xref: /titanic_51/usr/src/lib/krb5/kdb/kdb_default.c (revision 1e49577a7fcde812700ded04431b49d67cc57d6d)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * lib/kdb/kdb_helper.c
10  *
11  * Copyright 1995 by the Massachusetts Institute of Technology.
12  * All Rights Reserved.
13  *
14  * Export of this software from the United States of America may
15  *   require a specific license from the United States Government.
16  *   It is the responsibility of any person or organization contemplating
17  *   export to obtain such a license before exporting.
18  *
19  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
20  * distribute this software and its documentation for any purpose and
21  * without fee is hereby granted, provided that the above copyright
22  * notice appear in all copies and that both that copyright notice and
23  * this permission notice appear in supporting documentation, and that
24  * the name of M.I.T. not be used in advertising or publicity pertaining
25  * to distribution of the software without specific, written prior
26  * permission.  Furthermore if you modify this software you must label
27  * your software as modified software and not distribute it in such a
28  * fashion that it might be confused with the original M.I.T. software.
29  * M.I.T. makes no representations about the suitability of
30  * this software for any purpose.  It is provided "as is" without express
31  * or implied warranty.
32  *
33  */
34 
35 #include "k5-int.h"
36 #include "kdb.h"
37 #include <string.h>
38 #include <stdio.h>
39 #include <errno.h>
40 #include <libintl.h>
41 
42 
43 /*
44  * Given a particular enctype and optional salttype and kvno, find the
45  * most appropriate krb5_key_data entry of the database entry.
46  *
47  * If stype or kvno is negative, it is ignored.
48  * If kvno is 0 get the key which is maxkvno for the princ and matches
49  * the other attributes.
50  */
51 krb5_error_code
52 krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
53     krb5_context	kcontext;
54     krb5_db_entry	*dbentp;
55     krb5_int32		*start;
56     krb5_int32		ktype;
57     krb5_int32		stype;
58     krb5_int32		kvno;
59     krb5_key_data	**kdatap;
60 {
61     int			i, idx;
62     int			maxkvno;
63     krb5_key_data	*datap;
64     krb5_error_code	ret;
65 
66     ret = 0;
67     if (kvno == -1 && stype == -1 && ktype == -1)
68 	kvno = 0;
69 
70     if (kvno == 0) {
71 	/* Get the max key version */
72 	for (i = 0; i < dbentp->n_key_data; i++) {
73 	    if (kvno < dbentp->key_data[i].key_data_kvno) {
74 		kvno = dbentp->key_data[i].key_data_kvno;
75 	    }
76 	}
77     }
78 
79     maxkvno = -1;
80     datap = (krb5_key_data *) NULL;
81     for (i = *start; i < dbentp->n_key_data; i++) {
82         krb5_boolean    similar;
83         krb5_int32      db_stype;
84 
85 	ret = 0;
86 	if (dbentp->key_data[i].key_data_ver > 1) {
87 	    db_stype = dbentp->key_data[i].key_data_type[1];
88 	} else {
89 	    db_stype = KRB5_KDB_SALTTYPE_NORMAL;
90 	}
91 
92 	/*
93 	 * Filter out non-permitted enctypes.
94 	 */
95 	if (!krb5_is_permitted_enctype(kcontext,
96 				       dbentp->key_data[i].key_data_type[0])) {
97 	    ret = KRB5_KDB_NO_PERMITTED_KEY;
98 	    continue;
99 	}
100 
101 
102 	if (ktype > 0) {
103 	    if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
104 					      dbentp->key_data[i].key_data_type[0],
105 					      &similar)))
106 
107 		return(ret);
108 	}
109 
110 	if (((ktype <= 0) || similar) &&
111 	    ((db_stype == stype) || (stype < 0))) {
112 	    if (kvno >= 0) {
113 		if (kvno == dbentp->key_data[i].key_data_kvno) {
114 		    datap = &dbentp->key_data[i];
115 		    idx = i;
116 		    maxkvno = kvno;
117 		    break;
118 		}
119 	    } else {
120 		if (dbentp->key_data[i].key_data_kvno > maxkvno) {
121 		    maxkvno = dbentp->key_data[i].key_data_kvno;
122 		    datap = &dbentp->key_data[i];
123 		    idx = i;
124 		}
125 	    }
126 	}
127     }
128     if (maxkvno < 0)
129 	return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
130     *kdatap = datap;
131     *start = idx+1;
132     return 0;
133 }
134 
135 /*
136  *  kdb default functions. Ideally, some other file should have this functions. For now, TBD.
137  */
138 #ifndef min
139 #define min(a,b) (((a) < (b)) ? (a) : (b))
140 #endif
141 
142 krb5_error_code
143 krb5_def_store_mkey(context, keyfile, mname, key, master_pwd)
144     krb5_context context;
145     char *keyfile;
146     krb5_principal mname;
147     krb5_keyblock *key;
148     char *master_pwd;
149 {
150     FILE *kf;
151     krb5_error_code retval = 0;
152     krb5_ui_2 enctype;
153     char defkeyfile[MAXPATHLEN+1];
154     krb5_data *realm = krb5_princ_realm(context, mname);
155 #if HAVE_UMASK
156     mode_t oumask;
157 #endif
158 
159     if (!keyfile) {
160 	(void) strcpy(defkeyfile, DEFAULT_KEYFILE_STUB);
161 	(void) strncat(defkeyfile, realm->data,
162 		       min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
163 			   realm->length));
164 	defkeyfile[sizeof(defkeyfile) - 1] = '\0';
165 	keyfile = defkeyfile;
166     }
167 
168 #if HAVE_UMASK
169     oumask = umask(077);
170 #endif
171 #ifdef ANSI_STDIO
172     /* Solaris Kerberos: using F to deal with 256 open file limit */
173     if (!(kf = fopen(keyfile, "wbF")))
174 #else
175     if (!(kf = fopen(keyfile, "wF")))
176 #endif
177     {
178 	int e = errno;
179 #if HAVE_UMASK
180 	(void) umask(oumask);
181 #endif
182 	krb5_set_error_message (context, e,
183 				gettext("%s accessing file '%s'"),
184 				error_message (e), keyfile);
185 	return e;
186     }
187     enctype = key->enctype;
188     if ((fwrite((krb5_pointer) &enctype,
189 		2, 1, kf) != 1) ||
190 	(fwrite((krb5_pointer) &key->length,
191 		sizeof(key->length), 1, kf) != 1) ||
192 	(fwrite((krb5_pointer) key->contents,
193 		sizeof(key->contents[0]), (unsigned) key->length,
194 		kf) != key->length)) {
195 	retval = errno;
196 	(void) fclose(kf);
197     }
198     if (fclose(kf) == EOF)
199 	retval = errno;
200 #if HAVE_UMASK
201     (void) umask(oumask);
202 #endif
203     return retval;
204 }
205 
206 
207 krb5_error_code
208 krb5_db_def_fetch_mkey( krb5_context   context,
209 			krb5_principal mname,
210 			krb5_keyblock *key,
211 			int           *kvno,
212 			char          *db_args)
213 {
214     krb5_error_code retval;
215     krb5_ui_2 enctype;
216     char defkeyfile[MAXPATHLEN+1];
217     krb5_data *realm = krb5_princ_realm(context, mname);
218     FILE *kf = NULL;
219 
220     retval = 0;
221     key->magic = KV5M_KEYBLOCK;
222     (void) strcpy(defkeyfile, DEFAULT_KEYFILE_STUB);
223     (void) strncat(defkeyfile, realm->data,
224 		   min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
225 		       realm->length));
226     defkeyfile[sizeof(defkeyfile) - 1] = '\0';
227 
228 #ifdef ANSI_STDIO
229     /* Solaris Kerberos: using F to deal with 256 open file limit */
230     if (!(kf = fopen((db_args) ? db_args : defkeyfile, "rbF")))
231 #else
232     if (!(kf = fopen((db_args) ? db_args : defkeyfile, "rF")))
233 #endif
234 	return KRB5_KDB_CANTREAD_STORED;
235 
236     if (fread((krb5_pointer) &enctype, 2, 1, kf) != 1) {
237 	retval = KRB5_KDB_CANTREAD_STORED;
238 	goto errout;
239     }
240 
241     if (key->enctype == ENCTYPE_UNKNOWN)
242 	key->enctype = enctype;
243     else if (enctype != key->enctype) {
244 	retval = KRB5_KDB_BADSTORED_MKEY;
245 	goto errout;
246     }
247 
248     if (fread((krb5_pointer) &key->length,
249 	      sizeof(key->length), 1, kf) != 1) {
250 	retval = KRB5_KDB_CANTREAD_STORED;
251 	goto errout;
252     }
253 
254     if (!key->length || ((int) key->length) < 0) {
255 	retval = KRB5_KDB_BADSTORED_MKEY;
256 	goto errout;
257     }
258 
259     if (!(key->contents = (krb5_octet *)malloc(key->length))) {
260 	retval = ENOMEM;
261 	goto errout;
262     }
263 
264     if (fread((krb5_pointer) key->contents,
265 	      sizeof(key->contents[0]), key->length, kf)
266 	!= key->length) {
267 	retval = KRB5_KDB_CANTREAD_STORED;
268 	memset(key->contents, 0,  key->length);
269 	free(key->contents);
270 	key->contents = 0;
271     } else
272 	retval = 0;
273 
274     *kvno = 0;
275 
276  errout:
277     (void) fclose(kf);
278     return retval;
279 
280 }
281 
282 
283 krb5_error_code
284 krb5_def_verify_master_key(context, mprinc, mkey)
285     krb5_context context;
286     krb5_principal mprinc;
287     krb5_keyblock *mkey;
288 {
289     krb5_error_code retval;
290     krb5_db_entry master_entry;
291     int nprinc;
292     krb5_boolean more;
293     krb5_keyblock tempkey;
294 
295     nprinc = 1;
296     if ((retval = krb5_db_get_principal(context, mprinc,
297 					&master_entry, &nprinc, &more)))
298 	return(retval);
299 
300     if (nprinc != 1) {
301 	if (nprinc)
302 	    krb5_db_free_principal(context, &master_entry, nprinc);
303 	return(KRB5_KDB_NOMASTERKEY);
304     } else if (more) {
305 	krb5_db_free_principal(context, &master_entry, nprinc);
306 	return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
307     }
308 
309     if ((retval = krb5_dbekd_decrypt_key_data(context, mkey,
310 					      &master_entry.key_data[0],
311 					      &tempkey, NULL))) {
312 	krb5_db_free_principal(context, &master_entry, nprinc);
313 	return retval;
314     }
315 
316     if (mkey->length != tempkey.length ||
317 	memcmp((char *)mkey->contents,
318 	       (char *)tempkey.contents,mkey->length)) {
319 	retval = KRB5_KDB_BADMASTERKEY;
320     }
321 
322     memset((char *)tempkey.contents, 0, tempkey.length);
323     krb5_xfree(tempkey.contents);
324     krb5_db_free_principal(context, &master_entry, nprinc);
325 
326     return retval;
327 }
328 
329 
330 krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
331 				   char *pwd,
332 				   krb5_keyblock *key )
333 {
334     /* printf("default set master key\n"); */
335     return 0;
336 }
337 
338 krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
339 				   krb5_keyblock **key )
340 {
341     /* printf("default get master key\n"); */
342     return 0;
343 }
344 
345 krb5_error_code krb5_def_promote_db (krb5_context kcontext,
346 				     char *s, char **args)
347 {
348     /* printf("default promote_db\n"); */
349     return KRB5_PLUGIN_OP_NOTSUPP;
350 }
351