xref: /freebsd/crypto/heimdal/kdc/mit_dump.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*
2  * Copyright (c) 2000 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "hprop.h"
35 
36 RCSID("$Id: mit_dump.c 21745 2007-07-31 16:11:25Z lha $");
37 
38 /*
39 can have any number of princ stanzas.
40 format is as follows (only \n indicates newlines)
41 princ\t%d\t (%d is KRB5_KDB_V1_BASE_LENGTH, always 38)
42 %d\t (strlen of principal e.g. shadow/foo@ANDREW.CMU.EDU)
43 %d\t (number of tl_data)
44 %d\t (number of key data, e.g. how many keys for this user)
45 %d\t (extra data length)
46 %s\t (principal name)
47 %d\t (attributes)
48 %d\t (max lifetime, seconds)
49 %d\t (max renewable life, seconds)
50 %d\t (expiration, seconds since epoch or 2145830400 for never)
51 %d\t (password expiration, seconds, 0 for never)
52 %d\t (last successful auth, seconds since epoch)
53 %d\t (last failed auth, per above)
54 %d\t (failed auth count)
55 foreach tl_data 0 to number of tl_data - 1 as above
56   %d\t%d\t (data type, data length)
57   foreach tl_data 0 to length-1
58     %02x (tl data contents[element n])
59   except if tl_data length is 0
60     %d (always -1)
61   \t
62 foreach key 0 to number of keys - 1 as above
63   %d\t%d\t (key data version, kvno)
64   foreach version 0 to key data version - 1 (a key or a salt)
65     %d\t%d\t(data type for this key, data length for this key)
66     foreach key data length 0 to length-1
67       %02x (key data contents[element n])
68     except if key_data length is 0
69       %d (always -1)
70     \t
71 foreach extra data length 0 to length - 1
72   %02x (extra data part)
73 unless no extra data
74   %d (always -1)
75 ;\n
76 
77 */
78 
79 static int
80 hex_to_octet_string(const char *ptr, krb5_data *data)
81 {
82     int i;
83     unsigned int v;
84     for(i = 0; i < data->length; i++) {
85 	if(sscanf(ptr + 2 * i, "%02x", &v) != 1)
86 	    return -1;
87 	((unsigned char*)data->data)[i] = v;
88     }
89     return 2 * i;
90 }
91 
92 static char *
93 nexttoken(char **p)
94 {
95     char *q;
96     do {
97 	q = strsep(p, " \t");
98     } while(q && *q == '\0');
99     return q;
100 }
101 
102 static size_t
103 getdata(char **p, unsigned char *buf, size_t len)
104 {
105     size_t i;
106     int v;
107     char *q = nexttoken(p);
108     i = 0;
109     while(*q && i < len) {
110 	if(sscanf(q, "%02x", &v) != 1)
111 	    break;
112 	buf[i++] = v;
113 	q += 2;
114     }
115     return i;
116 }
117 
118 static int
119 getint(char **p)
120 {
121     int val;
122     char *q = nexttoken(p);
123     sscanf(q, "%d", &val);
124     return val;
125 }
126 
127 #include <kadm5/admin.h>
128 
129 static void
130 attr_to_flags(unsigned attr, HDBFlags *flags)
131 {
132     flags->postdate =		!(attr & KRB5_KDB_DISALLOW_POSTDATED);
133     flags->forwardable =	!(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
134     flags->initial =	       !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
135     flags->renewable =		!(attr & KRB5_KDB_DISALLOW_RENEWABLE);
136     flags->proxiable =		!(attr & KRB5_KDB_DISALLOW_PROXIABLE);
137     /* DUP_SKEY */
138     flags->invalid =	       !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
139     flags->require_preauth =   !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
140     /* HW_AUTH */
141     flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
142     flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
143     flags->client =	        1; /* XXX */
144 }
145 
146 #define KRB5_KDB_SALTTYPE_NORMAL	0
147 #define KRB5_KDB_SALTTYPE_V4		1
148 #define KRB5_KDB_SALTTYPE_NOREALM	2
149 #define KRB5_KDB_SALTTYPE_ONLYREALM	3
150 #define KRB5_KDB_SALTTYPE_SPECIAL	4
151 #define KRB5_KDB_SALTTYPE_AFS3		5
152 
153 static krb5_error_code
154 fix_salt(krb5_context context, hdb_entry *ent, int key_num)
155 {
156     krb5_error_code ret;
157     Salt *salt = ent->keys.val[key_num].salt;
158     /* fix salt type */
159     switch((int)salt->type) {
160     case KRB5_KDB_SALTTYPE_NORMAL:
161 	salt->type = KRB5_PADATA_PW_SALT;
162 	break;
163     case KRB5_KDB_SALTTYPE_V4:
164 	krb5_data_free(&salt->salt);
165 	salt->type = KRB5_PADATA_PW_SALT;
166 	break;
167     case KRB5_KDB_SALTTYPE_NOREALM:
168     {
169 	size_t len;
170 	int i;
171 	char *p;
172 
173 	len = 0;
174 	for (i = 0; i < ent->principal->name.name_string.len; ++i)
175 	    len += strlen(ent->principal->name.name_string.val[i]);
176 	ret = krb5_data_alloc (&salt->salt, len);
177 	if (ret)
178 	    return ret;
179 	p = salt->salt.data;
180 	for (i = 0; i < ent->principal->name.name_string.len; ++i) {
181 	    memcpy (p,
182 		    ent->principal->name.name_string.val[i],
183 		    strlen(ent->principal->name.name_string.val[i]));
184 	    p += strlen(ent->principal->name.name_string.val[i]);
185 	}
186 
187 	salt->type = KRB5_PADATA_PW_SALT;
188 	break;
189     }
190     case KRB5_KDB_SALTTYPE_ONLYREALM:
191 	krb5_data_free(&salt->salt);
192 	ret = krb5_data_copy(&salt->salt,
193 			     ent->principal->realm,
194 			     strlen(ent->principal->realm));
195 	if(ret)
196 	    return ret;
197 	salt->type = KRB5_PADATA_PW_SALT;
198 	break;
199     case KRB5_KDB_SALTTYPE_SPECIAL:
200 	salt->type = KRB5_PADATA_PW_SALT;
201 	break;
202     case KRB5_KDB_SALTTYPE_AFS3:
203 	krb5_data_free(&salt->salt);
204 	ret = krb5_data_copy(&salt->salt,
205 		       ent->principal->realm,
206 		       strlen(ent->principal->realm));
207 	if(ret)
208 	    return ret;
209 	salt->type = KRB5_PADATA_AFS3_SALT;
210 	break;
211     default:
212 	abort();
213     }
214     return 0;
215 }
216 
217 int
218 mit_prop_dump(void *arg, const char *file)
219 {
220     krb5_error_code ret;
221     char line [2048];
222     FILE *f;
223     int lineno = 0;
224     struct hdb_entry_ex ent;
225 
226     struct prop_data *pd = arg;
227 
228     f = fopen(file, "r");
229     if(f == NULL)
230 	return errno;
231 
232     while(fgets(line, sizeof(line), f)) {
233 	char *p = line, *q;
234 
235 	int i;
236 
237 	int num_tl_data;
238 	int num_key_data;
239 	int extra_data_length;
240 	int attributes;
241 
242 	int tmp;
243 
244 	lineno++;
245 
246 	memset(&ent, 0, sizeof(ent));
247 
248 	q = nexttoken(&p);
249 	if(strcmp(q, "kdb5_util") == 0) {
250 	    int major;
251 	    q = nexttoken(&p); /* load_dump */
252 	    if(strcmp(q, "load_dump"))
253 		errx(1, "line %d: unknown version", lineno);
254 	    q = nexttoken(&p); /* load_dump */
255 	    if(strcmp(q, "version"))
256 		errx(1, "line %d: unknown version", lineno);
257 	    q = nexttoken(&p); /* x.0 */
258 	    if(sscanf(q, "%d", &major) != 1)
259 		errx(1, "line %d: unknown version", lineno);
260 	    if(major != 4)
261 		errx(1, "unknown dump file format, got %d, expected 4", major);
262 	    continue;
263 	} else if(strcmp(q, "princ") != 0) {
264 	    warnx("line %d: not a principal", lineno);
265 	    continue;
266 	}
267 	tmp = getint(&p);
268 	if(tmp != 38) {
269 	    warnx("line %d: bad base length %d != 38", lineno, tmp);
270 	    continue;
271 	}
272 	q = nexttoken(&p); /* length of principal */
273 	num_tl_data = getint(&p); /* number of tl-data */
274 	num_key_data = getint(&p); /* number of key-data */
275 	extra_data_length = getint(&p);  /* length of extra data */
276 	q = nexttoken(&p); /* principal name */
277 	krb5_parse_name(pd->context, q, &ent.entry.principal);
278 	attributes = getint(&p); /* attributes */
279 	attr_to_flags(attributes, &ent.entry.flags);
280 	tmp = getint(&p); /* max life */
281 	if(tmp != 0) {
282 	    ALLOC(ent.entry.max_life);
283 	    *ent.entry.max_life = tmp;
284 	}
285 	tmp = getint(&p); /* max renewable life */
286 	if(tmp != 0) {
287 	    ALLOC(ent.entry.max_renew);
288 	    *ent.entry.max_renew = tmp;
289 	}
290 	tmp = getint(&p); /* expiration */
291 	if(tmp != 0 && tmp != 2145830400) {
292 	    ALLOC(ent.entry.valid_end);
293 	    *ent.entry.valid_end = tmp;
294 	}
295 	tmp = getint(&p); /* pw expiration */
296 	if(tmp != 0) {
297 	    ALLOC(ent.entry.pw_end);
298 	    *ent.entry.pw_end = tmp;
299 	}
300 	q = nexttoken(&p); /* last auth */
301 	q = nexttoken(&p); /* last failed auth */
302 	q = nexttoken(&p); /* fail auth count */
303 	for(i = 0; i < num_tl_data; i++) {
304 	    unsigned long val;
305 	    int tl_type, tl_length;
306 	    unsigned char *buf;
307 	    krb5_principal princ;
308 
309 	    tl_type = getint(&p); /* data type */
310 	    tl_length = getint(&p); /* data length */
311 
312 #define mit_KRB5_TL_LAST_PWD_CHANGE	1
313 #define mit_KRB5_TL_MOD_PRINC		2
314 	    switch(tl_type) {
315 	    case mit_KRB5_TL_MOD_PRINC:
316 		buf = malloc(tl_length);
317 		if (buf == NULL)
318 		    errx(ENOMEM, "malloc");
319 		getdata(&p, buf, tl_length); /* data itself */
320 		val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24);
321 		ret = krb5_parse_name(pd->context, (char *)buf + 4, &princ);
322 		free(buf);
323 		ALLOC(ent.entry.modified_by);
324 		ent.entry.modified_by->time = val;
325 		ent.entry.modified_by->principal = princ;
326 		break;
327 	    default:
328 		nexttoken(&p);
329 		break;
330 	    }
331 	}
332 	ALLOC_SEQ(&ent.entry.keys, num_key_data);
333 	for(i = 0; i < num_key_data; i++) {
334 	    int key_versions;
335 	    key_versions = getint(&p); /* key data version */
336 	    ent.entry.kvno = getint(&p); /* XXX kvno */
337 
338 	    ALLOC(ent.entry.keys.val[i].mkvno);
339 	    *ent.entry.keys.val[i].mkvno = 0;
340 
341 	    /* key version 0 -- actual key */
342 	    ent.entry.keys.val[i].key.keytype = getint(&p); /* key type */
343 	    tmp = getint(&p); /* key length */
344 	    /* the first two bytes of the key is the key length --
345 	       skip it */
346 	    krb5_data_alloc(&ent.entry.keys.val[i].key.keyvalue, tmp - 2);
347 	    q = nexttoken(&p); /* key itself */
348 	    hex_to_octet_string(q + 4, &ent.entry.keys.val[i].key.keyvalue);
349 
350 	    if(key_versions > 1) {
351 		/* key version 1 -- optional salt */
352 		ALLOC(ent.entry.keys.val[i].salt);
353 		ent.entry.keys.val[i].salt->type = getint(&p); /* salt type */
354 		tmp = getint(&p); /* salt length */
355 		if(tmp > 0) {
356 		    krb5_data_alloc(&ent.entry.keys.val[i].salt->salt, tmp - 2);
357 		    q = nexttoken(&p); /* salt itself */
358 		    hex_to_octet_string(q + 4,
359 					&ent.entry.keys.val[i].salt->salt);
360 		} else {
361 		    ent.entry.keys.val[i].salt->salt.length = 0;
362 		    ent.entry.keys.val[i].salt->salt.data = NULL;
363 		    tmp = getint(&p);	/* -1, if no data. */
364 		}
365 		fix_salt(pd->context, &ent.entry, i);
366 	    }
367 	}
368 	q = nexttoken(&p); /* extra data */
369 	v5_prop(pd->context, NULL, &ent, arg);
370     }
371     fclose(f);
372     return 0;
373 }
374