.length);
    if (ret != 0) {
        free(encoded);
        return ret;
    }

    /* Random prefix first, then the caller's original salt bytes. */
    dst = out->saltvalue.data;
    memcpy(dst, encoded, encoded_len);
    memcpy(dst + encoded_len, in->saltvalue.data, in->saltvalue.length);
    out->salttype = in->salttype;

    free(encoded);
    return 0;
}
     655             : 
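/*
 * Expand the historical aliases accepted in [kadmin]default_keys.
 * Returns `p' itself when it is not an alias.  Note that "v4", "afs"
 * and "afs3" expand to single-DES entries.
 */
static const char *
expand_keytype_alias(const char *p)
{
    if (strcmp(p, "v5") == 0)
        return "pw-salt";
    if (strcmp(p, "v4") == 0)
        return "des:pw-salt:";
    if (strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
        return "des:afs3-salt";
    if (strcmp(p, "arcfour-hmac-md5") == 0)
        return "arcfour-hmac-md5:pw-salt";
    return p;
}

/*
 * Return non-zero if `key_set' (of `nkeyset' entries) already holds a
 * key of `enctype' with a salt equal to `salt', or any key of that
 * enctype at all when `no_salt' is set.  A stored key without a salt
 * only matches the default pw-salt and is never dereferenced further.
 */
static int
key_set_contains(const Key *key_set, size_t nkeyset, krb5_enctype enctype,
                 const krb5_salt *salt, int no_salt)
{
    size_t j;

    for (j = 0; j < nkeyset; j++) {
        const Key *k = &key_set[j];

        if (k->key.keytype != enctype)
            continue;
        if (no_salt)
            return 1;
        if (k->salt == NULL) {
            if (salt->salttype == KRB5_PW_SALT)
                return 1;
            continue;
        }
        if (k->salt->type == salt->salttype &&
            k->salt->salt.length == salt->saltvalue.length &&
            memcmp(k->salt->salt.data, salt->saltvalue.data,
                   salt->saltvalue.length) == 0)
            return 1;
    }
    return 0;
}

/*
 * Generate the `key_set' from the [kadmin]default_keys statement. If
 * `no_salt' is set, salt is not important (and will not be set) since
 * it's random keys that are going to be created.
 *
 * The "enctype:salt" strings come from the first available source:
 * the explicit `ks_tuple' array, then a matching
 * [kadmin]default_key_rules entry for `principal', then
 * [kadmin]default_keys, and finally the built-in fallback table.
 * Entries that fail to parse are warned about and skipped; duplicate
 * (enctype, salt) pairs are added only once.
 *
 * On success *ret_key_set and *nkeyset describe the new array, which the
 * caller frees with hdb_free_keys().  On failure *ret_key_set is NULL,
 * *nkeyset is 0 and the error code is returned; EINVAL is returned when
 * no entry at all could be parsed.
 */
krb5_error_code
hdb_generate_key_set(krb5_context context, krb5_principal principal,
                     krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
                     Key **ret_key_set, size_t *nkeyset, int no_salt)
{
    char **ktypes = NULL;
    char **kp;
    krb5_error_code ret;
    Key *key_set;
    size_t i;
    char **ks_tuple_strs;
    char **config_ktypes = NULL;
    /*
     * NOTE(review): the built-in fallback still lists des3-cbc-sha1 and
     * arcfour-hmac-md5, which are legacy enctypes; deployments that must
     * avoid them should set [kadmin]default_keys explicitly.
     */
    static const char *default_keytypes[] = {
        "aes256-cts-hmac-sha1-96:pw-salt",
        "des3-cbc-sha1:pw-salt",
        "arcfour-hmac-md5:pw-salt",
        NULL
    };

    if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
        return ret;

    /* Source priority: explicit tuples, per-principal rules, config, builtin. */
    ktypes = ks_tuple_strs;
    if (ktypes == NULL) {
        config_ktypes = glob_rules_keys(context, principal);
        ktypes = config_ktypes;
    }
    if (ktypes == NULL) {
        config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
                                                "default_keys", NULL);
        ktypes = config_ktypes;
    }
    if (ktypes == NULL) {
        /* The fallback table is read-only; the cast only matches the
         * non-const type used for the freeable sources above. */
        ktypes = (char **)(intptr_t)default_keytypes;
    }

    *ret_key_set = key_set = NULL;
    *nkeyset = 0;

    for (kp = ktypes; kp && *kp; kp++) {
        const char *p = expand_keytype_alias(*kp);
        krb5_salt salt;
        krb5_enctype *enctypes;
        size_t num_enctypes;

        memset(&salt, 0, sizeof(salt));

        ret = parse_key_set(context, p,
                            &enctypes, &num_enctypes, &salt, principal);
        if (ret) {
            /* A bad entry is skipped; the caller only sees an error below
             * if nothing at all could be parsed. */
            krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
            ret = 0;
            krb5_free_salt(context, salt);
            continue;
        }

        for (i = 0; i < num_enctypes; i++) {
            krb5_salt *saltp = no_salt ? NULL : &salt;
            krb5_salt rsalt;

            /* Already present with this salt: nothing to add. */
            if (key_set_contains(key_set, *nkeyset, enctypes[i],
                                 &salt, no_salt))
                continue;

            memset(&rsalt, 0, sizeof(rsalt));

            /* prepend salt with randomness if required */
            if (!no_salt &&
                _krb5_enctype_requires_random_salt(context, enctypes[i])) {
                saltp = &rsalt;
                ret = add_random_to_salt(context, &salt, &rsalt);
            }

            if (ret == 0)
                ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i],
                                             saltp);
            krb5_free_salt(context, rsalt);

            if (ret) {
                free(enctypes);
                krb5_free_salt(context, salt);
                goto out;
            }
        }
        free(enctypes);
        krb5_free_salt(context, salt);
    }

    *ret_key_set = key_set;

 out:
    if (config_ktypes != NULL)
        krb5_config_free_strings(config_ktypes);

    for (kp = ks_tuple_strs; kp && *kp; kp++)
        free(*kp);
    free(ks_tuple_strs);

    if (ret) {
        krb5_warn(context, ret,
                  "failed to parse the [kadmin]default_keys values");

        for (i = 0; i < *nkeyset; i++)
            free_Key(&key_set[i]);
        free(key_set);
        /* Do not leave the caller with a count for an array that is gone. */
        *nkeyset = 0;
    } else if (*nkeyset == 0) {
        krb5_warnx(context,
                   "failed to parse any of the [kadmin]default_keys values");
        ret = EINVAL; /* XXX */
    }

    return ret;
}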
     802             : 
     803             : 
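/*
 * Generate the key set for `principal' (see hdb_generate_key_set()) and
 * derive each key from `password' with the key's own salt.
 *
 * On success *keys/*num_keys hold the derived keys, to be released with
 * hdb_free_keys().  On failure the partially built set is freed, *keys
 * is reset to NULL and *num_keys to 0, and the error is returned.
 */
krb5_error_code
hdb_generate_key_set_password_with_ks_tuple(krb5_context context,
                                            krb5_principal principal,
                                            const char *password,
                                            krb5_key_salt_tuple *ks_tuple,
                                            int n_ks_tuple,
                                            Key **keys, size_t *num_keys)
{
    krb5_error_code ret;
    size_t i;

    /* no_salt == 0: every generated key is expected to carry a salt,
     * which the string-to-key step below relies on. */
    ret = hdb_generate_key_set(context, principal, ks_tuple, n_ks_tuple,
                               keys, num_keys, 0);
    if (ret)
        return ret;

    for (i = 0; i < *num_keys; i++) {
        Key *key = &(*keys)[i];
        krb5_salt salt;

        /* Borrow the key's stored salt; nothing is copied or freed here. */
        salt.salttype = key->salt->type;
        salt.saltvalue.length = key->salt->salt.length;
        salt.saltvalue.data = key->salt->salt.data;

        ret = krb5_string_to_key_salt(context, key->key.keytype, password,
                                      salt, &key->key);
        if (ret)
            break;
    }

    if (ret) {
        /* hdb_free_keys() releases the array as well as the keys, so clear
         * the caller's references to avoid a dangling pointer. */
        hdb_free_keys(context, *num_keys, *keys);
        *keys = NULL;
        *num_keys = 0;
    }
    return ret;
}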
     843             : 
     844             : 
/*
 * Convenience wrapper around hdb_generate_key_set_password_with_ks_tuple()
 * for callers without an explicit key/salt tuple list: the key set is
 * taken from the configured defaults for `principal'.  Ownership and
 * error semantics are those of the wrapped function.
 */
krb5_error_code
hdb_generate_key_set_password(krb5_context context,
                              krb5_principal principal,
                              const char *password,
                              Key **keys, size_t *num_keys)
{
    krb5_key_salt_tuple *no_ks_tuple = NULL;
    const int n_ks_tuple = 0;

    return hdb_generate_key_set_password_with_ks_tuple(context, principal,
                                                       password, no_ks_tuple,
                                                       n_ks_tuple,
                                                       keys, num_keys);
}
