1 /* 2 * Copyright (c) 1997 - 2001, 2003 - 2004 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "hdb_locl.h" 35 36 RCSID("$Id: keys.c 22071 2007-11-14 20:04:50Z lha $"); 37 38 /* 39 * free all the memory used by (len, keys) 40 */ 41 42 void 43 hdb_free_keys (krb5_context context, int len, Key *keys) 44 { 45 int i; 46 47 for (i = 0; i < len; i++) { 48 free(keys[i].mkvno); 49 keys[i].mkvno = NULL; 50 if (keys[i].salt != NULL) { 51 free_Salt(keys[i].salt); 52 free(keys[i].salt); 53 keys[i].salt = NULL; 54 } 55 krb5_free_keyblock_contents(context, &keys[i].key); 56 } 57 free (keys); 58 } 59 60 /* 61 * for each entry in `default_keys' try to parse it as a sequence 62 * of etype:salttype:salt, syntax of this if something like: 63 * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it 64 * means all etypes, and if string is omitted is means the default 65 * string (for that principal). Additional special values: 66 * v5 == pw-salt, and 67 * v4 == des:pw-salt: 68 * afs or afs3 == des:afs3-salt 69 */ 70 71 /* the 3 DES types must be first */ 72 static const krb5_enctype all_etypes[] = { 73 ETYPE_DES_CBC_MD5, 74 ETYPE_DES_CBC_MD4, 75 ETYPE_DES_CBC_CRC, 76 ETYPE_AES256_CTS_HMAC_SHA1_96, 77 ETYPE_ARCFOUR_HMAC_MD5, 78 ETYPE_DES3_CBC_SHA1 79 }; 80 81 static krb5_error_code 82 parse_key_set(krb5_context context, const char *key, 83 krb5_enctype **ret_enctypes, size_t *ret_num_enctypes, 84 krb5_salt *salt, krb5_principal principal) 85 { 86 const char *p; 87 char buf[3][256]; 88 int num_buf = 0; 89 int i, num_enctypes = 0; 90 krb5_enctype e; 91 const krb5_enctype *enctypes = NULL; 92 krb5_error_code ret; 93 94 p = key; 95 96 *ret_enctypes = NULL; 97 *ret_num_enctypes = 0; 98 99 /* split p in a list of :-separated strings */ 100 for(num_buf = 0; num_buf < 3; num_buf++) 101 if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1) 102 break; 103 104 salt->saltvalue.data = NULL; 105 salt->saltvalue.length = 0; 106 107 for(i = 0; i < num_buf; i++) { 108 if(enctypes == NULL && num_buf > 1) { 109 /* this might be a etype specifier */ 110 /* XXX there should be a string_to_etypes handling 111 special cases like `des' and `all' */ 112 if(strcmp(buf[i], "des") == 0) { 113 enctypes = all_etypes; 114 num_enctypes = 3; 115 } else if(strcmp(buf[i], "des3") == 0) { 116 e = ETYPE_DES3_CBC_SHA1; 117 enctypes = &e; 118 num_enctypes = 1; 119 } else { 120 ret = krb5_string_to_enctype(context, buf[i], &e); 121 if (ret == 0) { 122 enctypes = &e; 123 num_enctypes = 1; 124 } else 125 return ret; 126 } 127 continue; 128 } 129 if(salt->salttype == 0) { 130 /* interpret string as a salt specifier, if no etype 131 is set, this sets default values */ 132 /* XXX should perhaps use string_to_salttype, but that 133 interface sucks */ 134 if(strcmp(buf[i], "pw-salt") == 0) { 135 if(enctypes == NULL) { 136 enctypes = all_etypes; 137 num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]); 138 } 139 salt->salttype = KRB5_PW_SALT; 140 } else if(strcmp(buf[i], "afs3-salt") == 0) { 141 if(enctypes == NULL) { 142 enctypes = all_etypes; 143 num_enctypes = 3; 144 } 145 salt->salttype = KRB5_AFS3_SALT; 146 } 147 continue; 148 } 149 150 { 151 /* if there is a final string, use it as the string to 152 salt with, this is mostly useful with null salt for 153 v4 compat, and a cell name for afs compat */ 154 salt->saltvalue.data = strdup(buf[i]); 155 if (salt->saltvalue.data == NULL) { 156 krb5_set_error_string(context, "out of memory"); 157 return ENOMEM; 158 } 159 salt->saltvalue.length = strlen(buf[i]); 160 } 161 } 162 163 if(enctypes == NULL || salt->salttype == 0) { 164 krb5_set_error_string(context, "bad value for default_keys `%s'", key); 165 return EINVAL; 166 } 167 168 /* if no salt was specified make up default salt */ 169 if(salt->saltvalue.data == NULL) { 170 if(salt->salttype == KRB5_PW_SALT) 171 ret = krb5_get_pw_salt(context, principal, salt); 172 else if(salt->salttype == KRB5_AFS3_SALT) { 173 krb5_realm *realm = krb5_princ_realm(context, principal); 174 salt->saltvalue.data = strdup(*realm); 175 if(salt->saltvalue.data == NULL) { 176 krb5_set_error_string(context, "out of memory while " 177 "parsing salt specifiers"); 178 return ENOMEM; 179 } 180 strlwr(salt->saltvalue.data); 181 salt->saltvalue.length = strlen(*realm); 182 } 183 } 184 185 *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes); 186 if (*ret_enctypes == NULL) { 187 krb5_free_salt(context, *salt); 188 krb5_set_error_string(context, "out of memory"); 189 return ENOMEM; 190 } 191 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes); 192 *ret_num_enctypes = num_enctypes; 193 194 return 0; 195 } 196 197 static krb5_error_code 198 add_enctype_to_key_set(Key **key_set, size_t *nkeyset, 199 krb5_enctype enctype, krb5_salt *salt) 200 { 201 krb5_error_code ret; 202 Key key, *tmp; 203 204 memset(&key, 0, sizeof(key)); 205 206 tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0])); 207 if (tmp == NULL) 208 return ENOMEM; 209 210 *key_set = tmp; 211 212 key.key.keytype = enctype; 213 key.key.keyvalue.length = 0; 214 key.key.keyvalue.data = NULL; 215 216 if (salt) { 217 key.salt = malloc(sizeof(*key.salt)); 218 if (key.salt == NULL) { 219 free_Key(&key); 220 return ENOMEM; 221 } 222 223 key.salt->type = salt->salttype; 224 krb5_data_zero (&key.salt->salt); 225 226 ret = krb5_data_copy(&key.salt->salt, 227 salt->saltvalue.data, 228 salt->saltvalue.length); 229 if (ret) { 230 free_Key(&key); 231 return ret; 232 } 233 } else 234 key.salt = NULL; 235 236 (*key_set)[*nkeyset] = key; 237 238 *nkeyset += 1; 239 240 return 0; 241 } 242 243 244 /* 245 * Generate the `key_set' from the [kadmin]default_keys statement. If 246 * `no_salt' is set, salt is not important (and will not be set) since 247 * it's random keys that is going to be created. 248 */ 249 250 krb5_error_code 251 hdb_generate_key_set(krb5_context context, krb5_principal principal, 252 Key **ret_key_set, size_t *nkeyset, int no_salt) 253 { 254 char **ktypes, **kp; 255 krb5_error_code ret; 256 Key *k, *key_set; 257 int i, j; 258 char *default_keytypes[] = { 259 "des:pw-salt", 260 "aes256-cts-hmac-sha1-96:pw-salt", 261 "des3-cbc-sha1:pw-salt", 262 "arcfour-hmac-md5:pw-salt", 263 NULL 264 }; 265 266 ktypes = krb5_config_get_strings(context, NULL, "kadmin", 267 "default_keys", NULL); 268 if (ktypes == NULL) 269 ktypes = default_keytypes; 270 271 if (ktypes == NULL) 272 abort(); 273 274 *ret_key_set = key_set = NULL; 275 *nkeyset = 0; 276 277 ret = 0; 278 279 for(kp = ktypes; kp && *kp; kp++) { 280 const char *p; 281 krb5_salt salt; 282 krb5_enctype *enctypes; 283 size_t num_enctypes; 284 285 p = *kp; 286 /* check alias */ 287 if(strcmp(p, "v5") == 0) 288 p = "pw-salt"; 289 else if(strcmp(p, "v4") == 0) 290 p = "des:pw-salt:"; 291 else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0) 292 p = "des:afs3-salt"; 293 else if (strcmp(p, "arcfour-hmac-md5") == 0) 294 p = "arcfour-hmac-md5:pw-salt"; 295 296 memset(&salt, 0, sizeof(salt)); 297 298 ret = parse_key_set(context, p, 299 &enctypes, &num_enctypes, &salt, principal); 300 if (ret) { 301 krb5_warn(context, ret, "bad value for default_keys `%s'", *kp); 302 ret = 0; 303 continue; 304 } 305 306 for (i = 0; i < num_enctypes; i++) { 307 /* find duplicates */ 308 for (j = 0; j < *nkeyset; j++) { 309 310 k = &key_set[j]; 311 312 if (k->key.keytype == enctypes[i]) { 313 if (no_salt) 314 break; 315 if (k->salt == NULL && salt.salttype == KRB5_PW_SALT) 316 break; 317 if (k->salt->type == salt.salttype && 318 k->salt->salt.length == salt.saltvalue.length && 319 memcmp(k->salt->salt.data, salt.saltvalue.data, 320 salt.saltvalue.length) == 0) 321 break; 322 } 323 } 324 /* not a duplicate, lets add it */ 325 if (j == *nkeyset) { 326 ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i], 327 no_salt ? NULL : &salt); 328 if (ret) { 329 free(enctypes); 330 krb5_free_salt(context, salt); 331 goto out; 332 } 333 } 334 } 335 free(enctypes); 336 krb5_free_salt(context, salt); 337 } 338 339 *ret_key_set = key_set; 340 341 out: 342 if (ktypes != default_keytypes) 343 krb5_config_free_strings(ktypes); 344 345 if (ret) { 346 krb5_warn(context, ret, 347 "failed to parse the [kadmin]default_keys values"); 348 349 for (i = 0; i < *nkeyset; i++) 350 free_Key(&key_set[i]); 351 free(key_set); 352 } else if (*nkeyset == 0) { 353 krb5_warnx(context, 354 "failed to parse any of the [kadmin]default_keys values"); 355 ret = EINVAL; /* XXX */ 356 } 357 358 return ret; 359 } 360 361 362 krb5_error_code 363 hdb_generate_key_set_password(krb5_context context, 364 krb5_principal principal, 365 const char *password, 366 Key **keys, size_t *num_keys) 367 { 368 krb5_error_code ret; 369 int i; 370 371 ret = hdb_generate_key_set(context, principal, 372 keys, num_keys, 0); 373 if (ret) 374 return ret; 375 376 for (i = 0; i < (*num_keys); i++) { 377 krb5_salt salt; 378 379 salt.salttype = (*keys)[i].salt->type; 380 salt.saltvalue.length = (*keys)[i].salt->salt.length; 381 salt.saltvalue.data = (*keys)[i].salt->salt.data; 382 383 ret = krb5_string_to_key_salt (context, 384 (*keys)[i].key.keytype, 385 password, 386 salt, 387 &(*keys)[i].key); 388 389 if(ret) 390 break; 391 } 392 393 if(ret) { 394 hdb_free_keys (context, *num_keys, *keys); 395 return ret; 396 } 397 return ret; 398 } 399