keytab.c revision 102644
1/* 2 * Copyright (c) 1997 - 2002 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "krb5_locl.h" 35 36RCSID("$Id: keytab.c,v 1.53 2002/03/10 23:14:12 assar Exp $"); 37 38/* 39 * Register a new keytab in `ops' 40 * Return 0 or an error. 41 */ 42 43krb5_error_code 44krb5_kt_register(krb5_context context, 45 const krb5_kt_ops *ops) 46{ 47 struct krb5_keytab_data *tmp; 48 49 tmp = realloc(context->kt_types, 50 (context->num_kt_types + 1) * sizeof(*context->kt_types)); 51 if(tmp == NULL) { 52 krb5_set_error_string(context, "malloc: out of memory"); 53 return ENOMEM; 54 } 55 memcpy(&tmp[context->num_kt_types], ops, 56 sizeof(tmp[context->num_kt_types])); 57 context->kt_types = tmp; 58 context->num_kt_types++; 59 return 0; 60} 61 62/* 63 * Resolve the keytab name (of the form `type:residual') in `name' 64 * into a keytab in `id'. 65 * Return 0 or an error 66 */ 67 68krb5_error_code 69krb5_kt_resolve(krb5_context context, 70 const char *name, 71 krb5_keytab *id) 72{ 73 krb5_keytab k; 74 int i; 75 const char *type, *residual; 76 size_t type_len; 77 krb5_error_code ret; 78 79 residual = strchr(name, ':'); 80 if(residual == NULL) { 81 type = "FILE"; 82 type_len = strlen(type); 83 residual = name; 84 } else { 85 type = name; 86 type_len = residual - name; 87 residual++; 88 } 89 90 for(i = 0; i < context->num_kt_types; i++) { 91 if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0) 92 break; 93 } 94 if(i == context->num_kt_types) { 95 krb5_set_error_string(context, "unknown keytab type %.*s", 96 (int)type_len, type); 97 return KRB5_KT_UNKNOWN_TYPE; 98 } 99 100 k = malloc (sizeof(*k)); 101 if (k == NULL) { 102 krb5_set_error_string(context, "malloc: out of memory"); 103 return ENOMEM; 104 } 105 memcpy(k, &context->kt_types[i], sizeof(*k)); 106 k->data = NULL; 107 ret = (*k->resolve)(context, residual, k); 108 if(ret) { 109 free(k); 110 k = NULL; 111 } 112 *id = k; 113 return ret; 114} 115 116/* 117 * copy the name of the default keytab into `name'. 118 * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. 119 */ 120 121krb5_error_code 122krb5_kt_default_name(krb5_context context, char *name, size_t namesize) 123{ 124 if (strlcpy (name, context->default_keytab, namesize) >= namesize) { 125 krb5_clear_error_string (context); 126 return KRB5_CONFIG_NOTENUFSPACE; 127 } 128 return 0; 129} 130 131/* 132 * copy the name of the default modify keytab into `name'. 133 * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. 134 */ 135 136krb5_error_code 137krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize) 138{ 139 const char *kt = NULL; 140 if(context->default_keytab_modify == NULL) { 141 if(strncasecmp(context->default_keytab, "ANY:", 4) != 0) 142 kt = context->default_keytab; 143 else { 144 size_t len = strcspn(context->default_keytab + 4, ","); 145 if(len >= namesize) { 146 krb5_clear_error_string(context); 147 return KRB5_CONFIG_NOTENUFSPACE; 148 } 149 strlcpy(name, context->default_keytab + 4, namesize); 150 name[len] = '\0'; 151 return 0; 152 } 153 } else 154 kt = context->default_keytab_modify; 155 if (strlcpy (name, kt, namesize) >= namesize) { 156 krb5_clear_error_string (context); 157 return KRB5_CONFIG_NOTENUFSPACE; 158 } 159 return 0; 160} 161 162/* 163 * Set `id' to the default keytab. 164 * Return 0 or an error. 165 */ 166 167krb5_error_code 168krb5_kt_default(krb5_context context, krb5_keytab *id) 169{ 170 return krb5_kt_resolve (context, context->default_keytab, id); 171} 172 173/* 174 * Read the key identified by `(principal, vno, enctype)' from the 175 * keytab in `keyprocarg' (the default if == NULL) into `*key'. 176 * Return 0 or an error. 177 */ 178 179krb5_error_code 180krb5_kt_read_service_key(krb5_context context, 181 krb5_pointer keyprocarg, 182 krb5_principal principal, 183 krb5_kvno vno, 184 krb5_enctype enctype, 185 krb5_keyblock **key) 186{ 187 krb5_keytab keytab; 188 krb5_keytab_entry entry; 189 krb5_error_code ret; 190 191 if (keyprocarg) 192 ret = krb5_kt_resolve (context, keyprocarg, &keytab); 193 else 194 ret = krb5_kt_default (context, &keytab); 195 196 if (ret) 197 return ret; 198 199 ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry); 200 krb5_kt_close (context, keytab); 201 if (ret) 202 return ret; 203 ret = krb5_copy_keyblock (context, &entry.keyblock, key); 204 krb5_kt_free_entry(context, &entry); 205 return ret; 206} 207 208/* 209 * Retrieve the name of the keytab `keytab' into `name', `namesize' 210 * Return 0 or an error. 211 */ 212 213krb5_error_code 214krb5_kt_get_name(krb5_context context, 215 krb5_keytab keytab, 216 char *name, 217 size_t namesize) 218{ 219 return (*keytab->get_name)(context, keytab, name, namesize); 220} 221 222/* 223 * Finish using the keytab in `id'. All resources will be released. 224 * Return 0 or an error. 225 */ 226 227krb5_error_code 228krb5_kt_close(krb5_context context, 229 krb5_keytab id) 230{ 231 krb5_error_code ret; 232 233 ret = (*id->close)(context, id); 234 if(ret == 0) 235 free(id); 236 return ret; 237} 238 239/* 240 * Compare `entry' against `principal, vno, enctype'. 241 * Any of `principal, vno, enctype' might be 0 which acts as a wildcard. 242 * Return TRUE if they compare the same, FALSE otherwise. 243 */ 244 245krb5_boolean 246krb5_kt_compare(krb5_context context, 247 krb5_keytab_entry *entry, 248 krb5_const_principal principal, 249 krb5_kvno vno, 250 krb5_enctype enctype) 251{ 252 if(principal != NULL && 253 !krb5_principal_compare(context, entry->principal, principal)) 254 return FALSE; 255 if(vno && vno != entry->vno) 256 return FALSE; 257 if(enctype && enctype != entry->keyblock.keytype) 258 return FALSE; 259 return TRUE; 260} 261 262/* 263 * Retrieve the keytab entry for `principal, kvno, enctype' into `entry' 264 * from the keytab `id'. 265 * kvno == 0 is a wildcard and gives the keytab with the highest vno. 266 * Return 0 or an error. 267 */ 268 269krb5_error_code 270krb5_kt_get_entry(krb5_context context, 271 krb5_keytab id, 272 krb5_const_principal principal, 273 krb5_kvno kvno, 274 krb5_enctype enctype, 275 krb5_keytab_entry *entry) 276{ 277 krb5_keytab_entry tmp; 278 krb5_error_code ret; 279 krb5_kt_cursor cursor; 280 281 if(id->get) 282 return (*id->get)(context, id, principal, kvno, enctype, entry); 283 284 ret = krb5_kt_start_seq_get (context, id, &cursor); 285 if (ret) 286 return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */ 287 288 entry->vno = 0; 289 while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) { 290 if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) { 291 /* the file keytab might only store the lower 8 bits of 292 the kvno, so only compare those bits */ 293 if (kvno == tmp.vno 294 || (tmp.vno < 256 && kvno % 256 == tmp.vno)) { 295 krb5_kt_copy_entry_contents (context, &tmp, entry); 296 krb5_kt_free_entry (context, &tmp); 297 krb5_kt_end_seq_get(context, id, &cursor); 298 return 0; 299 } else if (kvno == 0 && tmp.vno > entry->vno) { 300 if (entry->vno) 301 krb5_kt_free_entry (context, entry); 302 krb5_kt_copy_entry_contents (context, &tmp, entry); 303 } 304 } 305 krb5_kt_free_entry(context, &tmp); 306 } 307 krb5_kt_end_seq_get (context, id, &cursor); 308 if (entry->vno) { 309 return 0; 310 } else { 311 char princ[256], kt_name[256]; 312 313 krb5_unparse_name_fixed (context, principal, princ, sizeof(princ)); 314 krb5_kt_get_name (context, id, kt_name, sizeof(kt_name)); 315 316 krb5_set_error_string (context, 317 "failed to find %s%s%d%s in keytab %s", 318 princ, 319 kvno ? "(" : "", 320 kvno, 321 kvno ? ")" : "", 322 kt_name); 323 return KRB5_KT_NOTFOUND; 324 } 325} 326 327/* 328 * Copy the contents of `in' into `out'. 329 * Return 0 or an error. */ 330 331krb5_error_code 332krb5_kt_copy_entry_contents(krb5_context context, 333 const krb5_keytab_entry *in, 334 krb5_keytab_entry *out) 335{ 336 krb5_error_code ret; 337 338 memset(out, 0, sizeof(*out)); 339 out->vno = in->vno; 340 341 ret = krb5_copy_principal (context, in->principal, &out->principal); 342 if (ret) 343 goto fail; 344 ret = krb5_copy_keyblock_contents (context, 345 &in->keyblock, 346 &out->keyblock); 347 if (ret) 348 goto fail; 349 out->timestamp = in->timestamp; 350 return 0; 351fail: 352 krb5_kt_free_entry (context, out); 353 return ret; 354} 355 356/* 357 * Free the contents of `entry'. 358 */ 359 360krb5_error_code 361krb5_kt_free_entry(krb5_context context, 362 krb5_keytab_entry *entry) 363{ 364 krb5_free_principal (context, entry->principal); 365 krb5_free_keyblock_contents (context, &entry->keyblock); 366 return 0; 367} 368 369#if 0 370static int 371xxxlock(int fd, int write) 372{ 373 if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) { 374 sleep(1); 375 if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) 376 return -1; 377 } 378 return 0; 379} 380 381static void 382xxxunlock(int fd) 383{ 384 flock(fd, LOCK_UN); 385} 386#endif 387 388/* 389 * Set `cursor' to point at the beginning of `id'. 390 * Return 0 or an error. 391 */ 392 393krb5_error_code 394krb5_kt_start_seq_get(krb5_context context, 395 krb5_keytab id, 396 krb5_kt_cursor *cursor) 397{ 398 if(id->start_seq_get == NULL) { 399 krb5_set_error_string(context, 400 "start_seq_get is not supported in the %s " 401 " keytab", id->prefix); 402 return HEIM_ERR_OPNOTSUPP; 403 } 404 return (*id->start_seq_get)(context, id, cursor); 405} 406 407/* 408 * Get the next entry from `id' pointed to by `cursor' and advance the 409 * `cursor'. 410 * Return 0 or an error. 411 */ 412 413krb5_error_code 414krb5_kt_next_entry(krb5_context context, 415 krb5_keytab id, 416 krb5_keytab_entry *entry, 417 krb5_kt_cursor *cursor) 418{ 419 if(id->next_entry == NULL) { 420 krb5_set_error_string(context, 421 "next_entry is not supported in the %s " 422 " keytab", id->prefix); 423 return HEIM_ERR_OPNOTSUPP; 424 } 425 return (*id->next_entry)(context, id, entry, cursor); 426} 427 428/* 429 * Release all resources associated with `cursor'. 430 */ 431 432krb5_error_code 433krb5_kt_end_seq_get(krb5_context context, 434 krb5_keytab id, 435 krb5_kt_cursor *cursor) 436{ 437 if(id->end_seq_get == NULL) { 438 krb5_set_error_string(context, 439 "end_seq_get is not supported in the %s " 440 " keytab", id->prefix); 441 return HEIM_ERR_OPNOTSUPP; 442 } 443 return (*id->end_seq_get)(context, id, cursor); 444} 445 446/* 447 * Add the entry in `entry' to the keytab `id'. 448 * Return 0 or an error. 449 */ 450 451krb5_error_code 452krb5_kt_add_entry(krb5_context context, 453 krb5_keytab id, 454 krb5_keytab_entry *entry) 455{ 456 if(id->add == NULL) { 457 krb5_set_error_string(context, "Add is not supported in the %s keytab", 458 id->prefix); 459 return KRB5_KT_NOWRITE; 460 } 461 entry->timestamp = time(NULL); 462 return (*id->add)(context, id,entry); 463} 464 465/* 466 * Remove the entry `entry' from the keytab `id'. 467 * Return 0 or an error. 468 */ 469 470krb5_error_code 471krb5_kt_remove_entry(krb5_context context, 472 krb5_keytab id, 473 krb5_keytab_entry *entry) 474{ 475 if(id->remove == NULL) { 476 krb5_set_error_string(context, 477 "Remove is not supported in the %s keytab", 478 id->prefix); 479 return KRB5_KT_NOWRITE; 480 } 481 return (*id->remove)(context, id, entry); 482} 483