xref: /illumos-gate/usr/src/lib/krb5/kdb/kdb_cpw.c (revision 4de2612967d06c4fdbf524a62556a1e8118a006f)
1 /*
2  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 #pragma ident	"%Z%%M%	%I%	%E% SMI"
6 
7 /*
8  * lib/kdb/kdb_cpw.c
9  *
10  * Copyright 1995 by the Massachusetts Institute of Technology.
11  * All Rights Reserved.
12  *
13  * Export of this software from the United States of America may
14  *   require a specific license from the United States Government.
15  *   It is the responsibility of any person or organization contemplating
16  *   export to obtain such a license before exporting.
17  *
18  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19  * distribute this software and its documentation for any purpose and
20  * without fee is hereby granted, provided that the above copyright
21  * notice appear in all copies and that both that copyright notice and
22  * this permission notice appear in supporting documentation, and that
23  * the name of M.I.T. not be used in advertising or publicity pertaining
24  * to distribution of the software without specific, written prior
25  * permission.  Furthermore if you modify this software you must label
26  * your software as modified software and not distribute it in such a
27  * fashion that it might be confused with the original M.I.T. software.
28  * M.I.T. makes no representations about the suitability of
29  * this software for any purpose.  It is provided "as is" without express
30  * or implied warranty.
31  *
32  */
33 
34 /*
35  * Copyright (C) 1998 by the FundsXpress, INC.
36  *
37  * All rights reserved.
38  *
39  * Export of this software from the United States of America may require
40  * a specific license from the United States Government.  It is the
41  * responsibility of any person or organization contemplating export to
42  * obtain such a license before exporting.
43  *
44  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45  * distribute this software and its documentation for any purpose and
46  * without fee is hereby granted, provided that the above copyright
47  * notice appear in all copies and that both that copyright notice and
48  * this permission notice appear in supporting documentation, and that
49  * the name of FundsXpress. not be used in advertising or publicity pertaining
50  * to distribution of the software without specific, written prior
51  * permission.  FundsXpress makes no representations about the suitability of
52  * this software for any purpose.  It is provided "as is" without express
53  * or implied warranty.
54  *
55  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
56  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
57  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
58  */
59 
60 #include "k5-int.h"
61 #include "krb5/adm.h"
62 #include <stdio.h>
63 #include <errno.h>
64 
65 static int
66 get_key_data_kvno(context, count, data)
67     krb5_context	  context;
68     int			  count;
69     krb5_key_data	* data;
70 {
71     int i, kvno;
72     /* Find last key version number */
73     for (kvno = i = 0; i < count; i++) {
74 	if (kvno < data[i].key_data_kvno) {
75 	    kvno = data[i].key_data_kvno;
76 	}
77     }
78     return(kvno);
79 }
80 
81 static void
82 cleanup_key_data(context, count, data)
83     krb5_context	  context;
84     int			  count;
85     krb5_key_data	* data;
86 {
87     int i, j;
88 
89     for (i = 0; i < count; i++) {
90 	for (j = 0; j < data[i].key_data_ver; j++) {
91 	    if (data[i].key_data_length[j]) {
92 	    	free(data[i].key_data_contents[j]);
93 	    }
94 	}
95     }
96     free(data);
97 }
98 
99 static krb5_error_code
100 add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
101     krb5_context	  context;
102     krb5_keyblock       * master_key;
103     krb5_key_salt_tuple	* ks_tuple;
104     int			  ks_tuple_count;
105     krb5_db_entry	* db_entry;
106     int			  kvno;
107 {
108     krb5_principal	  krbtgt_princ;
109     krb5_keyblock	  key;
110     krb5_db_entry	  krbtgt_entry;
111     krb5_key_data	* krbtgt_kdata;
112     krb5_boolean	  more;
113     int			  max_kvno, one, i, j;
114     krb5_error_code	  retval;
115 
116     retval = krb5_build_principal_ext(context, &krbtgt_princ,
117 				      db_entry->princ->realm.length,
118 				      db_entry->princ->realm.data,
119 				      KRB5_TGS_NAME_SIZE,
120 				      KRB5_TGS_NAME,
121 				      db_entry->princ->realm.length,
122 				      db_entry->princ->realm.data,
123 				      0);
124     if (retval)
125 	return retval;
126 
127     /* Get tgt from database */
128     retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry,
129 				   &one, &more);
130     krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */
131     if (retval)
132 	return(retval);
133     if ((one > 1) || (more)) {
134 	krb5_db_free_principal(context, &krbtgt_entry, one);
135 	return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
136     }
137     if (!one)
138 	return KRB5_KDB_NOENTRY;
139 
140     /* Get max kvno */
141     for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) {
142 	 if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) {
143 	     max_kvno = krbtgt_entry.key_data[j].key_data_kvno;
144 	}
145     }
146 
147     for (i = 0; i < ks_tuple_count; i++) {
148 	krb5_boolean similar;
149 
150 	similar = 0;
151 
152 	/*
153 	 * We could use krb5_keysalt_iterate to replace this loop, or use
154 	 * krb5_keysalt_is_present for the loop below, but we want to avoid
155 	 * circular library dependencies.
156 	 */
157 	for (j = 0; j < i; j++) {
158 	    if ((retval = krb5_c_enctype_compare(context,
159 						 ks_tuple[i].ks_enctype,
160 						 ks_tuple[j].ks_enctype,
161 						 &similar)))
162 		return(retval);
163 
164 	    if (similar)
165 		break;
166 	}
167 
168 	if (similar)
169 	    continue;
170 
171         if (retval = krb5_dbe_create_key_data(context, db_entry))
172 	    goto add_key_rnd_err;
173 
174 	/* there used to be code here to extract the old key, and derive
175 	   a new key from it.  Now that there's a unified prng, that isn't
176 	   necessary. */
177 
178 	/* make new key */
179 	if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype,
180 					     &key)))
181 	    goto add_key_rnd_err;
182 
183     	retval = krb5_dbekd_encrypt_key_data(context, master_key,
184 					     &key, NULL, kvno,
185 					     &db_entry->key_data[db_entry->n_key_data-1]);
186 
187 	krb5_free_keyblock_contents(context, &key);
188 
189 	if (retval)
190 	    goto add_key_rnd_err;
191     }
192 
193 add_key_rnd_err:
194     krb5_db_free_principal(context, &krbtgt_entry, one);
195 
196     return(retval);
197 }
198 
199 /*
200  * Change random key for a krb5_db_entry
201  * Assumes the max kvno
202  *
203  * As a side effect all old keys are nuked if keepold is false.
204  */
205 krb5_error_code
206 krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, keepold, db_entry)
207     krb5_context	  context;
208     krb5_keyblock       * master_key;
209     krb5_key_salt_tuple	* ks_tuple;
210     int			  ks_tuple_count;
211     krb5_boolean	  keepold;
212     krb5_db_entry	* db_entry;
213 {
214     int 		  key_data_count;
215     int			  n_new_key_data;
216     krb5_key_data 	* key_data;
217     krb5_error_code	  retval;
218     int			  kvno;
219     int			  i;
220 
221     /* First save the old keydata */
222     kvno = get_key_data_kvno(context, db_entry->n_key_data, db_entry->key_data);
223     key_data_count = db_entry->n_key_data;
224     key_data = db_entry->key_data;
225     db_entry->key_data = NULL;
226     db_entry->n_key_data = 0;
227 
228     /* increment the kvno */
229     kvno++;
230 
231     retval = add_key_rnd(context, master_key, ks_tuple,
232 			 ks_tuple_count, db_entry, kvno);
233     if (retval) {
234 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
235 	db_entry->n_key_data = key_data_count;
236 	db_entry->key_data = key_data;
237     } else if (keepold) {
238 	n_new_key_data = db_entry->n_key_data;
239 	for (i = 0; i < key_data_count; i++) {
240 	    retval = krb5_dbe_create_key_data(context, db_entry);
241 	    if (retval) {
242 		cleanup_key_data(context, db_entry->n_key_data,
243 				 db_entry->key_data);
244 		break;
245 	    }
246 	    db_entry->key_data[i+n_new_key_data] = key_data[i];
247 	    memset(&key_data[i], 0, sizeof(krb5_key_data));
248 	}
249     } else {
250 	cleanup_key_data(context, key_data_count, key_data);
251     }
252     return(retval);
253 }
254 
255 /*
256  * Add random key for a krb5_db_entry
257  * Assumes the max kvno
258  *
259  * As a side effect all old keys older than the max kvno are nuked.
260  */
261 krb5_error_code
262 krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry)
263     krb5_context	  context;
264     krb5_keyblock       * master_key;
265     krb5_key_salt_tuple	* ks_tuple;
266     int			  ks_tuple_count;
267     krb5_db_entry	* db_entry;
268 {
269     int 		  key_data_count;
270     krb5_key_data 	* key_data;
271     krb5_error_code	  retval;
272     int			  kvno;
273     int			  i;
274 
275     /* First save the old keydata */
276     kvno = get_key_data_kvno(context, db_entry->n_key_data, db_entry->key_data);
277     key_data_count = db_entry->n_key_data;
278     key_data = db_entry->key_data;
279     db_entry->key_data = NULL;
280     db_entry->n_key_data = 0;
281 
282     /* increment the kvno */
283     kvno++;
284 
285     if (retval = add_key_rnd(context, master_key, ks_tuple,
286 			     ks_tuple_count, db_entry, kvno)) {
287 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
288 	db_entry->n_key_data = key_data_count;
289 	db_entry->key_data = key_data;
290     } else {
291 	/* Copy keys with key_data_kvno == kvno - 1 ( = old kvno ) */
292 	for (i = 0; i < key_data_count; i++) {
293 	    if (key_data[i].key_data_kvno == (kvno - 1)) {
294 		if (retval = krb5_dbe_create_key_data(context, db_entry)) {
295 		    cleanup_key_data(context, db_entry->n_key_data,
296 				     db_entry->key_data);
297 		    break;
298 		}
299 		/* We should decrypt/re-encrypt the data to use the same mkvno*/
300 		db_entry->key_data[db_entry->n_key_data - 1] = key_data[i];
301 		memset(&key_data[i], 0, sizeof(krb5_key_data));
302 	    }
303 	}
304 	cleanup_key_data(context, key_data_count, key_data);
305     }
306     return(retval);
307 }
308 
309 /*
310  * Add key_data for a krb5_db_entry
311  * If passwd is NULL the assumes that the caller wants a random password.
312  */
313 static krb5_error_code
314 add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
315 	    db_entry, kvno)
316     krb5_context	  context;
317     krb5_keyblock       * master_key;
318     krb5_key_salt_tuple	* ks_tuple;
319     int			  ks_tuple_count;
320     char 		* passwd;
321     krb5_db_entry	* db_entry;
322     int			  kvno;
323 {
324     krb5_error_code	  retval;
325     krb5_keysalt	  key_salt;
326     krb5_keyblock	  key;
327     krb5_data	  	  pwd;
328     krb5_boolean	  found;
329     int			  i, j;
330 
331     retval = 0;
332     for (i = 0; i < ks_tuple_count; i++) {
333 	krb5_boolean similar;
334 
335 	similar = 0;
336 
337 	/*
338 	 * We could use krb5_keysalt_iterate to replace this loop, or use
339 	 * krb5_keysalt_is_present for the loop below, but we want to avoid
340 	 * circular library dependencies.
341 	 */
342 	for (j = 0; j < i; j++) {
343 	    if ((retval = krb5_c_enctype_compare(context,
344 						 ks_tuple[i].ks_enctype,
345 						 ks_tuple[j].ks_enctype,
346 						 &similar)))
347 		return(retval);
348 
349 	    if (similar &&
350 		(ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
351 		break;
352 	}
353 
354 	if (j < i)
355 	    continue;
356 
357 	if (retval = krb5_dbe_create_key_data(context, db_entry))
358 	    return(retval);
359 
360 	/* Convert password string to key using appropriate salt */
361 	switch (key_salt.type = ks_tuple[i].ks_salttype) {
362     	case KRB5_KDB_SALTTYPE_ONLYREALM: {
363             krb5_data * saltdata;
364             if (retval = krb5_copy_data(context, krb5_princ_realm(context,
365 					db_entry->princ), &saltdata))
366 	 	return(retval);
367 
368 	    key_salt.data = *saltdata;
369 	    krb5_xfree(saltdata);
370 	}
371 		break;
372     	case KRB5_KDB_SALTTYPE_NOREALM:
373             if (retval=krb5_principal2salt_norealm(context, db_entry->princ,
374                                                          &key_salt.data))
375 		return(retval);
376             break;
377 	case KRB5_KDB_SALTTYPE_NORMAL:
378             if (retval = krb5_principal2salt(context, db_entry->princ,
379 					         &key_salt.data))
380 		return(retval);
381             break;
382     	case KRB5_KDB_SALTTYPE_V4:
383             key_salt.data.length = 0;
384             key_salt.data.data = 0;
385             break;
386     	case KRB5_KDB_SALTTYPE_AFS3: {
387 #if 0
388             krb5_data * saltdata;
389             if (retval = krb5_copy_data(context, krb5_princ_realm(context,
390 					db_entry->princ), &saltdata))
391 	 	return(retval);
392 
393 	    key_salt.data = *saltdata;
394 	    key_salt.data.length = -1; /*length actually used below...*/
395 	    krb5_xfree(saltdata);
396 #else
397 	    /* Why do we do this? Well, the afs_mit_string_to_key needs to
398 	       use strlen, and the realm is not NULL terminated.... */
399 	    int slen = (*krb5_princ_realm(context,db_entry->princ)).length;
400 	    if(!(key_salt.data.data = (char *) malloc(slen+1)))
401 	        return ENOMEM;
402 	    key_salt.data.data[slen] = 0;
403 	    memcpy((char *)key_salt.data.data,
404 		   (char *)(*krb5_princ_realm(context,db_entry->princ)).data,
405 		   slen);
406 	    key_salt.data.length = -1; /*length actually used below...*/
407 #endif
408 
409 	}
410 		break;
411 	default:
412 	    return(KRB5_KDB_BAD_SALTTYPE);
413 	}
414 
415     	pwd.data = passwd;
416     	pwd.length = strlen(passwd);
417 
418 	memset(&key, 0, sizeof (krb5_keyblock));
419 
420 	if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype,
421 					   &pwd, &key_salt.data, &key))) {
422 	     if (key_salt.data.data)
423 		  free(key_salt.data.data);
424 	     return(retval);
425 	}
426 
427 	if (key_salt.data.length == -1)
428 	    key_salt.data.length =
429 	      krb5_princ_realm(context, db_entry->princ)->length;
430 
431 	if (retval = krb5_dbekd_encrypt_key_data(context, master_key, &key,
432 		     (const krb5_keysalt *)&key_salt,
433 		     kvno, &db_entry->key_data[db_entry->n_key_data-1])) {
434 	    if (key_salt.data.data)
435 		 free(key_salt.data.data);
436 
437 	    krb5_free_keyblock_contents(context, &key);
438 	    return(retval);
439 	}
440 	if (key_salt.data.data)
441 	     free(key_salt.data.data);
442 
443 	krb5_free_keyblock_contents(context, &key);
444     }
445     return(retval);
446 }
447 
448 /*
449  * Change password for a krb5_db_entry
450  * Assumes the max kvno
451  *
452  * As a side effect all old keys are nuked if keepold is false.
453  */
454 krb5_error_code
455 krb5_dbe_cpw(context, master_key, ks_tuple, ks_tuple_count, passwd,
456 	     new_kvno, keepold, db_entry)
457     krb5_context	  context;
458     krb5_keyblock       * master_key;
459     krb5_key_salt_tuple	* ks_tuple;
460     int			  ks_tuple_count;
461     char 		* passwd;
462     int			  new_kvno;
463     krb5_boolean	  keepold;
464     krb5_db_entry	* db_entry;
465 {
466     int 		  key_data_count;
467     int			  n_new_key_data;
468     krb5_key_data 	* key_data;
469     krb5_error_code	  retval;
470     int			  old_kvno;
471     int			  i;
472 
473     /* First save the old keydata */
474     old_kvno = get_key_data_kvno(context, db_entry->n_key_data,
475 				 db_entry->key_data);
476     key_data_count = db_entry->n_key_data;
477     key_data = db_entry->key_data;
478     db_entry->key_data = NULL;
479     db_entry->n_key_data = 0;
480 
481     /* increment the kvno.  if the requested kvno is too small,
482        increment the old kvno */
483     if (new_kvno < old_kvno+1)
484        new_kvno = old_kvno+1;
485 
486     retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
487 			 passwd, db_entry, new_kvno);
488     if (retval) {
489 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
490 	db_entry->n_key_data = key_data_count;
491 	db_entry->key_data = key_data;
492     } else if (keepold) {
493 	n_new_key_data = db_entry->n_key_data;
494 	for (i = 0; i < key_data_count; i++) {
495 	    retval = krb5_dbe_create_key_data(context, db_entry);
496 	    if (retval) {
497 		cleanup_key_data(context, db_entry->n_key_data,
498 				 db_entry->key_data);
499 		break;
500 	    }
501 	    db_entry->key_data[i+n_new_key_data] = key_data[i];
502 	    memset(&key_data[i], 0, sizeof(krb5_key_data));
503 	}
504     } else {
505 	cleanup_key_data(context, key_data_count, key_data);
506     }
507     return(retval);
508 }
509 
510 /*
511  * Add password for a krb5_db_entry
512  * Assumes the max kvno
513  *
514  * As a side effect all old keys older than the max kvno are nuked.
515  */
516 krb5_error_code
517 krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry)
518     krb5_context	  context;
519     krb5_keyblock       * master_key;
520     krb5_key_salt_tuple	* ks_tuple;
521     int			  ks_tuple_count;
522     char 		* passwd;
523     krb5_db_entry	* db_entry;
524 {
525     int 		  key_data_count;
526     krb5_key_data 	* key_data;
527     krb5_error_code	  retval;
528     int			  old_kvno, new_kvno;
529     int			  i;
530 
531     /* First save the old keydata */
532     old_kvno = get_key_data_kvno(context, db_entry->n_key_data,
533 				 db_entry->key_data);
534     key_data_count = db_entry->n_key_data;
535     key_data = db_entry->key_data;
536     db_entry->key_data = NULL;
537     db_entry->n_key_data = 0;
538 
539     /* increment the kvno */
540     new_kvno = old_kvno+1;
541 
542     if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
543 			     passwd, db_entry, new_kvno)) {
544 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
545 	db_entry->n_key_data = key_data_count;
546 	db_entry->key_data = key_data;
547     } else {
548 	/* Copy keys with key_data_kvno == old_kvno */
549 	for (i = 0; i < key_data_count; i++) {
550 	    if (key_data[i].key_data_kvno == old_kvno) {
551 		if (retval = krb5_dbe_create_key_data(context, db_entry)) {
552 		    cleanup_key_data(context, db_entry->n_key_data,
553 				     db_entry->key_data);
554 		    break;
555 		}
556 		/* We should decrypt/re-encrypt the data to use the same mkvno*/
557 		db_entry->key_data[db_entry->n_key_data - 1] = key_data[i];
558 		memset(&key_data[i], 0, sizeof(krb5_key_data));
559 	    }
560 	}
561 	cleanup_key_data(context, key_data_count, key_data);
562     }
563     return(retval);
564 }
565