Path: blob/main/crypto/krb5/src/kadmin/ktutil/ktutil_funcs.c
34889 views
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */1/* kadmin/ktutil/ktutil_funcs.c */2/*3*(C) Copyright 1995, 1996 by the Massachusetts Institute of Technology.4* All Rights Reserved.5*6* Export of this software from the United States of America may7* require a specific license from the United States Government.8* It is the responsibility of any person or organization contemplating9* export to obtain such a license before exporting.10*11* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and12* distribute this software and its documentation for any purpose and13* without fee is hereby granted, provided that the above copyright14* notice appear in all copies and that both that copyright notice and15* this permission notice appear in supporting documentation, and that16* the name of M.I.T. not be used in advertising or publicity pertaining17* to distribution of the software without specific, written prior18* permission. Furthermore if you modify this software you must label19* your software as modified software and not distribute it in such a20* fashion that it might be confused with the original M.I.T. software.21* M.I.T. makes no representations about the suitability of22* this software for any purpose. It is provided "as is" without express23* or implied warranty.24*/2526/*27* Utility functions for ktutil.28*/2930#include "k5-int.h"31#include "k5-hex.h"32#include "ktutil.h"33#include <string.h>34#include <ctype.h>3536/*37* Free a kt_list38*/39krb5_error_code40ktutil_free_kt_list(krb5_context context, krb5_kt_list list)41{42krb5_kt_list lp, prev;43krb5_error_code retval = 0;4445for (lp = list; lp;) {46retval = krb5_kt_free_entry(context, lp->entry);47free(lp->entry);48if (retval)49break;50prev = lp;51lp = lp->next;52free(prev);53}54return retval;55}5657/*58* Delete a numbered entry in a kt_list. Takes a pointer to a kt_list59* in case head gets deleted.60*/61krb5_error_code62ktutil_delete(krb5_context context, krb5_kt_list *list, int idx)63{64krb5_kt_list lp, prev;65int i;6667for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {68if (i == idx) {69if (i == 1)70*list = lp->next;71else72prev->next = lp->next;73lp->next = NULL;74return ktutil_free_kt_list(context, lp);75}76}77return EINVAL;78}7980/*81* Determine the enctype, salt, and s2kparams for princ based on the presence82* of the -f flag (fetch), the optionally specified salt string, and the83* optionally specified enctype. If the fetch flag is used, salt_str must not84* be given; if the fetch flag is not used, the enctype must be given.85*/86static krb5_error_code87get_etype_info(krb5_context context, krb5_principal princ, int fetch,88char *salt_str, krb5_enctype *enctype_inout,89krb5_data *salt_out, krb5_data *s2kparams_out)90{91krb5_error_code retval;92krb5_enctype enctype;93krb5_get_init_creds_opt *opt = NULL;94krb5_data salt;9596*salt_out = empty_data();97*s2kparams_out = empty_data();9899if (!fetch) {100/* Use the specified enctype and either the specified or default salt.101* Do not produce s2kparams. */102assert(*enctype_inout != ENCTYPE_NULL);103if (salt_str != NULL) {104salt = string2data(salt_str);105return krb5int_copy_data_contents(context, &salt, salt_out);106} else {107return krb5_principal2salt(context, princ, salt_out);108}109}110111/* Get etype-info from the KDC. */112assert(salt_str == NULL);113if (*enctype_inout != ENCTYPE_NULL) {114retval = krb5_get_init_creds_opt_alloc(context, &opt);115if (retval)116return retval;117krb5_get_init_creds_opt_set_etype_list(opt, enctype_inout, 1);118}119retval = krb5_get_etype_info(context, princ, opt, &enctype, salt_out,120s2kparams_out);121krb5_get_init_creds_opt_free(context, opt);122if (retval)123return retval;124if (enctype == ENCTYPE_NULL)125return KRB5KDC_ERR_ETYPE_NOSUPP;126127*enctype_inout = enctype;128return 0;129}130131/*132* Create a new keytab entry and add it to the keytab list.133* Based on the value of use_pass, either prompt the user for a134* password or key. If the keytab list is NULL, allocate a new135* one first.136*/137krb5_error_code138ktutil_add(krb5_context context, krb5_kt_list *list, char *princ_str,139int fetch, krb5_kvno kvno, char *enctype_str, int use_pass,140char *salt_str)141{142krb5_keytab_entry *entry = NULL;143krb5_kt_list lp, *last;144krb5_principal princ;145krb5_enctype enctype = ENCTYPE_NULL;146krb5_timestamp now;147krb5_error_code retval;148krb5_data password = empty_data(), salt = empty_data();149krb5_data params = empty_data(), *s2kparams;150krb5_keyblock key;151char buf[BUFSIZ];152char promptstr[1024];153char *princ_full = NULL;154uint8_t *keybytes;155size_t keylen;156unsigned int pwsize = BUFSIZ;157158retval = krb5_parse_name(context, princ_str, &princ);159if (retval)160goto cleanup;161/* now unparse in order to get the default realm appended162to princ_str, if no realm was specified */163retval = krb5_unparse_name(context, princ, &princ_full);164if (retval)165goto cleanup;166if (enctype_str != NULL) {167retval = krb5_string_to_enctype(enctype_str, &enctype);168if (retval) {169retval = KRB5_BAD_ENCTYPE;170goto cleanup;171}172}173retval = krb5_timeofday(context, &now);174if (retval)175goto cleanup;176177entry = k5alloc(sizeof(*entry), &retval);178if (entry == NULL)179goto cleanup;180181if (use_pass) {182retval = alloc_data(&password, pwsize);183if (retval)184goto cleanup;185186snprintf(promptstr, sizeof(promptstr), _("Password for %.1000s"),187princ_full);188retval = krb5_read_password(context, promptstr, NULL, password.data,189&password.length);190if (retval)191goto cleanup;192193retval = get_etype_info(context, princ, fetch, salt_str,194&enctype, &salt, ¶ms);195if (retval)196goto cleanup;197s2kparams = (params.length > 0) ? ¶ms : NULL;198retval = krb5_c_string_to_key_with_params(context, enctype, &password,199&salt, s2kparams, &key);200if (retval)201goto cleanup;202entry->key = key;203} else {204printf(_("Key for %s (hex): "), princ_full);205fgets(buf, BUFSIZ, stdin);206/*207* We need to get rid of the trailing '\n' from fgets.208* If we have an even number of hex digits (as we should),209* write a '\0' over the '\n'. If for some reason we have210* an odd number of hex digits, force an even number of hex211* digits by writing a '0' into the last position (the string212* will still be null-terminated).213*/214buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0';215if (strlen(buf) == 0) {216fprintf(stderr, _("addent: Error reading key.\n"));217retval = 0;218goto cleanup;219}220221retval = k5_hex_decode(buf, &keybytes, &keylen);222if (retval) {223if (retval == EINVAL) {224fprintf(stderr, _("addent: Illegal character in key.\n"));225retval = 0;226}227goto cleanup;228}229230entry->key.enctype = enctype;231entry->key.contents = keybytes;232entry->key.length = keylen;233}234entry->principal = princ;235entry->vno = kvno;236entry->timestamp = now;237238/* Add entry to the end of the list (or create a new list if empty). */239lp = k5alloc(sizeof(*lp), &retval);240if (lp == NULL)241goto cleanup;242lp->next = NULL;243lp->entry = entry;244entry = NULL;245for (last = list; *last != NULL; last = &(*last)->next);246*last = lp;247248cleanup:249krb5_free_keytab_entry_contents(context, entry);250free(entry);251zapfree(password.data, password.length);252krb5_free_data_contents(context, &salt);253krb5_free_data_contents(context, ¶ms);254krb5_free_unparsed_name(context, princ_full);255return retval;256}257258/*259* Read in a keytab and append it to list. If list starts as NULL,260* allocate a new one if necessary.261*/262krb5_error_code263ktutil_read_keytab(krb5_context context, char *name, krb5_kt_list *list)264{265krb5_kt_list lp = NULL, tail = NULL, back = NULL;266krb5_keytab kt;267krb5_keytab_entry *entry;268krb5_kt_cursor cursor;269krb5_error_code retval = 0;270271if (*list) {272/* point lp at the tail of the list */273for (lp = *list; lp->next; lp = lp->next);274back = lp;275}276retval = krb5_kt_resolve(context, name, &kt);277if (retval)278return retval;279retval = krb5_kt_start_seq_get(context, kt, &cursor);280if (retval)281goto close_kt;282for (;;) {283entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));284if (!entry) {285retval = ENOMEM;286break;287}288memset(entry, 0, sizeof (*entry));289retval = krb5_kt_next_entry(context, kt, entry, &cursor);290if (retval)291break;292293if (!lp) { /* if list is empty, start one */294lp = (krb5_kt_list)malloc(sizeof (*lp));295if (!lp) {296retval = ENOMEM;297break;298}299} else {300lp->next = (krb5_kt_list)malloc(sizeof (*lp));301if (!lp->next) {302retval = ENOMEM;303break;304}305lp = lp->next;306}307if (!tail)308tail = lp;309lp->next = NULL;310lp->entry = entry;311}312if (entry)313free(entry);314if (retval) {315if (retval == KRB5_KT_END)316retval = 0;317else {318ktutil_free_kt_list(context, tail);319tail = NULL;320if (back)321back->next = NULL;322}323}324if (!*list)325*list = tail;326krb5_kt_end_seq_get(context, kt, &cursor);327close_kt:328krb5_kt_close(context, kt);329return retval;330}331332/*333* Takes a kt_list and writes it to the named keytab.334*/335krb5_error_code336ktutil_write_keytab(krb5_context context, krb5_kt_list list, char *name)337{338krb5_kt_list lp;339krb5_keytab kt;340char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];341krb5_error_code retval = 0;342int result;343344result = snprintf(ktname, sizeof(ktname), "WRFILE:%s", name);345if (SNPRINTF_OVERFLOW(result, sizeof(ktname)))346return ENAMETOOLONG;347retval = krb5_kt_resolve(context, ktname, &kt);348if (retval)349return retval;350for (lp = list; lp; lp = lp->next) {351retval = krb5_kt_add_entry(context, kt, lp->entry);352if (retval)353break;354}355krb5_kt_close(context, kt);356return retval;357}358359360