1/* 2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "krb5_locl.h" 35 36/* coverity[+alloc : arg-*3] */ 37KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 38krb5_salttype_to_string (krb5_context context, 39 krb5_enctype etype, 40 krb5_salttype stype, 41 char **string) 42{ 43 struct _krb5_encryption_type *e; 44 struct salt_type *st; 45 46 e = _krb5_find_enctype (etype); 47 if (e == NULL) { 48 krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, 49 "encryption type %d not supported", 50 etype); 51 return KRB5_PROG_ETYPE_NOSUPP; 52 } 53 for (st = e->keytype->string_to_key; st && st->type; st++) { 54 if (st->type == stype) { 55 *string = strdup (st->name); 56 if (*string == NULL) { 57 krb5_set_error_message (context, ENOMEM, 58 N_("malloc: out of memory", "")); 59 return ENOMEM; 60 } 61 return 0; 62 } 63 } 64 krb5_set_error_message (context, HEIM_ERR_SALTTYPE_NOSUPP, 65 "salttype %d not supported", stype); 66 return HEIM_ERR_SALTTYPE_NOSUPP; 67} 68 69KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 70krb5_string_to_salttype (krb5_context context, 71 krb5_enctype etype, 72 const char *string, 73 krb5_salttype *salttype) 74{ 75 struct _krb5_encryption_type *e; 76 struct salt_type *st; 77 78 e = _krb5_find_enctype (etype); 79 if (e == NULL) { 80 krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, 81 N_("encryption type %d not supported", ""), 82 etype); 83 return KRB5_PROG_ETYPE_NOSUPP; 84 } 85 for (st = e->keytype->string_to_key; st && st->type; st++) { 86 if (strcasecmp (st->name, string) == 0) { 87 *salttype = st->type; 88 return 0; 89 } 90 } 91 krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP, 92 N_("salttype %s not supported", ""), string); 93 return HEIM_ERR_SALTTYPE_NOSUPP; 94} 95 96KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 97krb5_get_pw_salt(krb5_context context, 98 krb5_const_principal principal, 99 krb5_salt *salt) 100{ 101 size_t len; 102 size_t i; 103 krb5_error_code ret; 104 char *p; 105 106 salt->salttype = KRB5_PW_SALT; 107 len = strlen(principal->realm); 108 for (i = 0; i < principal->name.name_string.len; ++i) 109 len += strlen(principal->name.name_string.val[i]); 110 ret = krb5_data_alloc (&salt->saltvalue, len); 111 if (ret) 112 return ret; 113 p = salt->saltvalue.data; 114 memcpy (p, principal->realm, strlen(principal->realm)); 115 p += strlen(principal->realm); 116 for (i = 0; i < principal->name.name_string.len; ++i) { 117 memcpy (p, 118 principal->name.name_string.val[i], 119 strlen(principal->name.name_string.val[i])); 120 p += strlen(principal->name.name_string.val[i]); 121 } 122 return 0; 123} 124 125KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 126krb5_free_salt(krb5_context context, 127 krb5_salt salt) 128{ 129 krb5_data_free(&salt.saltvalue); 130 return 0; 131} 132 133KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 134krb5_string_to_key_data (krb5_context context, 135 krb5_enctype enctype, 136 krb5_data password, 137 krb5_principal principal, 138 krb5_keyblock *key) 139{ 140 krb5_error_code ret; 141 krb5_salt salt; 142 143 ret = krb5_get_pw_salt(context, principal, &salt); 144 if(ret) 145 return ret; 146 ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key); 147 krb5_free_salt(context, salt); 148 return ret; 149} 150 151KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 152krb5_string_to_key (krb5_context context, 153 krb5_enctype enctype, 154 const char *password, 155 krb5_principal principal, 156 krb5_keyblock *key) 157{ 158 krb5_data pw; 159 pw.data = rk_UNCONST(password); 160 pw.length = strlen(password); 161 return krb5_string_to_key_data(context, enctype, pw, principal, key); 162} 163 164KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 165krb5_string_to_key_data_salt (krb5_context context, 166 krb5_enctype enctype, 167 krb5_data password, 168 krb5_salt salt, 169 krb5_keyblock *key) 170{ 171 krb5_data opaque; 172 krb5_data_zero(&opaque); 173 return krb5_string_to_key_data_salt_opaque(context, enctype, password, 174 salt, opaque, key); 175} 176 177/* 178 * Do a string -> key for encryption type `enctype' operation on 179 * `password' (with salt `salt' and the enctype specific data string 180 * `opaque'), returning the resulting key in `key' 181 */ 182 183KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 184krb5_string_to_key_data_salt_opaque (krb5_context context, 185 krb5_enctype enctype, 186 krb5_data password, 187 krb5_salt salt, 188 krb5_data opaque, 189 krb5_keyblock *key) 190{ 191 struct _krb5_encryption_type *et =_krb5_find_enctype(enctype); 192 struct salt_type *st; 193 if(et == NULL) { 194 krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, 195 N_("encryption type %d not supported", ""), 196 enctype); 197 return KRB5_PROG_ETYPE_NOSUPP; 198 } 199 for(st = et->keytype->string_to_key; st && st->type; st++) 200 if(st->type == salt.salttype) 201 return (*st->string_to_key)(context, enctype, password, 202 salt, opaque, key); 203 krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP, 204 N_("salt type %d not supported", ""), 205 salt.salttype); 206 return HEIM_ERR_SALTTYPE_NOSUPP; 207} 208 209/* 210 * Do a string -> key for encryption type `enctype' operation on the 211 * string `password' (with salt `salt'), returning the resulting key 212 * in `key' 213 */ 214 215KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 216krb5_string_to_key_salt (krb5_context context, 217 krb5_enctype enctype, 218 const char *password, 219 krb5_salt salt, 220 krb5_keyblock *key) 221{ 222 krb5_data pw; 223 pw.data = rk_UNCONST(password); 224 pw.length = strlen(password); 225 return krb5_string_to_key_data_salt(context, enctype, pw, salt, key); 226} 227 228KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 229krb5_string_to_key_salt_opaque (krb5_context context, 230 krb5_enctype enctype, 231 const char *password, 232 krb5_salt salt, 233 krb5_data opaque, 234 krb5_keyblock *key) 235{ 236 krb5_data pw; 237 pw.data = rk_UNCONST(password); 238 pw.length = strlen(password); 239 return krb5_string_to_key_data_salt_opaque(context, enctype, 240 pw, salt, opaque, key); 241} 242 243 244KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 245krb5_string_to_key_derived(krb5_context context, 246 const void *str, 247 size_t len, 248 krb5_enctype etype, 249 krb5_keyblock *key) 250{ 251#ifdef HEIM_KRB5_DES3 252 struct _krb5_encryption_type *et = _krb5_find_enctype(etype); 253 krb5_error_code ret; 254 struct _krb5_key_data kd; 255 size_t keylen; 256 u_char *tmp; 257 258 if(et == NULL) { 259 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, 260 N_("encryption type %d not supported", ""), 261 etype); 262 return KRB5_PROG_ETYPE_NOSUPP; 263 } 264 keylen = et->keytype->bits / 8; 265 266 ALLOC(kd.key, 1); 267 if(kd.key == NULL) { 268 krb5_set_error_message (context, ENOMEM, 269 N_("malloc: out of memory", "")); 270 return ENOMEM; 271 } 272 ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); 273 if(ret) { 274 free(kd.key); 275 return ret; 276 } 277 kd.key->keytype = etype; 278 tmp = malloc (keylen); 279 if(tmp == NULL) { 280 krb5_free_keyblock(context, kd.key); 281 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 282 return ENOMEM; 283 } 284 ret = _krb5_n_fold(str, len, tmp, keylen); 285 if (ret) { 286 free(tmp); 287 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 288 return ret; 289 } 290 kd.schedule = NULL; 291 _krb5_DES3_random_to_key(context, kd.key, tmp, keylen); 292 memset(tmp, 0, keylen); 293 free(tmp); 294 ret = _krb5_derive_key(context, 295 et, 296 &kd, 297 "kerberos", /* XXX well known constant */ 298 strlen("kerberos")); 299 if (ret) { 300 _krb5_free_key_data(context, &kd, et); 301 return ret; 302 } 303 ret = krb5_copy_keyblock_contents(context, kd.key, key); 304 _krb5_free_key_data(context, &kd, et); 305 return ret; 306#else 307 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, 308 N_("encryption type %d not supported", ""), 309 etype); 310 return KRB5_PROG_ETYPE_NOSUPP; 311#endif 312} 313