xref: /illumos-gate/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c (revision 4e93fb0f6383eaac21897dcdae56b87118131e4d)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 
9 /*
10  * kadmin/ktutil/ktutil_funcs.c
11  *
12  *(C) Copyright 1995, 1996 by the Massachusetts Institute of Technology.
13  * All Rights Reserved.
14  *
15  * Export of this software from the United States of America may
16  *   require a specific license from the United States Government.
17  *   It is the responsibility of any person or organization contemplating
18  *   export to obtain such a license before exporting.
19  *
20  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
21  * distribute this software and its documentation for any purpose and
22  * without fee is hereby granted, provided that the above copyright
23  * notice appear in all copies and that both that copyright notice and
24  * this permission notice appear in supporting documentation, and that
25  * the name of M.I.T. not be used in advertising or publicity pertaining
26  * to distribution of the software without specific, written prior
27  * permission.  Furthermore if you modify this software you must label
28  * your software as modified software and not distribute it in such a
29  * fashion that it might be confused with the original M.I.T. software.
30  * M.I.T. makes no representations about the suitability of
31  * this software for any purpose.  It is provided "as is" without express
32  * or implied warranty.
33  *
34  * Utility functions for ktutil.
35  */
36 
37 #include "k5-int.h"
38 #include "ktutil.h"
39 #ifdef KRB5_KRB4_COMPAT
40 #include "kerberosIV/krb.h"
41 #include <stdio.h>
42 #endif
43 #include <string.h>
44 #include <ctype.h>
45 #include <libintl.h>
46 
47 /*
48  * Free a kt_list
49  */
50 krb5_error_code ktutil_free_kt_list(context, list)
51     krb5_context context;
52     krb5_kt_list list;
53 {
54     krb5_kt_list lp, prev;
55     krb5_error_code retval = 0;
56 
57     for (lp = list; lp;) {
58 	retval = krb5_kt_free_entry(context, lp->entry);
59 	free((char *)lp->entry);
60 	if (retval)
61 	    break;
62 	prev = lp;
63 	lp = lp->next;
64 	free((char *)prev);
65     }
66     return retval;
67 }
68 
69 /*
70  * Delete a numbered entry in a kt_list.  Takes a pointer to a kt_list
71  * in case head gets deleted.
72  */
73 krb5_error_code ktutil_delete(context, list, idx)
74     krb5_context context;
75     krb5_kt_list *list;
76     int idx;
77 {
78     krb5_kt_list lp, prev;
79     int i;
80 
81     for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {
82 	if (i == idx) {
83 	    if (i == 1)
84 		*list = lp->next;
85 	    else
86 		prev->next = lp->next;
87 	    lp->next = NULL;
88 	    return ktutil_free_kt_list(context, lp);
89 	}
90     }
91     return EINVAL;
92 }
93 
94 /*
95  * Create a new keytab entry and add it to the keytab list.
96  * Based on the value of use_pass, either prompt the user for a
97  * password or key.  If the keytab list is NULL, allocate a new
98  * one first.
99  */
100 krb5_error_code ktutil_add(context, list, princ_str, kvno,
101 			   enctype_str, use_pass)
102     krb5_context context;
103     krb5_kt_list *list;
104     char *princ_str;
105     krb5_kvno kvno;
106     char *enctype_str;
107     int use_pass;
108 {
109     krb5_keytab_entry *entry;
110     krb5_kt_list lp = NULL, prev = NULL;
111     krb5_principal princ;
112     krb5_enctype enctype;
113     krb5_timestamp now;
114     krb5_error_code retval;
115     krb5_data password, salt;
116     krb5_keyblock key;
117     char buf[BUFSIZ];
118     char promptstr[1024];
119 
120     char *cp;
121     int i, tmp;
122     unsigned int pwsize = BUFSIZ;
123 
124     retval = krb5_parse_name(context, princ_str, &princ);
125     if (retval)
126         return retval;
127     /* now unparse in order to get the default realm appended
128        to princ_str, if no realm was specified */
129     retval = krb5_unparse_name(context, princ, &princ_str);
130     if (retval)
131         return retval;
132     retval = krb5_string_to_enctype(enctype_str, &enctype);
133     if (retval)
134         return KRB5_BAD_ENCTYPE;
135     retval = krb5_timeofday(context, &now);
136     if (retval)
137         return retval;
138 
139     if (*list) {
140         /* point lp at the tail of the list */
141         for (lp = *list; lp->next; lp = lp->next);
142     }
143     entry = (krb5_keytab_entry *) malloc(sizeof(krb5_keytab_entry));
144     if (!entry) {
145         return ENOMEM;
146     }
147     memset((char *) entry, 0, sizeof(*entry));
148 
149     if (!lp) {		/* if list is empty, start one */
150         lp = (krb5_kt_list) malloc(sizeof(*lp));
151 	if (!lp) {
152 	    return ENOMEM;
153 	}
154     } else {
155         lp->next = (krb5_kt_list) malloc(sizeof(*lp));
156 	if (!lp->next) {
157 	    return ENOMEM;
158 	}
159 	prev = lp;
160 	lp = lp->next;
161     }
162     lp->next = NULL;
163     lp->entry = entry;
164 
165     if (use_pass) {
166         password.length = pwsize;
167 	password.data = (char *) malloc(pwsize);
168 	if (!password.data) {
169 	    retval = ENOMEM;
170 	    goto cleanup;
171 	}
172 
173 	(void) snprintf(promptstr, sizeof(promptstr),
174 		gettext("Password for %.1000s"), princ_str);
175         retval = krb5_read_password(context, promptstr, NULL, password.data,
176 				    &password.length);
177 	if (retval)
178 	    goto cleanup;
179 	retval = krb5_principal2salt(context, princ, &salt);
180 	if (retval)
181 	    goto cleanup;
182 	retval = krb5_c_string_to_key(context, enctype, &password,
183 				      &salt, &key);
184 	if (retval)
185 	    goto cleanup;
186 	memset(password.data, 0, password.length);
187 	password.length = 0;
188 	memcpy(&lp->entry->key, &key, sizeof(krb5_keyblock));
189     } else {
190         printf(gettext("Key for %s (hex): "), princ_str);
191 	fgets(buf, BUFSIZ, stdin);
192 	/*
193 	 * We need to get rid of the trailing '\n' from fgets.
194 	 * If we have an even number of hex digits (as we should),
195 	 * write a '\0' over the '\n'.  If for some reason we have
196 	 * an odd number of hex digits, force an even number of hex
197 	 * digits by writing a '0' into the last position (the string
198 	 * will still be null-terminated).
199 	 */
200 	buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0';
201 	if (strlen(buf) == 0) {
202 	    fprintf(stderr, "addent: %s", gettext("Error reading key.\n"));
203 	    retval = 0;
204 	    goto cleanup;
205 	}
206 
207         lp->entry->key.enctype = enctype;
208 	lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2);
209 	if (!lp->entry->key.contents) {
210 	    retval = ENOMEM;
211 	    goto cleanup;
212 	}
213 
214 	i = 0;
215 	for (cp = buf; *cp; cp += 2) {
216 	    if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) {
217 	        fprintf(stderr, "addent: %s",
218 			gettext("Illegal character in key.\n"));
219 		retval = 0;
220 		goto cleanup;
221 	    }
222 	    sscanf(cp, "%02x", &tmp);
223 	    lp->entry->key.contents[i++] = (krb5_octet) tmp;
224 	}
225 	lp->entry->key.length = i;
226     }
227     lp->entry->principal = princ;
228     lp->entry->vno = kvno;
229     lp->entry->timestamp = now;
230 
231     if (!*list)
232 	*list = lp;
233 
234     return 0;
235 
236  cleanup:
237     if (prev)
238         prev->next = NULL;
239     ktutil_free_kt_list(context, lp);
240     return retval;
241 }
242 
243 /*
244  * Read in a keytab and append it to list.  If list starts as NULL,
245  * allocate a new one if necessary.
246  */
247 krb5_error_code ktutil_read_keytab(context, name, list)
248     krb5_context context;
249     char *name;
250     krb5_kt_list *list;
251 {
252     krb5_kt_list lp = NULL, tail = NULL, back = NULL;
253     krb5_keytab kt;
254     krb5_keytab_entry *entry;
255     krb5_kt_cursor cursor;
256     krb5_error_code retval = 0;
257 
258     if (*list) {
259 	/* point lp at the tail of the list */
260 	for (lp = *list; lp->next; lp = lp->next);
261 	back = lp;
262     }
263     retval = krb5_kt_resolve(context, name, &kt);
264     if (retval)
265 	return retval;
266     retval = krb5_kt_start_seq_get(context, kt, &cursor);
267     if (retval)
268 	goto close_kt;
269     for (;;) {
270 	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
271 	if (!entry) {
272 	    retval = ENOMEM;
273 	    break;
274 	}
275 	memset((char *)entry, 0, sizeof (*entry));
276 	retval = krb5_kt_next_entry(context, kt, entry, &cursor);
277 	if (retval)
278 	    break;
279 
280 	if (!lp) {		/* if list is empty, start one */
281 	    lp = (krb5_kt_list)malloc(sizeof (*lp));
282 	    if (!lp) {
283 		retval = ENOMEM;
284 		break;
285 	    }
286 	} else {
287 	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
288 	    if (!lp->next) {
289 		retval = ENOMEM;
290 		break;
291 	    }
292 	    lp = lp->next;
293 	}
294 	if (!tail)
295 	    tail = lp;
296 	lp->next = NULL;
297 	lp->entry = entry;
298     }
299     if (entry)
300 	free((char *)entry);
301     if (retval) {
302 	if (retval == KRB5_KT_END)
303 	    retval = 0;
304 	else {
305 	    ktutil_free_kt_list(context, tail);
306 	    tail = NULL;
307 	    if (back)
308 		back->next = NULL;
309 	}
310     }
311     if (!*list)
312 	*list = tail;
313     krb5_kt_end_seq_get(context, kt, &cursor);
314  close_kt:
315     krb5_kt_close(context, kt);
316     return retval;
317 }
318 
319 /*
320  * Takes a kt_list and writes it to the named keytab.
321  */
322 krb5_error_code ktutil_write_keytab(context, list, name)
323     krb5_context context;
324     krb5_kt_list list;
325     char *name;
326 {
327     krb5_kt_list lp;
328     krb5_keytab kt;
329     char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];
330     krb5_error_code retval = 0;
331 
332     strcpy(ktname, "WRFILE:");
333     if (strlen (name) >= MAXPATHLEN)
334 	return ENAMETOOLONG;
335     strncat (ktname, name, MAXPATHLEN);
336     retval = krb5_kt_resolve(context, ktname, &kt);
337     if (retval)
338 	return retval;
339     for (lp = list; lp; lp = lp->next) {
340 	retval = krb5_kt_add_entry(context, kt, lp->entry);
341 	if (retval)
342 	    break;
343     }
344     krb5_kt_close(context, kt);
345     return retval;
346 }
347 
348 #ifdef KRB5_KRB4_COMPAT
349 /*
350  * getstr() takes a file pointer, a string and a count.  It reads from
351  * the file until either it has read "count" characters, or until it
352  * reads a null byte.  When finished, what has been read exists in the
353  * given string "s".  If "count" characters were actually read, the
354  * last is changed to a null, so the returned string is always null-
355  * terminated.  getstr() returns the number of characters read,
356  * including the null terminator.
357  */
358 
359 static int getstr(fp, s, n)
360     FILE *fp;
361     register char *s;
362     int n;
363 {
364     register int count = n;
365     while (fread(s, 1, 1, fp) > 0 && --count)
366         if (*s++ == '\0')
367             return (n - count);
368     *s = '\0';
369     return (n - count);
370 }
371 
372 /*
373  * Read in a named krb4 srvtab and append to list.  Allocate new list
374  * if needed.
375  */
376 krb5_error_code ktutil_read_srvtab(context, name, list)
377     krb5_context context;
378     char *name;
379     krb5_kt_list *list;
380 {
381     krb5_kt_list lp = NULL, tail = NULL, back = NULL;
382     krb5_keytab_entry *entry;
383     krb5_error_code retval = 0;
384     char sname[SNAME_SZ];	/* name of service */
385     char sinst[INST_SZ];	/* instance of service */
386     char srealm[REALM_SZ];	/* realm of service */
387     unsigned char kvno;		/* key version number */
388     des_cblock key;
389     FILE *fp;
390 
391     if (*list) {
392 	/* point lp at the tail of the list */
393 	for (lp = *list; lp->next; lp = lp->next);
394 	back = lp;
395     }
396     fp = fopen(name, "r");
397     if (!fp)
398 	return EIO;
399     for (;;) {
400 	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
401 	if (!entry) {
402 	    retval = ENOMEM;
403 	    break;
404 	}
405 	memset((char *)entry, 0, sizeof (*entry));
406 	memset(sname, 0, sizeof (sname));
407 	memset(sinst, 0, sizeof (sinst));
408 	memset(srealm, 0, sizeof (srealm));
409 	if (!(getstr(fp, sname, SNAME_SZ) > 0 &&
410 	      getstr(fp, sinst, INST_SZ) > 0 &&
411 	      getstr(fp, srealm, REALM_SZ) > 0 &&
412 	      fread(&kvno, 1, 1, fp) > 0 &&
413 	      fread((char *)key, sizeof (key), 1, fp) > 0))
414 	    break;
415 	entry->magic = KV5M_KEYTAB_ENTRY;
416 	entry->timestamp = 0;	/* XXX */
417 	entry->vno = kvno;
418 	retval = krb5_425_conv_principal(context,
419 					 sname, sinst, srealm,
420 					 &entry->principal);
421 	if (retval)
422 	    break;
423 	entry->key.magic = KV5M_KEYBLOCK;
424 	entry->key.enctype = ENCTYPE_DES_CBC_CRC;
425 	entry->key.length = sizeof (key);
426 	entry->key.contents = (krb5_octet *)malloc(sizeof (key));
427 	if (!entry->key.contents) {
428 	    retval = ENOMEM;
429 	    break;
430 	}
431 	memcpy((char *)entry->key.contents, (char *)key, sizeof (key));
432 	if (!lp) {		/* if list is empty, start one */
433 	    lp = (krb5_kt_list)malloc(sizeof (*lp));
434 	    if (!lp) {
435 		retval = ENOMEM;
436 		break;
437 	    }
438 	} else {
439 	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
440 	    if (!lp->next) {
441 		retval = ENOMEM;
442 		break;
443 	    }
444 	    lp = lp->next;
445 	}
446 	lp->next = NULL;
447 	lp->entry = entry;
448 	if (!tail)
449 	    tail = lp;
450     }
451     if (entry) {
452 	if (entry->magic == KV5M_KEYTAB_ENTRY)
453 	    krb5_kt_free_entry(context, entry);
454 	free((char *)entry);
455     }
456     if (retval) {
457 	ktutil_free_kt_list(context, tail);
458 	tail = NULL;
459 	if (back)
460 	    back->next = NULL;
461     }
462     if (!*list)
463 	*list = tail;
464     fclose(fp);
465     return retval;
466 }
467 
468 /*
469  * Writes a kt_list out to a krb4 srvtab file.  Note that it first
470  * prunes the kt_list so that it won't contain any keys that are not
471  * the most recent, and ignores keys that are not ENCTYPE_DES.
472  */
473 krb5_error_code ktutil_write_srvtab(context, list, name)
474     krb5_context context;
475     krb5_kt_list list;
476     char *name;
477 {
478     krb5_kt_list lp, lp1, prev, pruned = NULL;
479     krb5_error_code retval = 0;
480     FILE *fp;
481     char sname[SNAME_SZ];
482     char sinst[INST_SZ];
483     char srealm[REALM_SZ];
484 
485     /* First do heinous stuff to prune the list. */
486     for (lp = list; lp; lp = lp->next) {
487 	if ((lp->entry->key.enctype != ENCTYPE_DES_CBC_CRC) &&
488 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD5) &&
489 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD4) &&
490 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_RAW))
491 	    continue;
492 
493 	for (lp1 = pruned; lp1; prev = lp1, lp1 = lp1->next) {
494 	    /* Hunt for the current principal in the pruned list */
495 	    if (krb5_principal_compare(context,
496 				       lp->entry->principal,
497 				       lp1->entry->principal))
498 		    break;
499 	}
500 	if (!lp1) {		/* need to add entry to tail of pruned list */
501 	    if (!pruned) {
502 		pruned = (krb5_kt_list) malloc(sizeof (*pruned));
503 		if (!pruned)
504 		    return ENOMEM;
505 		memset((char *) pruned, 0, sizeof(*pruned));
506 		lp1 = pruned;
507 	    } else {
508 		prev->next
509 		    = (krb5_kt_list) malloc(sizeof (*pruned));
510 		if (!prev->next) {
511 		    retval = ENOMEM;
512 		    goto free_pruned;
513 		}
514 		memset((char *) prev->next, 0, sizeof(*pruned));
515 		lp1 = prev->next;
516 	    }
517 	    lp1->entry = lp->entry;
518 	} else {
519 	    /* This heuristic should be roughly the same as in the
520 	       keytab-reading code in libkrb5.  */
521 	    int offset = 0;
522 	    if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
523 		offset = 128;
524 	    }
525 #define M(X) (((X) + offset) % 256)
526 	    if (M(lp1->entry->vno) < M(lp->entry->vno))
527 		/* Check if lp->entry is newer kvno; if so, update */
528 		lp1->entry = lp->entry;
529 	}
530     }
531     umask(0077); /*Changing umask for all of ktutil is OK
532 		  * We don't ever write out anything that should use
533 		  * default umask.*/
534     fp = fopen(name, "w");
535     if (!fp) {
536 	retval = EIO;
537 	goto free_pruned;
538     }
539     for (lp = pruned; lp; lp = lp->next) {
540 	unsigned char  kvno;
541 	kvno = (unsigned char) lp->entry->vno;
542 	retval = krb5_524_conv_principal(context,
543 					 lp->entry->principal,
544 					 sname, sinst, srealm);
545 	if (retval)
546 	    break;
547 	fwrite(sname, strlen(sname) + 1, 1, fp);
548 	fwrite(sinst, strlen(sinst) + 1, 1, fp);
549 	fwrite(srealm, strlen(srealm) + 1, 1, fp);
550 	fwrite((char *)&kvno, 1, 1, fp);
551 	fwrite((char *)lp->entry->key.contents,
552 	       sizeof (des_cblock), 1, fp);
553     }
554     fclose(fp);
555  free_pruned:
556     /*
557      * Loop over and free the pruned list; don't use free_kt_list
558      * because that kills the entries.
559      */
560     for (lp = pruned; lp;) {
561 	prev = lp;
562 	lp = lp->next;
563 	free((char *)prev);
564     }
565     return retval;
566 }
567 #endif /* KRB5_KRB4_COMPAT */
568