/* Display the name of enctype. */ static void display_enctype(krb5_enctype enctype) { char ename[128]; if (krb5_enctype_to_name(enctype, FALSE, ename, sizeof(ename)) == 0) fputs(ename, stdout); else fputs("(unknown)", stdout); }
static char * etype_string(krb5_enctype enctype) { static char buf[100]; krb5_error_code ret; ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf)); if (ret) snprintf(buf, sizeof(buf), "etype %d", enctype); return buf; }
PyObject *pykadmin_key_enctype_name(krb5_key_data *key_data) { PyObject *enctype = NULL; // make sure this is enough. char buffer[1024]; if (krb5_enctype_to_name(key_data->key_data_type[0], FALSE, buffer, sizeof(buffer))) snprintf(buffer, sizeof(buffer), "<Encryption type 0x%x>", key_data->key_data_type[0]); enctype = PyUnicode_FromString(buffer); return enctype; }
/* Write an enctype field, optionally as decimal. */ static krb5_error_code write_enctype(struct rec_args *args, krb5_int16 etype) { char buf[256]; krb5_error_code ret; struct rechandle *h = args->rh; struct tdopts *opts = args->opts; if (!opts->numeric) { ret = krb5_enctype_to_name(etype, 0, buf, sizeof(buf)); if (ret == 0) { if (writefield(h, "%s", buf) < 0) return errno; return ret; } } /* decimal if requested, or if conversion failed */ if (writefield(h, "%d", etype) < 0) return errno; return 0; }
void kdb5_list_mkeys(int argc, char *argv[]) { krb5_error_code retval; char *mkey_fullname = NULL, *output_str = NULL, enctype[BUFSIZ]; krb5_kvno act_kvno; krb5_timestamp act_time; krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno; krb5_db_entry *master_entry; krb5_keylist_node *cur_kb_node; krb5_keyblock *act_mkey; krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); if (master_keylist == NULL) { com_err(progname, 0, _("master keylist not initialized")); exit_status++; return; } /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, global_params.realm, &mkey_fullname, &master_princ))) { com_err(progname, retval, _("while setting up master key name")); exit_status++; return; } retval = krb5_db_get_principal(util_context, master_princ, 0, &master_entry); if (retval != 0) { com_err(progname, retval, _("while getting master key principal %s"), mkey_fullname); exit_status++; goto cleanup_return; } retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, _("while looking up active kvno list")); exit_status++; goto cleanup_return; } if (actkvno_list == NULL) { act_kvno = master_entry->key_data[0].key_data_kvno; } else { retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno, &act_mkey); if (retval == KRB5_KDB_NOACTMASTERKEY) { /* Maybe we went through a time warp, and the only keys with activation dates have them set in the future? */ com_err(progname, retval, ""); /* Keep going. */ act_kvno = -1; } else if (retval != 0) { com_err(progname, retval, _("while looking up active master key")); exit_status++; goto cleanup_return; } } printf("Master keys for Principal: %s\n", mkey_fullname); for (cur_kb_node = master_keylist; cur_kb_node != NULL; cur_kb_node = cur_kb_node->next) { if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype, FALSE, enctype, sizeof(enctype)))) { com_err(progname, retval, _("while getting enctype description")); exit_status++; goto cleanup_return; } if (actkvno_list != NULL) { act_time = -1; /* assume actkvno entry not found */ for (cur_actkvno = actkvno_list; cur_actkvno != NULL; cur_actkvno = cur_actkvno->next) { if (cur_actkvno->act_kvno == cur_kb_node->kvno) { act_time = cur_actkvno->act_time; break; } } } else { /* * mkey princ doesn't have an active knvo list so assume the current * key is active now */ if ((retval = krb5_timeofday(util_context, &act_time))) { com_err(progname, retval, _("while getting current time")); exit_status++; goto cleanup_return; } } if (cur_kb_node->kvno == act_kvno) { /* * indicates kvno is currently active */ retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, Active on: %s *\n"), cur_kb_node->kvno, enctype, strdate(act_time)); } else { if (act_time != -1) { retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, Active on: %s\n"), cur_kb_node->kvno, enctype, strdate(act_time)); } else { retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, No activate time " "set\n"), cur_kb_node->kvno, enctype); } } if (retval == -1) { com_err(progname, ENOMEM, _("asprintf could not allocate enough " "memory to hold output")); exit_status++; goto cleanup_return; } printf("%s", output_str); free(output_str); output_str = NULL; } cleanup_return: /* clean up */ (void) krb5_db_fini(util_context); krb5_free_unparsed_name(util_context, mkey_fullname); free(output_str); krb5_free_principal(util_context, master_princ); krb5_dbe_free_actkvno_list(util_context, actkvno_list); return; }
void kdb5_list_mkeys(int argc, char *argv[]) { krb5_error_code retval; char *output_str = NULL, enctype[BUFSIZ]; krb5_kvno act_kvno; krb5_timestamp act_time; krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno; krb5_db_entry *master_entry = NULL; krb5_keylist_node *cur_kb_node; krb5_keyblock *act_mkey; krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); if (master_keylist == NULL) { com_err(progname, 0, _("master keylist not initialized")); exit_status++; return; } retval = krb5_db_get_principal(util_context, master_princ, 0, &master_entry); if (retval != 0) { com_err(progname, retval, _("while getting master key principal %s"), mkey_fullname); exit_status++; goto cleanup_return; } retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, _("while looking up active kvno list")); exit_status++; goto cleanup_return; } retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno, &act_mkey); if (retval != 0) { com_err(progname, retval, _("while looking up active master key")); exit_status++; goto cleanup_return; } printf("Master keys for Principal: %s\n", mkey_fullname); for (cur_kb_node = master_keylist; cur_kb_node != NULL; cur_kb_node = cur_kb_node->next) { if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype, FALSE, enctype, sizeof(enctype)))) { com_err(progname, retval, _("while getting enctype description")); exit_status++; goto cleanup_return; } act_time = -1; /* assume actkvno entry not found */ for (cur_actkvno = actkvno_list; cur_actkvno != NULL; cur_actkvno = cur_actkvno->next) { if (cur_actkvno->act_kvno == cur_kb_node->kvno) { act_time = cur_actkvno->act_time; break; } } if (cur_kb_node->kvno == act_kvno) { /* * indicates kvno is currently active */ retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, Active on: %s *\n"), cur_kb_node->kvno, enctype, strdate(act_time)); } else { if (act_time != -1) { retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, Active on: %s\n"), cur_kb_node->kvno, enctype, strdate(act_time)); } else { retval = asprintf(&output_str, _("KVNO: %d, Enctype: %s, No activate time " "set\n"), cur_kb_node->kvno, enctype); } } if (retval == -1) { com_err(progname, ENOMEM, _("asprintf could not allocate enough " "memory to hold output")); exit_status++; goto cleanup_return; } printf("%s", output_str); free(output_str); output_str = NULL; } cleanup_return: /* clean up */ krb5_db_free_principal(util_context, master_entry); free(output_str); krb5_dbe_free_actkvno_list(util_context, actkvno_list); return; }
int main(int argc, char **argv) { krb5_error_code ret; krb5_context context = NULL; size_t i; struct test *test; krb5_keyblock kb, *kbp; krb5_checksum cksum; krb5_cksumtype mtype; krb5_boolean valid, verbose = FALSE; int status = 0; if (argc >= 2 && strcmp(argv[1], "-v") == 0) verbose = TRUE; for (i = 0; i < sizeof(test_cases) / sizeof(*test_cases); i++) { test = &test_cases[i]; if (test->enctype != 0) { kb.magic = KV5M_KEYBLOCK; kb.enctype = test->enctype; kb.length = test->keybits.length; kb.contents = (unsigned char *)test->keybits.data; kbp = &kb; } else kbp = NULL; ret = krb5_c_make_checksum(context, test->sumtype, kbp, test->usage, &test->plaintext, &cksum); assert(!ret); if (verbose) { char buf[64]; krb5_cksumtype_to_string(test->sumtype, buf, sizeof(buf)); printf("\nTest %d:\n", (int)i); printf("Plaintext: %.*s\n", (int)test->plaintext.length, test->plaintext.data); printf("Checksum type: %s\n", buf); if (test->enctype != 0) { krb5_enctype_to_name(test->enctype, FALSE, buf, sizeof(buf)); printf("Enctype: %s\n", buf); printhex("Key: ", test->keybits.data, test->keybits.length); printf("Key usage: %d\n", (int)test->usage); } printhex("Checksum: ", cksum.contents, cksum.length); } if (test->cksum.length != cksum.length || memcmp(test->cksum.data, cksum.contents, cksum.length) != 0) { printf("derive test %d failed\n", (int)i); status = 1; if (!verbose) break; } /* Test that the checksum verifies successfully. */ ret = krb5_c_verify_checksum(context, kbp, test->usage, &test->plaintext, &cksum, &valid); assert(!ret); if (!valid) { printf("test %d verify failed\n", (int)i); status = 1; if (!verbose) break; } if (kbp != NULL) { ret = krb5int_c_mandatory_cksumtype(context, kbp->enctype, &mtype); assert(!ret); if (test->sumtype == mtype) { /* Test that a checksum type of 0 uses the mandatory checksum * type for the key. */ cksum.checksum_type = 0; ret = krb5_c_verify_checksum(context, kbp, test->usage, &test->plaintext, &cksum, &valid); assert(!ret && valid); } } krb5_free_checksum_contents(context, &cksum); } return status; }
/* Return a helpful error code and message when we fail to find a key after * iterating over the keytab. */ static krb5_error_code iteration_error(krb5_context context, krb5_const_principal server, krb5_const_principal tkt_server, krb5_kvno tkt_kvno, krb5_enctype tkt_etype, krb5_boolean tkt_server_mismatch, krb5_boolean found_server_match, krb5_boolean found_tkt_server, krb5_boolean found_kvno, krb5_boolean found_higher_kvno, krb5_boolean found_enctype) { krb5_error_code ret; char *sname = NULL, *tsname = NULL, encname[128]; ret = unparse_princs(context, server, tkt_server, &sname, &tsname); if (ret) return ret; if (krb5_enctype_to_name(tkt_etype, TRUE, encname, sizeof(encname)) != 0) (void)snprintf(encname, sizeof(encname), "%d", (int)tkt_etype); if (!found_server_match) { ret = KRB5KRB_AP_ERR_NOKEY; if (sname == NULL) { krb5_set_error_message(context, ret, _("No keys in keytab")); } else { krb5_set_error_message(context, ret, _("Server principal %s does not match any " "keys in keytab"), sname); } } else if (tkt_server_mismatch) { assert(sname != NULL); /* Null server princ would match anything. */ ret = KRB5KRB_AP_ERR_NOT_US; krb5_set_error_message(context, ret, _("Request ticket server %s found in keytab " "but does not match server principal %s"), tsname, sname); } else if (!found_tkt_server) { ret = KRB5KRB_AP_ERR_NOT_US; krb5_set_error_message(context, ret, _("Request ticket server %s not found in " "keytab (ticket kvno %d)"), tsname, (int)tkt_kvno); } else if (!found_kvno) { ret = KRB5KRB_AP_ERR_BADKEYVER; if (found_higher_kvno) { krb5_set_error_message(context, ret, _("Request ticket server %s kvno %d not " "found in keytab; ticket is likely out " "of date"), tsname, (int)tkt_kvno); } else { krb5_set_error_message(context, ret, _("Request ticket server %s kvno %d not " "found in keytab; keytab is likely out " "of date"), tsname, (int)tkt_kvno); } } else if (!found_enctype) { /* There's no defined error for having the key version but not the * enctype. */ ret = KRB5KRB_AP_ERR_BADKEYVER; krb5_set_error_message(context, ret, _("Request ticket server %s kvno %d found in " "keytab but not with enctype %s"), tsname, (int)tkt_kvno, encname); } else { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; krb5_set_error_message(context, ret, _("Request ticket server %s kvno %d enctype %s " "found in keytab but cannot decrypt ticket"), tsname, (int)tkt_kvno, encname); } krb5_free_unparsed_name(context, sname); krb5_free_unparsed_name(context, tsname); return ret; }