xref: /illumos-gate/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c (revision 7ae111d47a973fff4c6e231cc31f271dd9cef473)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * kadmin/ktutil/ktutil_funcs.c
10  *
11  *(C) Copyright 1995, 1996 by the Massachusetts Institute of Technology.
12  * All Rights Reserved.
13  *
14  * Export of this software from the United States of America may
15  *   require a specific license from the United States Government.
16  *   It is the responsibility of any person or organization contemplating
17  *   export to obtain such a license before exporting.
18  *
19  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
20  * distribute this software and its documentation for any purpose and
21  * without fee is hereby granted, provided that the above copyright
22  * notice appear in all copies and that both that copyright notice and
23  * this permission notice appear in supporting documentation, and that
24  * the name of M.I.T. not be used in advertising or publicity pertaining
25  * to distribution of the software without specific, written prior
26  * permission.  Furthermore if you modify this software you must label
27  * your software as modified software and not distribute it in such a
28  * fashion that it might be confused with the original M.I.T. software.
29  * M.I.T. makes no representations about the suitability of
30  * this software for any purpose.  It is provided "as is" without express
31  * or implied warranty.
32  *
33  * Utility functions for ktutil.
34  */
35 
36 #include "k5-int.h"
37 #include "ktutil.h"
38 #ifdef KRB5_KRB4_COMPAT
39 #include "kerberosIV/krb.h"
40 #include <stdio.h>
41 #endif
42 #include <string.h>
43 #include <ctype.h>
44 #include <libintl.h>
45 
46 /*
47  * Free a kt_list
48  */
49 krb5_error_code ktutil_free_kt_list(context, list)
50     krb5_context context;
51     krb5_kt_list list;
52 {
53     krb5_kt_list lp, prev;
54     krb5_error_code retval = 0;
55 
56     for (lp = list; lp;) {
57 	retval = krb5_kt_free_entry(context, lp->entry);
58 	free((char *)lp->entry);
59 	if (retval)
60 	    break;
61 	prev = lp;
62 	lp = lp->next;
63 	free((char *)prev);
64     }
65     return retval;
66 }
67 
68 /*
69  * Delete a numbered entry in a kt_list.  Takes a pointer to a kt_list
70  * in case head gets deleted.
71  */
72 krb5_error_code ktutil_delete(context, list, index)
73     krb5_context context;
74     krb5_kt_list *list;
75     int index;
76 {
77     krb5_kt_list lp, prev;
78     int i;
79 
80     for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {
81 	if (i == index) {
82 	    if (i == 1)
83 		*list = lp->next;
84 	    else
85 		prev->next = lp->next;
86 	    lp->next = NULL;
87 	    return ktutil_free_kt_list(context, lp);
88 	}
89     }
90     return EINVAL;
91 }
92 
93 /*
94  * Create a new keytab entry and add it to the keytab list.
95  * Based on the value of use_pass, either prompt the user for a
96  * password or key.  If the keytab list is NULL, allocate a new
97  * one first.
98  */
99 krb5_error_code ktutil_add(context, list, princ_str, kvno,
100 			   enctype_str, use_pass)
101     krb5_context context;
102     krb5_kt_list *list;
103     char *princ_str;
104     krb5_kvno kvno;
105     char *enctype_str;
106     int use_pass;
107 {
108     krb5_keytab_entry *entry;
109     krb5_kt_list lp = NULL, prev = NULL;
110     krb5_principal princ;
111     krb5_enctype enctype;
112     krb5_timestamp now;
113     krb5_error_code retval;
114     krb5_data password, salt;
115     krb5_keyblock key;
116     char buf[BUFSIZ];
117     char promptstr[1024];
118 
119     char *cp;
120     int i, tmp, pwsize = BUFSIZ;
121 
122     retval = krb5_parse_name(context, princ_str, &princ);
123     if (retval)
124         return retval;
125     /* now unparse in order to get the default realm appended
126        to princ_str, if no realm was specified */
127     retval = krb5_unparse_name(context, princ, &princ_str);
128     if (retval)
129         return retval;
130     retval = krb5_string_to_enctype(enctype_str, &enctype);
131     if (retval)
132         return KRB5_BAD_ENCTYPE;
133     retval = krb5_timeofday(context, &now);
134     if (retval)
135         return retval;
136 
137     if (*list) {
138         /* point lp at the tail of the list */
139         for (lp = *list; lp->next; lp = lp->next);
140     }
141     entry = (krb5_keytab_entry *) malloc(sizeof(krb5_keytab_entry));
142     if (!entry) {
143         return ENOMEM;
144     }
145     memset((char *) entry, 0, sizeof(*entry));
146 
147     if (!lp) {		/* if list is empty, start one */
148         lp = (krb5_kt_list) malloc(sizeof(*lp));
149 	if (!lp) {
150 	    return ENOMEM;
151 	}
152     } else {
153         lp->next = (krb5_kt_list) malloc(sizeof(*lp));
154 	if (!lp->next) {
155 	    return ENOMEM;
156 	}
157 	prev = lp;
158 	lp = lp->next;
159     }
160     lp->next = NULL;
161     lp->entry = entry;
162 
163     if (use_pass) {
164         password.length = pwsize;
165 	password.data = (char *) malloc(pwsize);
166 	if (!password.data) {
167 	    retval = ENOMEM;
168 	    goto cleanup;
169 	}
170 
171 	(void) snprintf(promptstr, sizeof(promptstr),
172 		gettext("Password for %.1000s"), princ_str);
173         retval = krb5_read_password(context, promptstr, NULL, password.data,
174 				    &password.length);
175 	if (retval)
176 	    goto cleanup;
177 	retval = krb5_principal2salt(context, princ, &salt);
178 	if (retval)
179 	    goto cleanup;
180 	retval = krb5_c_string_to_key(context, enctype, &password,
181 				      &salt, &key);
182 	if (retval)
183 	    goto cleanup;
184 	memset(password.data, 0, password.length);
185 	password.length = 0;
186 	memcpy(&lp->entry->key, &key, sizeof(krb5_keyblock));
187     } else {
188         printf(gettext("Key for %s (hex): "), princ_str);
189 	fgets(buf, BUFSIZ, stdin);
190 	/*
191 	 * We need to get rid of the trailing '\n' from fgets.
192 	 * If we have an even number of hex digits (as we should),
193 	 * write a '\0' over the '\n'.  If for some reason we have
194 	 * an odd number of hex digits, force an even number of hex
195 	 * digits by writing a '0' into the last position (the string
196 	 * will still be null-terminated).
197 	 */
198 	buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0';
199 	if (strlen(buf) == 0) {
200 	    fprintf(stderr, "addent: %s", gettext("Error reading key.\n"));
201 	    retval = 0;
202 	    goto cleanup;
203 	}
204 
205         lp->entry->key.enctype = enctype;
206 	lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2);
207 	if (!lp->entry->key.contents) {
208 	    retval = ENOMEM;
209 	    goto cleanup;
210 	}
211 
212 	i = 0;
213 	for (cp = buf; *cp; cp += 2) {
214 	    if (!isxdigit(cp[0]) || !isxdigit(cp[1])) {
215 	        fprintf(stderr, "addent: %s",
216 			gettext("Illegal character in key.\n"));
217 		retval = 0;
218 		goto cleanup;
219 	    }
220 	    sscanf(cp, "%02x", &tmp);
221 	    lp->entry->key.contents[i++] = (krb5_octet) tmp;
222 	}
223 	lp->entry->key.length = i;
224     }
225     lp->entry->principal = princ;
226     lp->entry->vno = kvno;
227     lp->entry->timestamp = now;
228 
229     if (!*list)
230 	*list = lp;
231 
232     return 0;
233 
234  cleanup:
235     if (prev)
236         prev->next = NULL;
237     ktutil_free_kt_list(context, lp);
238     return retval;
239 }
240 
241 /*
242  * Read in a keytab and append it to list.  If list starts as NULL,
243  * allocate a new one if necessary.
244  */
245 krb5_error_code ktutil_read_keytab(context, name, list)
246     krb5_context context;
247     char *name;
248     krb5_kt_list *list;
249 {
250     krb5_kt_list lp = NULL, tail = NULL, back = NULL;
251     krb5_keytab kt;
252     krb5_keytab_entry *entry;
253     krb5_kt_cursor cursor;
254     krb5_error_code retval = 0;
255 
256     if (*list) {
257 	/* point lp at the tail of the list */
258 	for (lp = *list; lp->next; lp = lp->next);
259 	back = lp;
260     }
261     retval = krb5_kt_resolve(context, name, &kt);
262     if (retval)
263 	return retval;
264     retval = krb5_kt_start_seq_get(context, kt, &cursor);
265     if (retval)
266 	goto close_kt;
267     for (;;) {
268 	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
269 	if (!entry) {
270 	    retval = ENOMEM;
271 	    break;
272 	}
273 	memset((char *)entry, 0, sizeof (*entry));
274 	retval = krb5_kt_next_entry(context, kt, entry, &cursor);
275 	if (retval)
276 	    break;
277 
278 	if (!lp) {		/* if list is empty, start one */
279 	    lp = (krb5_kt_list)malloc(sizeof (*lp));
280 	    if (!lp) {
281 		retval = ENOMEM;
282 		break;
283 	    }
284 	} else {
285 	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
286 	    if (!lp->next) {
287 		retval = ENOMEM;
288 		break;
289 	    }
290 	    lp = lp->next;
291 	}
292 	if (!tail)
293 	    tail = lp;
294 	lp->next = NULL;
295 	lp->entry = entry;
296     }
297     if (entry)
298 	free((char *)entry);
299     if (retval)
300 	if (retval == KRB5_KT_END)
301 	    retval = 0;
302 	else {
303 	    ktutil_free_kt_list(context, tail);
304 	    tail = NULL;
305 	    if (back)
306 		back->next = NULL;
307 	}
308     if (!*list)
309 	*list = tail;
310     krb5_kt_end_seq_get(context, kt, &cursor);
311  close_kt:
312     krb5_kt_close(context, kt);
313     return retval;
314 }
315 
316 /*
317  * Takes a kt_list and writes it to the named keytab.
318  */
319 krb5_error_code ktutil_write_keytab(context, list, name)
320     krb5_context context;
321     krb5_kt_list list;
322     char *name;
323 {
324     krb5_kt_list lp;
325     krb5_keytab kt;
326     char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];
327     krb5_error_code retval = 0;
328 
329     strcpy(ktname, "WRFILE:");
330     if (strlen (name) >= MAXPATHLEN)
331 	return ENAMETOOLONG;
332     strncat (ktname, name, MAXPATHLEN);
333     retval = krb5_kt_resolve(context, ktname, &kt);
334     if (retval)
335 	return retval;
336     for (lp = list; lp; lp = lp->next) {
337 	retval = krb5_kt_add_entry(context, kt, lp->entry);
338 	if (retval)
339 	    break;
340     }
341     krb5_kt_close(context, kt);
342     return retval;
343 }
344 
345 #ifdef KRB5_KRB4_COMPAT
346 /*
347  * getstr() takes a file pointer, a string and a count.  It reads from
348  * the file until either it has read "count" characters, or until it
349  * reads a null byte.  When finished, what has been read exists in the
350  * given string "s".  If "count" characters were actually read, the
351  * last is changed to a null, so the returned string is always null-
352  * terminated.  getstr() returns the number of characters read,
353  * including the null terminator.
354  */
355 
356 int getstr(fp, s, n)
357     FILE *fp;
358     register char *s;
359     int n;
360 {
361     register count = n;
362     while (fread(s, 1, 1, fp) > 0 && --count)
363         if (*s++ == '\0')
364             return (n - count);
365     *s = '\0';
366     return (n - count);
367 }
368 
369 /*
370  * Read in a named krb4 srvtab and append to list.  Allocate new list
371  * if needed.
372  */
373 krb5_error_code ktutil_read_srvtab(context, name, list)
374     krb5_context context;
375     char *name;
376     krb5_kt_list *list;
377 {
378     krb5_kt_list lp = NULL, tail = NULL, back = NULL;
379     krb5_keytab_entry *entry;
380     krb5_error_code retval = 0;
381     char sname[SNAME_SZ];	/* name of service */
382     char sinst[INST_SZ];	/* instance of service */
383     char srealm[REALM_SZ];	/* realm of service */
384     unsigned char kvno;		/* key version number */
385     des_cblock key;
386     FILE *fp;
387 
388     if (*list) {
389 	/* point lp at the tail of the list */
390 	for (lp = *list; lp->next; lp = lp->next);
391 	back = lp;
392     }
393     fp = fopen(name, "r");
394     if (!fp)
395 	return EIO;
396     for (;;) {
397 	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
398 	if (!entry) {
399 	    retval = ENOMEM;
400 	    break;
401 	}
402 	memset((char *)entry, 0, sizeof (*entry));
403 	memset(sname, 0, sizeof (sname));
404 	memset(sinst, 0, sizeof (sinst));
405 	memset(srealm, 0, sizeof (srealm));
406 	if (!(getstr(fp, sname, SNAME_SZ) > 0 &&
407 	      getstr(fp, sinst, INST_SZ) > 0 &&
408 	      getstr(fp, srealm, REALM_SZ) > 0 &&
409 	      fread(&kvno, 1, 1, fp) > 0 &&
410 	      fread((char *)key, sizeof (key), 1, fp) > 0))
411 	    break;
412 	entry->magic = KV5M_KEYTAB_ENTRY;
413 	entry->timestamp = 0;	/* XXX */
414 	entry->vno = kvno;
415 	retval = krb5_425_conv_principal(context,
416 					 sname, sinst, srealm,
417 					 &entry->principal);
418 	if (retval)
419 	    break;
420 	entry->key.magic = KV5M_KEYBLOCK;
421 	entry->key.enctype = ENCTYPE_DES_CBC_CRC;
422 	entry->key.length = sizeof (key);
423 	entry->key.contents = (krb5_octet *)malloc(sizeof (key));
424 	if (!entry->key.contents) {
425 	    retval = ENOMEM;
426 	    break;
427 	}
428 	memcpy((char *)entry->key.contents, (char *)key, sizeof (key));
429 	if (!lp) {		/* if list is empty, start one */
430 	    lp = (krb5_kt_list)malloc(sizeof (*lp));
431 	    if (!lp) {
432 		retval = ENOMEM;
433 		break;
434 	    }
435 	} else {
436 	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
437 	    if (!lp->next) {
438 		retval = ENOMEM;
439 		break;
440 	    }
441 	    lp = lp->next;
442 	}
443 	lp->next = NULL;
444 	lp->entry = entry;
445 	if (!tail)
446 	    tail = lp;
447     }
448     if (entry) {
449 	if (entry->magic == KV5M_KEYTAB_ENTRY)
450 	    krb5_kt_free_entry(context, entry);
451 	free((char *)entry);
452     }
453     if (retval) {
454 	ktutil_free_kt_list(context, tail);
455 	tail = NULL;
456 	if (back)
457 	    back->next = NULL;
458     }
459     if (!*list)
460 	*list = tail;
461     fclose(fp);
462     return retval;
463 }
464 
465 /*
466  * Writes a kt_list out to a krb4 srvtab file.  Note that it first
467  * prunes the kt_list so that it won't contain any keys that are not
468  * the most recent, and ignores keys that are not ENCTYPE_DES.
469  */
470 krb5_error_code ktutil_write_srvtab(context, list, name)
471     krb5_context context;
472     krb5_kt_list list;
473     char *name;
474 {
475     krb5_kt_list lp, lp1, prev, pruned = NULL;
476     krb5_error_code retval = 0;
477     FILE *fp;
478     char sname[SNAME_SZ];
479     char sinst[INST_SZ];
480     char srealm[REALM_SZ];
481 
482     /* First do heinous stuff to prune the list. */
483     for (lp = list; lp; lp = lp->next) {
484 	if ((lp->entry->key.enctype != ENCTYPE_DES_CBC_CRC) &&
485 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD5) &&
486 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD4) &&
487 	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_RAW))
488 	    continue;
489 
490 	for (lp1 = pruned; lp1; prev = lp1, lp1 = lp1->next) {
491 	    /* Hunt for the current principal in the pruned list */
492 	    if (krb5_principal_compare(context,
493 				       lp->entry->principal,
494 				       lp1->entry->principal))
495 		    break;
496 	}
497 	if (!lp1) {		/* need to add entry to tail of pruned list */
498 	    if (!pruned) {
499 		pruned = (krb5_kt_list) malloc(sizeof (*pruned));
500 		if (!pruned)
501 		    return ENOMEM;
502 		memset((char *) pruned, 0, sizeof(*pruned));
503 		lp1 = pruned;
504 	    } else {
505 		prev->next
506 		    = (krb5_kt_list) malloc(sizeof (*pruned));
507 		if (!prev->next) {
508 		    retval = ENOMEM;
509 		    goto free_pruned;
510 		}
511 		memset((char *) prev->next, 0, sizeof(*pruned));
512 		lp1 = prev->next;
513 	    }
514 	    lp1->entry = lp->entry;
515 	} else if (lp1->entry->vno < lp->entry->vno)
516 	    /* Check if lp->entry is newer kvno; if so, update */
517 	    lp1->entry = lp->entry;
518     }
519     fp = fopen(name, "w");
520     if (!fp) {
521 	retval = EIO;
522 	goto free_pruned;
523     }
524     for (lp = pruned; lp; lp = lp->next) {
525 	unsigned char  kvno;
526 	kvno = (unsigned char) lp->entry->vno;
527 	retval = krb5_524_conv_principal(context,
528 					 lp->entry->principal,
529 					 sname, sinst, srealm);
530 	if (retval)
531 	    break;
532 	fwrite(sname, strlen(sname) + 1, 1, fp);
533 	fwrite(sinst, strlen(sinst) + 1, 1, fp);
534 	fwrite(srealm, strlen(srealm) + 1, 1, fp);
535 	fwrite((char *)&kvno, 1, 1, fp);
536 	fwrite((char *)lp->entry->key.contents,
537 	       sizeof (des_cblock), 1, fp);
538     }
539     fclose(fp);
540  free_pruned:
541     /*
542      * Loop over and free the pruned list; don't use free_kt_list
543      * because that kills the entries.
544      */
545     for (lp = pruned; lp;) {
546 	prev = lp;
547 	lp = lp->next;
548 	free((char *)prev);
549     }
550     return retval;
551 }
552 #endif /* KRB5_KRB4_COMPAT */
553