/* * Given a keytab and a list of allowed enctypes, and optionally a known * service principal, choose an appropriate enctype, and choose a * service principal if one was not given. Return the keytab entry * corresponding to this service principal and enctype. * * The list of allowed enctypes must be zero-terminated. */ static int pick_enctype_and_principal(krb5_context context, krb5_keytab kt, const int *allowed_enctypes, krb5_enctype *enctype, krb5_principal *service_principal, krb5_keytab_entry *entry) { krb5_error_code code; int i; if (*service_principal == NULL) { code = pick_principal(context, kt, service_principal); if (code != 0) { goto cleanup; } } /* We always have a service_principal, now. */ i = 0; do { *enctype = allowed_enctypes[i]; code = krb5_kt_get_entry(context, kt, *service_principal, 0 /* any */, *enctype, entry); if (code == 0) { if (*enctype == 0) *enctype = deref_entry_enctype(entry); break; } ++i; } while(allowed_enctypes[i] != 0); if (code != 0) goto cleanup; cleanup: return code; }
mit_krb5_error_code KRB5_CALLCONV krb5_kt_read_service_key(mit_krb5_context context, mit_krb5_pointer keyprocarg, mit_krb5_principal principal, mit_krb5_kvno vno, mit_krb5_enctype enctype, mit_krb5_keyblock **key) { mit_krb5_keytab keytab; mit_krb5_keytab_entry entry; mit_krb5_error_code ret; LOG_ENTRY(); if (keyprocarg) ret = krb5_kt_resolve (context, keyprocarg, &keytab); else ret = krb5_kt_default (context, &keytab); if (ret) return ret; ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry); krb5_kt_close (context, keytab); if (ret) return ret; ret = krb5_copy_keyblock (context, &entry.key, key); krb5_kt_free_entry(context, &entry); return ret; }
KRB5_DEPRECATED KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV krb5_keytab_key_proc (krb5_context context, krb5_enctype enctype, krb5_salt salt, krb5_const_pointer keyseed, krb5_keyblock **key) { krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed); krb5_keytab keytab = args->keytab; krb5_principal principal = args->principal; krb5_error_code ret; krb5_keytab real_keytab; krb5_keytab_entry entry; if(keytab == NULL) krb5_kt_default(context, &real_keytab); else real_keytab = keytab; ret = krb5_kt_get_entry (context, real_keytab, principal, 0, enctype, &entry); if (keytab == NULL) krb5_kt_close (context, real_keytab); if (ret) return ret; ret = krb5_copy_keyblock (context, &entry.keyblock, key); krb5_kt_free_entry(context, &entry); return ret; }
krb5_error_code KRB5_LIB_FUNCTION krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock **key) { krb5_keytab keytab; krb5_keytab_entry entry; krb5_error_code ret; if (keyprocarg) ret = krb5_kt_resolve (context, keyprocarg, &keytab); else ret = krb5_kt_default (context, &keytab); if (ret) return ret; ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry); krb5_kt_close (context, keytab); if (ret) return ret; ret = krb5_copy_keyblock (context, &entry.keyblock, key); krb5_kt_free_entry(context, &entry); return ret; }
static krb5_error_code copy_one_entry(krb5_context context, krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry) { krb5_error_code ret; krb5_keytab_entry dummy; char *name_str; char *etype_str; ret = krb5_unparse_name (context, entry.principal, &name_str); if(ret) { krb5_set_error_message(context, ret, "krb5_unparse_name"); name_str = NULL; /* XXX */ return ret; } ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str); if(ret) { krb5_set_error_message(context, ret, "krb5_enctype_to_string"); etype_str = NULL; /* XXX */ return ret; } ret = krb5_kt_get_entry(context, dst_keytab, entry.principal, entry.vno, entry.keyblock.keytype, &dummy); if(ret == 0) { /* this entry is already in the new keytab, so no need to copy it; if the keyblocks are not the same, something is weird, so complain about that */ if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) { krb5_warn(context, 0, "entry with different keyvalue " "already exists for %s, keytype %s, kvno %d", name_str, etype_str, entry.vno); } krb5_kt_free_entry(context, &dummy); krb5_kt_free_entry (context, &entry); free(name_str); free(etype_str); return ret; } else if(ret != KRB5_KT_NOTFOUND) { krb5_set_error_message (context, ret, "fetching %s/%s/%u", name_str, etype_str, entry.vno); krb5_kt_free_entry (context, &entry); free(name_str); free(etype_str); return ret; } ret = krb5_kt_add_entry (context, dst_keytab, &entry); krb5_kt_free_entry (context, &entry); if (ret) { krb5_set_error_message (context, ret, "adding %s/%s/%u", name_str, etype_str, entry.vno); free(name_str); free(etype_str); return ret; } free(name_str); free(etype_str); return ret; }
static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, krb5_context context, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gsskrb5_cred handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) { OM_uint32 ret; krb5_error_code kret; ret = GSS_S_FAILURE; kret = get_keytab(context, &handle->keytab); if (kret) goto end; /* check that the requested principal exists in the keytab */ if (handle->principal) { krb5_keytab_entry entry; kret = krb5_kt_get_entry(context, handle->keytab, handle->principal, 0, 0, &entry); if (kret) goto end; krb5_kt_free_entry(context, &entry); ret = GSS_S_COMPLETE; } else { /* * Check if there is at least one entry in the keytab before * declaring it as an useful keytab. */ krb5_keytab_entry tmp; krb5_kt_cursor c; kret = krb5_kt_start_seq_get (context, handle->keytab, &c); if (kret) goto end; if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) { krb5_kt_free_entry(context, &tmp); ret = GSS_S_COMPLETE; /* ok found one entry */ } krb5_kt_end_seq_get (context, handle->keytab, &c); } end: if (ret != GSS_S_COMPLETE) { if (handle->keytab != NULL) krb5_kt_close(context, handle->keytab); if (kret != 0) { *minor_status = kret; } } return (ret); }
int kssl_keytab_is_available(KSSL_CTX *kssl_ctx) { krb5_context krb5context = NULL; krb5_keytab krb5keytab = NULL; krb5_keytab_entry entry; krb5_principal princ = NULL; krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; int rc = 0; if ((krb5rc = krb5_init_context(&krb5context))) return (0); /* kssl_ctx->keytab_file == NULL ==> use Kerberos default */ if (kssl_ctx->keytab_file) { krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, &krb5keytab); if (krb5rc) goto exit; } else { krb5rc = krb5_kt_default(krb5context, &krb5keytab); if (krb5rc) goto exit; } /* the host key we are looking for */ krb5rc = krb5_sname_to_principal(krb5context, NULL, kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC, KRB5_NT_SRV_HST, &princ); if (krb5rc) goto exit; krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ, 0 /* IGNORE_VNO */, 0 /* IGNORE_ENCTYPE */, &entry); if (krb5rc == KRB5_KT_NOTFOUND) { rc = 1; goto exit; } else if (krb5rc) goto exit; krb5_kt_free_entry(krb5context, &entry); rc = 1; exit: if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); if (princ) krb5_free_principal(krb5context, princ); if (krb5context) krb5_free_context(krb5context); return (rc); }
static krb5_error_code hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry) { hdb_keytab k = (hdb_keytab)db->hdb_db; krb5_error_code ret; krb5_keytab_entry ktentry; if (!(flags & HDB_F_KVNO_SPECIFIED)) { /* Preserve previous behaviour if no kvno specified */ kvno = 0; } memset(&ktentry, 0, sizeof(ktentry)); entry->entry.flags.server = 1; entry->entry.flags.forwardable = 1; entry->entry.flags.renewable = 1; /* Not recorded in the OD backend, make something up */ ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND", &entry->entry.created_by.principal); if (ret) goto out; /* * XXX really needs to try all enctypes and just not pick the * first one, even if that happens to be des3-cbc-sha1 (ie best * enctype) in the Apple case. A while loop over all known * enctypes should work. */ ret = krb5_kt_get_entry(context, k->keytab, principal, kvno, 0, &ktentry); if (ret) { ret = HDB_ERR_NOENTRY; goto out; } ret = krb5_copy_principal(context, principal, &entry->entry.principal); if (ret) goto out; ret = _hdb_keytab2hdb_entry(context, &ktentry, entry); out: if (ret) { free_hdb_entry(&entry->entry); memset(&entry->entry, 0, sizeof(entry->entry)); } krb5_kt_free_entry(context, &ktentry); return ret; }
static krb5_error_code get_as_key_keytab(krb5_context context, krb5_principal client, krb5_enctype etype, krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, krb5_data *params, krb5_keyblock *as_key, void *gak_data, k5_response_items *ritems) { krb5_keytab keytab = (krb5_keytab) gak_data; krb5_error_code ret; krb5_keytab_entry kt_ent; krb5_keyblock *kt_key; /* We don't need the password from the responder to create the AS key. */ if (as_key == NULL) return 0; /* if there's already a key of the correct etype, we're done. if the etype is wrong, free the existing key, and make a new one. */ if (as_key->length) { if (as_key->enctype == etype) return(0); krb5_free_keyblock_contents(context, as_key); as_key->length = 0; } if (!krb5_c_valid_enctype(etype)) return(KRB5_PROG_ETYPE_NOSUPP); if ((ret = krb5_kt_get_entry(context, keytab, client, 0, /* don't have vno available */ etype, &kt_ent))) return(ret); ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key); /* again, krb5's memory management is lame... */ *as_key = *kt_key; free(kt_key); (void) krb5_kt_free_entry(context, &kt_ent); return(ret); }
static OM_uint32 acquire_acceptor_cred (OM_uint32 * minor_status, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_cred_id_t handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec ) { OM_uint32 ret; krb5_error_code kret; kret = 0; ret = GSS_S_FAILURE; kret = get_keytab(&handle->keytab); if (kret) goto end; /* check that the requested principal exists in the keytab */ if (handle->principal) { krb5_keytab_entry entry; kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab, handle->principal, 0, 0, &entry); if (kret) goto end; krb5_kt_free_entry(gssapi_krb5_context, &entry); } ret = GSS_S_COMPLETE; end: if (ret != GSS_S_COMPLETE) { if (handle->keytab != NULL) krb5_kt_close(gssapi_krb5_context, handle->keytab); if (kret != 0) { *minor_status = kret; gssapi_krb5_set_error_string (); } } return (ret); }
static krb5_error_code krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, krb5_keytab keytab) { krb5_error_code retval; krb5_enctype enctype; krb5_keytab_entry ktent; enctype = req->ticket->enc_part.enctype; if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server, req->ticket->enc_part.kvno, enctype, &ktent))) return retval; retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket); /* Upon error, Free keytab entry first, then return */ (void) krb5_kt_free_entry(context, &ktent); return retval; }
/* Decrypt the ticket in req using a principal looked up from keytab. */ static krb5_error_code try_one_princ(krb5_context context, const krb5_ap_req *req, krb5_const_principal princ, krb5_keytab keytab, krb5_keyblock *keyblock_out) { krb5_error_code ret; krb5_keytab_entry ent; ret = krb5_kt_get_entry(context, keytab, princ, req->ticket->enc_part.kvno, req->ticket->enc_part.enctype, &ent); if (ret) return ret; ret = try_one_entry(context, req, &ent, keyblock_out); if (ret == 0) TRACE_RD_REQ_DECRYPT_SPECIFIC(context, ent.principal, &ent.key); (void)krb5_free_keytab_entry_contents(context, &ent); if (ret) return ret; return 0; }
static krb5_error_code get_key_from_keytab(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, krb5_const_principal server, krb5_keytab keytab, krb5_keyblock **out_key) { krb5_keytab_entry entry; krb5_error_code ret; int kvno; krb5_keytab real_keytab; if(keytab == NULL) krb5_kt_default(context, &real_keytab); else real_keytab = keytab; if (ap_req->ticket.enc_part.kvno) kvno = *ap_req->ticket.enc_part.kvno; else kvno = 0; ret = krb5_kt_get_entry (context, real_keytab, server, kvno, ap_req->ticket.enc_part.etype, &entry); if(ret) goto out; ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); krb5_kt_free_entry (context, &entry); out: if(keytab == NULL) krb5_kt_close(context, real_keytab); return ret; }
krb5_error_code KRB5_CALLCONV krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket *ticket) { krb5_error_code retval; krb5_enctype enctype; krb5_keytab_entry ktent; enctype = ticket->enc_part.enctype; if ((retval = krb5_kt_get_entry(context, kt, ticket->server, ticket->enc_part.kvno, enctype, &ktent))) return retval; retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket); /* Upon error, Free keytab entry first, then return */ (void) krb5_kt_free_entry(context, &ktent); return retval; }
/* * effects: If keyprocarg is not NULL, it is taken to be the name of a * keytab. Otherwise, the default keytab will be used. This * routine opens the keytab and finds the principal associated with * principal, vno, and enctype and returns the resulting key in *key * or returning an error code if it is not found. * returns: Either KSUCCESS or error code. * errors: error code if not found or keyprocarg is invalid. */ krb5_error_code KRB5_CALLCONV krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock **key) { krb5_error_code kerror = KSUCCESS; char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */ krb5_keytab id; krb5_keytab_entry entry; /* * Get the name of the file that we should use. */ if (!keyprocarg) { if ((kerror = krb5_kt_default_name(context, (char *)keytabname, sizeof(keytabname) - 1))!= KSUCCESS) return (kerror); } else { memset(keytabname, 0, sizeof(keytabname)); (void) strncpy(keytabname, (char *)keyprocarg, sizeof(keytabname) - 1); } if ((kerror = krb5_kt_resolve(context, (char *)keytabname, &id))) return (kerror); kerror = krb5_kt_get_entry(context, id, principal, vno, enctype, &entry); krb5_kt_close(context, id); if (kerror) return(kerror); krb5_copy_keyblock(context, &entry.key, key); krb5_kt_free_entry(context, &entry); return (KSUCCESS); }
/* Decrypt the ticket in req using a principal looked up from keytab. * explicit_server should be true if this is the only usable principal. */ static krb5_error_code try_one_princ(krb5_context context, const krb5_ap_req *req, krb5_const_principal princ, krb5_keytab keytab, krb5_boolean explicit_server, krb5_keyblock *keyblock_out) { krb5_error_code ret; krb5_keytab_entry ent; krb5_kvno tkt_kvno = req->ticket->enc_part.kvno; krb5_enctype tkt_etype = req->ticket->enc_part.enctype; krb5_principal tkt_server = req->ticket->server; ret = krb5_kt_get_entry(context, keytab, princ, tkt_kvno, tkt_etype, &ent); if (ret) { return keytab_fetch_error(context, ret, princ, tkt_server, tkt_kvno, explicit_server); } ret = try_one_entry(context, req, &ent, keyblock_out); if (ret == 0) TRACE_RD_REQ_DECRYPT_SPECIFIC(context, ent.principal, &ent.key); (void)krb5_free_keytab_entry_contents(context, &ent); if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) return integrity_error(context, princ, req->ticket->server); return ret; }
static krb5_error_code get_key_from_keytab(krb5_context context, krb5_const_principal server, krb5_enctype enctype, krb5_kvno kvno, krb5_keyblock **out_key) { krb5_keytab_entry entry; krb5_error_code ret; krb5_keytab keytab; char *name = NULL; /* We have to open a new keytab handle here, as MIT does an implicit open/getnext/close on krb5_kt_get_entry. We may be in the middle of a keytab enumeration when this is called. JRA. */ ret = krb5_kt_default(context, &keytab); if (ret) { DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret))); return ret; } if ( DEBUGLEVEL >= 10 ) { if (smb_krb5_unparse_name(context, server, &name) == 0) { DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", kvno, enctype, name)); SAFE_FREE(name); } } ret = krb5_kt_get_entry(context, keytab, server, kvno, enctype, &entry); if (ret) { DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret))); goto out; } #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */ ret = krb5_copy_keyblock(context, &entry.key, out_key); #else #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT #endif if (ret) { DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret))); goto out; } smb_krb5_kt_free_entry(context, &entry); out: krb5_kt_close(context, keytab); return ret; }
static int gss_create_principal(AFPObj *obj) { int rv = -1; #ifdef HAVE_KERBEROS krb5_context context; krb5_error_code ret; const char *error_msg; krb5_keytab keytab; krb5_keytab_entry entry; krb5_principal service_principal; char *principal; krb5_kt_cursor cursor; if (krb5_init_context(&context)) { LOG(log_error, logtype_afpd, "gss_create_principal: failed to intialize a krb5_context"); goto exit; } if ((ret = krb5_kt_default(context, &keytab))) goto krb5_error; if (obj->options.k5service && obj->options.fqdn && obj->options.k5realm) { LOG(log_debug, logtype_afpd, "gss_create_principal: using service principal specified in options"); if ((ret = krb5_build_principal(context, &service_principal, strlen(obj->options.k5realm), obj->options.k5realm, obj->options.k5service, obj->options.fqdn, NULL))) goto krb5_error; if ((ret = krb5_kt_get_entry(context, keytab, service_principal, 0, // kvno - wildcard 0, // enctype - wildcard &entry)) == KRB5_KT_NOTFOUND) { krb5_unparse_name(context, service_principal, &principal); LOG(log_error, logtype_afpd, "gss_create_principal: specified service principal '%s' not found in keytab", principal); #ifdef HAVE_KRB5_FREE_UNPARSED_NAME krb5_free_unparsed_name(context, principal); #else krb5_xfree(principal); #endif goto krb5_cleanup; } krb5_free_principal(context, service_principal); if (ret) goto krb5_error; } else { LOG(log_debug, logtype_afpd, "gss_create_principal: using first entry from keytab as service principal"); if ((ret = krb5_kt_start_seq_get(context, keytab, &cursor))) goto krb5_error; ret = krb5_kt_next_entry(context, keytab, &entry, &cursor); krb5_kt_end_seq_get(context, keytab, &cursor); if (ret) goto krb5_error; } krb5_unparse_name(context, entry.principal, &principal); #ifdef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS krb5_free_keytab_entry_contents(context, &entry); #elif defined(HAVE_KRB5_KT_FREE_ENTRY) krb5_kt_free_entry(context, &entry); #endif set_principal(obj, principal); free(principal); rv = 0; goto krb5_cleanup; krb5_error: if (ret) { error_msg = krb5_get_error_message(context, ret); LOG(log_note, logtype_afpd, "Can't get principal from default keytab: %s", (char *)error_msg); #ifdef HAVE_KRB5_FREE_ERROR_MESSAGE krb5_free_error_message(context, error_msg); #else krb5_xfree(error_msg); #endif } krb5_cleanup: krb5_kt_close(context, keytab); krb5_free_context(context); #else /* ! HAVE_KERBEROS */ if (!obj->options.k5service || !obj->options.fqdn || !obj->options.k5realm) goto exit; char principal[255]; size_t len = snprintf(principal, sizeof(principal), "%s/%s@%s", obj->options.k5service, obj->options.fqdn, obj->options.k5realm); (void)set_principal(obj, principal); rv = 0; #endif /* HAVE_KERBEROS */ exit: return rv; }
static void remove_principal(char *keytab_str, krb5_keytab keytab, char *princ_str, char *kvno_str) { krb5_principal princ; krb5_keytab_entry entry; krb5_kt_cursor cursor; enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; int code, did_something; krb5_kvno kvno; code = krb5_parse_name(context, princ_str, &princ); if (code != 0) { com_err(whoami, code, "while parsing principal name %s", princ_str); return; } mode = UNDEF; if (kvno_str == NULL) { mode = HIGH; kvno = 0; } else if (strcmp(kvno_str, "all") == 0) { mode = ALL; kvno = 0; } else if (strcmp(kvno_str, "old") == 0) { mode = OLD; kvno = 0; } else { mode = SPEC; kvno = atoi(kvno_str); } /* kvno is set to specified value for SPEC, 0 otherwise */ code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry); if (code != 0) { if (code == ENOENT) { fprintf(stderr, "%s: Keytab %s does not exist.\n", whoami, keytab_str); } else if (code == KRB5_KT_NOTFOUND) { if (mode != SPEC) { fprintf(stderr, "%s: No entry for principal " "%s exists in keytab %s\n", whoami, princ_str, keytab_str); } else { fprintf(stderr, "%s: No entry for principal " "%s with kvno %d exists in keytab " "%s.\n", whoami, princ_str, kvno, keytab_str); } } else com_err(whoami, code, "while retrieving highest kvno from keytab"); return; } /* set kvno to spec'ed value for SPEC, highest kvno otherwise */ kvno = entry.vno; krb5_kt_free_entry(context, &entry); code = krb5_kt_start_seq_get(context, keytab, &cursor); if (code != 0) { com_err(whoami, code, "while starting keytab scan"); return; } did_something = 0; while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { if (krb5_principal_compare(context, princ, entry.principal) && ((mode == ALL) || (mode == SPEC && entry.vno == kvno) || (mode == OLD && entry.vno != kvno) || (mode == HIGH && entry.vno == kvno))) { /* * Ack! What a kludge... the scanning functions lock * the keytab so entries cannot be removed while they * are operating. */ code = krb5_kt_end_seq_get(context, keytab, &cursor); if (code != 0) { com_err(whoami, code, "while temporarily ending keytab scan"); return; } code = krb5_kt_remove_entry(context, keytab, &entry); if (code != 0) { com_err(whoami, code, "while deleting entry from keytab"); return; } code = krb5_kt_start_seq_get(context, keytab, &cursor); if (code != 0) { com_err(whoami, code, "while restarting keytab scan"); return; } did_something++; if (!quiet) printf("Entry for principal %s with kvno %d " "removed from keytab %s.\n", princ_str, entry.vno, keytab_str); } krb5_kt_free_entry(context, &entry); } if (code && code != KRB5_KT_END) { com_err(whoami, code, "while scanning keytab"); return; } code = krb5_kt_end_seq_get(context, keytab, &cursor); if (code) { com_err(whoami, code, "while ending keytab scan"); return; } /* * If !did_someting then mode must be OLD or we would have * already returned with an error. But check it anyway just to * prevent unexpected error messages... */ if (!did_something && mode == OLD) { fprintf(stderr, "%s: There is only one entry for principal " "%s in keytab %s\n", whoami, princ_str, keytab_str); } }
static void do_v5_kvno (int count, char *names[], char * ccache_name, char *etype_str, char *keytab_name, char *sname) { krb5_error_code ret; krb5_context context = 0; int i, errors; krb5_enctype etype; krb5_ccache ccache; krb5_principal me; krb5_creds in_creds, *out_creds = NULL; Ticket ticket; size_t len; char *princ = NULL; krb5_keytab keytab = NULL; ret = krb5_init_context(&context); if (ret) errx(1, "krb5_init_context failed: %d", ret); if (etype_str) { ret = krb5_string_to_enctype(context, etype_str, &etype); if (ret) krb5_err(context, 1, ret, "Failed to convert encryption type %s", etype_str); } else { etype = 0; } if (ccache_name) ret = krb5_cc_resolve(context, ccache_name, &ccache); else ret = krb5_cc_default(context, &ccache); if (ret) krb5_err(context, 1, ret, "Failed to open credentials cache %s", (ccache_name) ? ccache_name : "(Default)"); if (keytab_name) { ret = krb5_kt_resolve(context, keytab_name, &keytab); if (ret) krb5_err(context, 1, ret, "Can't resolve keytab %s", keytab_name); } ret = krb5_cc_get_principal(context, ccache, &me); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); errors = 0; for (i = 0; i < count; i++) { memset(&in_creds, 0, sizeof(in_creds)); memset(&ticket, 0, sizeof(ticket)); in_creds.client = me; if (sname != NULL) { ret = krb5_sname_to_principal(context, names[i], sname, KRB5_NT_SRV_HST, &in_creds.server); } else { ret = krb5_parse_name(context, names[i], &in_creds.server); } if (ret) { if (!quiet_flag) krb5_warn(context, ret, "Couldn't parse principal name %s", names[i]); errors++; continue; } ret = krb5_unparse_name(context, in_creds.server, &princ); if (ret) { krb5_warn(context, ret, "Couldn't format parsed principal name for '%s'", names[i]); errors++; goto next; } in_creds.session.keytype = etype; ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds); if (ret) { krb5_warn(context, ret, "Couldn't get credentials for %s", princ); errors++; goto next; } ret = decode_Ticket(out_creds->ticket.data, out_creds->ticket.length, &ticket, &len); if (ret) { krb5_err(context, 1, ret, "Can't decode ticket for %s", princ); errors++; goto next; continue; } if (keytab) { krb5_keytab_entry kte; krb5_crypto crypto; krb5_data dec_data; EncTicketPart decr_part; ret = krb5_kt_get_entry(context, keytab, in_creds.server, (ticket.enc_part.kvno != NULL)? *ticket.enc_part.kvno : 0, ticket.enc_part.etype, &kte); if (ret) { krb5_warn(context, ret, "Can't decrypt ticket for %s", princ); if (!quiet_flag) printf("%s: kvno = %d, keytab entry invalid", princ, (ticket.enc_part.kvno != NULL)? *ticket.enc_part.kvno : 0); errors ++; goto next; } ret = krb5_crypto_init(context, &kte.keyblock, 0, &crypto); if (ret) { krb5_warn(context, ret, "krb5_crypto_init"); errors ++; krb5_kt_free_entry(context, &kte); goto next; } ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET, &ticket.enc_part, &dec_data); krb5_crypto_destroy(context, crypto); krb5_kt_free_entry(context, &kte); if (ret) { krb5_warn(context, ret, "krb5_decrypt_EncryptedData"); errors ++; goto next; } ret = decode_EncTicketPart(dec_data.data, dec_data.length, &decr_part, &len); krb5_data_free(&dec_data); if (ret) { krb5_warn(context, ret, "decode_EncTicketPart"); errors ++; goto next; } if (!quiet_flag) printf("%s: kvno = %d, keytab entry valid\n", princ, (ticket.enc_part.kvno != NULL)? *ticket.enc_part.kvno : 0); free_EncTicketPart(&decr_part); } else { if (!quiet_flag) printf("%s: kvno = %d\n", princ, (ticket.enc_part.kvno != NULL)? *ticket.enc_part.kvno : 0); } next: if (out_creds) { krb5_free_creds(context, out_creds); out_creds = NULL; } if (princ) { krb5_free_unparsed_name(context, princ); princ = NULL; } krb5_free_principal(context, in_creds.server); free_Ticket(&ticket); } if (keytab) krb5_kt_close(context, keytab); krb5_free_principal(context, me); krb5_cc_close(context, ccache); krb5_free_context(context); if (errors) exit(1); exit(0); }
krb5_error_code KRB5_CALLCONV krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal server_arg, krb5_keytab keytab_arg, krb5_ccache *ccache_arg, krb5_verify_init_creds_opt *options) { krb5_error_code ret; krb5_principal server; krb5_keytab keytab; krb5_ccache ccache; krb5_keytab_entry kte; krb5_creds in_creds, *out_creds; krb5_auth_context authcon; krb5_data ap_req; /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */ server = NULL; keytab = NULL; ccache = NULL; out_creds = NULL; authcon = NULL; ap_req.data = NULL; if (keytab_arg) { keytab = keytab_arg; } else { if ((ret = krb5_kt_default(context, &keytab))) goto cleanup; } if (server_arg) { ret = krb5_copy_principal(context, server_arg, &server); if (ret) goto cleanup; } else { /* Use a principal name from the keytab. */ ret = k5_kt_get_principal(context, keytab, &server); if (ret) { /* There's no keytab, or it's empty, or we can't read it. * Allow this unless configuration demands verification. */ if (!nofail(context, options, creds)) ret = 0; goto cleanup; } } /* first, check if the server is in the keytab. If not, there's no reason to continue. rd_req does all this, but there's no way to know that a given error is caused by a missing keytab or key, and not by some other problem. */ if (krb5_is_referral_realm(&server->realm)) { krb5_free_data_contents(context, &server->realm); ret = krb5_get_default_realm(context, &server->realm.data); if (ret) goto cleanup; server->realm.length = strlen(server->realm.data); } if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) { /* this means there is no keying material. This is ok, as long as it is not prohibited by the configuration */ if (!nofail(context, options, creds)) ret = 0; goto cleanup; } krb5_kt_free_entry(context, &kte); /* If the creds are for the server principal, we're set, just do a mk_req. * Otherwise, do a get_credentials first. */ if (krb5_principal_compare(context, server, creds->server)) { /* make an ap_req */ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds, &ap_req))) goto cleanup; } else { /* this is unclean, but it's the easiest way without ripping the library into very small pieces. store the client's initial cred in a memory ccache, then call the library. Later, we'll copy everything except the initial cred into the ccache we return to the user. A clean implementation would involve library internals with a coherent idea of "in" and "out". */ /* insert the initial cred into the ccache */ if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) { ccache = NULL; goto cleanup; } if ((ret = krb5_cc_initialize(context, ccache, creds->client))) goto cleanup; if ((ret = krb5_cc_store_cred(context, ccache, creds))) goto cleanup; /* set up for get_creds */ memset(&in_creds, 0, sizeof(in_creds)); in_creds.client = creds->client; in_creds.server = server; if ((ret = krb5_timeofday(context, &in_creds.times.endtime))) goto cleanup; in_creds.times.endtime += 5*60; if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds))) goto cleanup; /* make an ap_req */ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds, &ap_req))) goto cleanup; } /* wipe the auth context for mk_req */ if (authcon) { krb5_auth_con_free(context, authcon); authcon = NULL; } /* verify the ap_req */ if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL))) goto cleanup; /* if we get this far, then the verification succeeded. We can still fail if the library stuff here fails, but that's it */ if (ccache_arg && ccache) { if (*ccache_arg == NULL) { krb5_ccache retcc; retcc = NULL; if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) || (ret = krb5_cc_initialize(context, retcc, creds->client)) || (ret = copy_creds_except(context, ccache, retcc, creds->server))) { if (retcc) krb5_cc_destroy(context, retcc); } else { *ccache_arg = retcc; } } else { ret = copy_creds_except(context, ccache, *ccache_arg, server); } } /* if any of the above paths returned an errors, then ret is set accordingly. * Either that, or it's zero, which is fine, too */ cleanup: if ( server) krb5_free_principal(context, server); if (!keytab_arg && keytab) krb5_kt_close(context, keytab); if (ccache) krb5_cc_destroy(context, ccache); if (out_creds) krb5_free_creds(context, out_creds); if (authcon) krb5_auth_con_free(context, authcon); if (ap_req.data) free(ap_req.data); return(ret); }
int kt_copy (void *opt, int argc, char **argv) { krb5_error_code ret; krb5_keytab src_keytab, dst_keytab; krb5_kt_cursor cursor; krb5_keytab_entry entry, dummy; const char *from = argv[0]; const char *to = argv[1]; ret = krb5_kt_resolve (context, from, &src_keytab); if (ret) { krb5_warn (context, ret, "resolving src keytab `%s'", from); return 1; } ret = krb5_kt_resolve (context, to, &dst_keytab); if (ret) { krb5_kt_close (context, src_keytab); krb5_warn (context, ret, "resolving dst keytab `%s'", to); return 1; } ret = krb5_kt_start_seq_get (context, src_keytab, &cursor); if (ret) { krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string); goto out; } if (verbose_flag) fprintf(stderr, "copying %s to %s\n", from, to); while((ret = krb5_kt_next_entry(context, src_keytab, &entry, &cursor)) == 0) { char *name_str; char *etype_str; ret = krb5_unparse_name (context, entry.principal, &name_str); if(ret) { krb5_warn(context, ret, "krb5_unparse_name"); name_str = NULL; /* XXX */ } ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str); if(ret) { krb5_warn(context, ret, "krb5_enctype_to_string"); etype_str = NULL; /* XXX */ } ret = krb5_kt_get_entry(context, dst_keytab, entry.principal, entry.vno, entry.keyblock.keytype, &dummy); if(ret == 0) { /* this entry is already in the new keytab, so no need to copy it; if the keyblocks are not the same, something is weird, so complain about that */ if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) { krb5_warnx(context, "entry with different keyvalue " "already exists for %s, keytype %s, kvno %d", name_str, etype_str, entry.vno); } krb5_kt_free_entry(context, &dummy); krb5_kt_free_entry (context, &entry); free(name_str); free(etype_str); continue; } else if(ret != KRB5_KT_NOTFOUND) { krb5_warn (context, ret, "%s: fetching %s/%s/%u", to, name_str, etype_str, entry.vno); krb5_kt_free_entry (context, &entry); free(name_str); free(etype_str); break; } if (verbose_flag) fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str, etype_str, entry.vno); ret = krb5_kt_add_entry (context, dst_keytab, &entry); krb5_kt_free_entry (context, &entry); if (ret) { krb5_warn (context, ret, "%s: adding %s/%s/%u", to, name_str, etype_str, entry.vno); free(name_str); free(etype_str); break; } free(name_str); free(etype_str); } krb5_kt_end_seq_get (context, src_keytab, &cursor); out: krb5_kt_close (context, src_keytab); krb5_kt_close (context, dst_keytab); return ret != 0; }
krb5_error_code sss_extract_pac(krb5_context ctx, krb5_ccache ccache, krb5_principal server_principal, krb5_principal client_principal, krb5_keytab keytab, krb5_authdata ***_pac_authdata) { #ifdef HAVE_PAC_RESPONDER krb5_error_code kerr; krb5_creds mcred; krb5_creds cred; krb5_authdata **pac_authdata = NULL; krb5_pac pac = NULL; int ret; krb5_ticket *ticket = NULL; krb5_keytab_entry entry; memset(&entry, 0, sizeof(entry)); memset(&mcred, 0, sizeof(mcred)); memset(&cred, 0, sizeof(mcred)); mcred.server = server_principal; mcred.client = client_principal; kerr = krb5_cc_retrieve_cred(ctx, ccache, 0, &mcred, &cred); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_retrieve_cred failed.\n"); goto done; } kerr = krb5_decode_ticket(&cred.ticket, &ticket); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_decode_ticket failed.\n"); goto done; } kerr = krb5_server_decrypt_ticket_keytab(ctx, keytab, ticket); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_server_decrypt_ticket_keytab failed.\n"); goto done; } kerr = sss_krb5_find_authdata(ctx, ticket->enc_part2->authorization_data, NULL, KRB5_AUTHDATA_WIN2K_PAC, &pac_authdata); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_find_authdata failed.\n"); goto done; } if (pac_authdata == NULL || pac_authdata[0] == NULL) { DEBUG(SSSDBG_OP_FAILURE, "No PAC authdata available.\n"); kerr = ENOENT; goto done; } if (pac_authdata[1] != NULL) { DEBUG(SSSDBG_OP_FAILURE, "More than one PAC autdata found.\n"); kerr = EINVAL; goto done; } kerr = krb5_pac_parse(ctx, pac_authdata[0]->contents, pac_authdata[0]->length, &pac); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_pac_parse failed.\n"); goto done; } kerr = krb5_kt_get_entry(ctx, keytab, ticket->server, ticket->enc_part.kvno, ticket->enc_part.enctype, &entry); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_get_entry failed.\n"); goto done; } kerr = krb5_pac_verify(ctx, pac, 0, NULL, &entry.key, NULL); if (kerr != 0) { DEBUG(SSSDBG_OP_FAILURE, "krb5_pac_verify failed.\n"); goto done; } ret = unsetenv("_SSS_LOOPS"); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, " "sss_pac_make_request will most certainly fail.\n"); } *_pac_authdata = pac_authdata; kerr = 0; done: if (kerr != 0) { krb5_free_authdata(ctx, pac_authdata); } if (entry.magic != 0) { krb5_free_keytab_entry_contents(ctx, &entry); } krb5_pac_free(ctx, pac); if (ticket != NULL) { krb5_free_ticket(ctx, ticket); } krb5_free_cred_contents(ctx, &cred); return kerr; #else return ENOTSUP; #endif }
static void kt_test(krb5_context context, const char *name) { krb5_error_code kret; krb5_keytab kt; const char *type; char buf[BUFSIZ]; char *p; krb5_keytab_entry kent, kent2; krb5_principal princ; krb5_kt_cursor cursor, cursor2; int cnt; kret = krb5_kt_resolve(context, name, &kt); CHECK(kret, "resolve"); type = krb5_kt_get_type(context, kt); CHECK_STR(type, "getting kt type"); printf(" Type is: %s\n", type); kret = krb5_kt_get_name(context, kt, buf, sizeof(buf)); CHECK(kret, "get_name"); printf(" Name is: %s\n", buf); /* Check that length checks fail */ /* The buffer is allocated too small - to allow for valgrind test of overflows */ p = malloc(strlen(buf)); kret = krb5_kt_get_name(context, kt, p, 1); if(kret != KRB5_KT_NAME_TOOLONG) { CHECK(kret, "get_name - size 1"); } kret = krb5_kt_get_name(context, kt, p, strlen(buf)); if(kret != KRB5_KT_NAME_TOOLONG) { CHECK(kret, "get_name"); } free(p); /* Try to lookup unknown principal - when keytab does not exist*/ kret = krb5_parse_name(context, "test/[email protected]", &princ); CHECK(kret, "parsing principal"); kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); if((kret != KRB5_KT_NOTFOUND) && (kret != ENOENT)) { CHECK(kret, "Getting non-existant entry"); } /* =================== Add entries to keytab ================= */ /* * Add the following for this principal * enctype 1, kvno 1, key = "1" * enctype 2, kvno 1, key = "1" * enctype 1, kvno 2, key = "2" */ memset(&kent, 0, sizeof(kent)); kent.magic = KV5M_KEYTAB_ENTRY; kent.principal = princ; kent.timestamp = 327689; kent.vno = 1; kent.key.magic = KV5M_KEYBLOCK; kent.key.enctype = 1; kent.key.length = 1; kent.key.contents = (krb5_octet *) "1"; kret = krb5_kt_add_entry(context, kt, &kent); CHECK(kret, "Adding initial entry"); kent.key.enctype = 2; kret = krb5_kt_add_entry(context, kt, &kent); CHECK(kret, "Adding second entry"); kent.key.enctype = 1; kent.vno = 2; kent.key.contents = (krb5_octet *) "2"; kret = krb5_kt_add_entry(context, kt, &kent); CHECK(kret, "Adding third entry"); /* Free memory */ krb5_free_principal(context, princ); /* ============== Test iterating over contents of keytab ========= */ kret = krb5_kt_start_seq_get(context, kt, &cursor); CHECK(kret, "Start sequence get"); memset(&kent, 0, sizeof(kent)); cnt = 0; while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) { if(((kent.vno != 1) && (kent.vno != 2)) || ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Error in read contents\n"); exit(1); } if((kent.magic != KV5M_KEYTAB_ENTRY) || (kent.key.magic != KV5M_KEYBLOCK)) { fprintf(stderr, "Magic number in sequence not proper\n"); exit(1); } cnt++; krb5_free_keytab_entry_contents(context, &kent); } if (kret != KRB5_KT_END) { CHECK(kret, "getting next entry"); } if(cnt != 3) { fprintf(stderr, "Mismatch in number of entries in keytab"); } kret = krb5_kt_end_seq_get(context, kt, &cursor); CHECK(kret, "End sequence get"); /* ========================== get_entry tests ============== */ /* Try to lookup unknown principal - now that keytab exists*/ kret = krb5_parse_name(context, "test3/[email protected]", &princ); CHECK(kret, "parsing principal"); kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); if((kret != KRB5_KT_NOTFOUND)) { CHECK(kret, "Getting non-existant entry"); } krb5_free_principal(context, princ); /* Try to lookup known principal */ kret = krb5_parse_name(context, "test/[email protected]", &princ); CHECK(kret, "parsing principal"); kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - we did not specify an enctype or kvno */ if (!krb5_principal_compare(context, princ, kent.principal) || ((kent.vno != 1) && (kent.vno != 2)) || ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); /* Try to lookup a specific enctype - but unspecified kvno - should give * max kvno */ kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - we did specified an enctype */ if (!krb5_principal_compare(context, princ, kent.principal) || (kent.vno != 2) || (kent.key.enctype != 1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); /* Try to lookup unspecified enctype, but a specified kvno */ kret = krb5_kt_get_entry(context, kt, princ, 2, 0, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - we did not specify a kvno */ if (!krb5_principal_compare(context, princ, kent.principal) || (kent.vno != 2) || (kent.key.enctype != 1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); /* Try to lookup specified enctype and kvno */ kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent); CHECK(kret, "looking up principal"); if (!krb5_principal_compare(context, princ, kent.principal) || (kent.vno != 1) || (kent.key.enctype != 1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); /* Try lookup with active iterators. */ kret = krb5_kt_start_seq_get(context, kt, &cursor); CHECK(kret, "Start sequence get(2)"); kret = krb5_kt_start_seq_get(context, kt, &cursor2); CHECK(kret, "Start sequence get(3)"); kret = krb5_kt_next_entry(context, kt, &kent, &cursor); CHECK(kret, "getting next entry(2)"); krb5_free_keytab_entry_contents(context, &kent); kret = krb5_kt_next_entry(context, kt, &kent, &cursor); CHECK(kret, "getting next entry(3)"); kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); CHECK(kret, "getting next entry(4)"); krb5_free_keytab_entry_contents(context, &kent2); kret = krb5_kt_get_entry(context, kt, kent.principal, 0, 0, &kent2); CHECK(kret, "looking up principal(2)"); krb5_free_keytab_entry_contents(context, &kent2); kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); CHECK(kret, "getting next entry(5)"); if (!krb5_principal_compare(context, kent.principal, kent2.principal)) { fprintf(stderr, "iterators not in sync\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); krb5_free_keytab_entry_contents(context, &kent2); kret = krb5_kt_next_entry(context, kt, &kent, &cursor); CHECK(kret, "getting next entry(6)"); kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2); CHECK(kret, "getting next entry(7)"); krb5_free_keytab_entry_contents(context, &kent); krb5_free_keytab_entry_contents(context, &kent2); kret = krb5_kt_end_seq_get(context, kt, &cursor); CHECK(kret, "ending sequence get(1)"); kret = krb5_kt_end_seq_get(context, kt, &cursor2); CHECK(kret, "ending sequence get(2)"); /* Try to lookup specified enctype and kvno - that does not exist*/ kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent); if(kret != KRB5_KT_KVNONOTFOUND) { CHECK(kret, "looking up specific principal, kvno, enctype"); } krb5_free_principal(context, princ); /* ========================= krb5_kt_remove_entry =========== */ /* Lookup the keytab entry w/ 2 kvno - and delete version 2 - ensure gone */ kret = krb5_parse_name(context, "test/[email protected]", &princ); CHECK(kret, "parsing principal"); kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */ if (!krb5_principal_compare(context, princ, kent.principal) || (kent.vno != 2) || (kent.key.enctype != 1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); exit(1); } /* Delete it */ kret = krb5_kt_remove_entry(context, kt, &kent); CHECK(kret, "Removing entry"); krb5_free_keytab_entry_contents(context, &kent); /* And ensure gone */ kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */ if (!krb5_principal_compare(context, princ, kent.principal) || (kent.vno != 1) || (kent.key.enctype != 1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Delete principal check failed\n"); exit(1); } krb5_free_keytab_entry_contents(context, &kent); krb5_free_principal(context, princ); /* ======================= Finally close ======================= */ kret = krb5_kt_close(context, kt); CHECK(kret, "close"); }
static void test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2) { krb5_error_code ret; krb5_keytab id, id2, id3; krb5_keytab_entry entry, entry2, entry3; ret = krb5_kt_resolve(context, keytab, &id); if (ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); memset(&entry, 0, sizeof(entry)); ret = krb5_parse_name(context, "*****@*****.**", &entry.principal); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); entry.vno = 1; ret = krb5_generate_random_keyblock(context, ETYPE_AES256_CTS_HMAC_SHA1_96, &entry.keyblock); if (ret) krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); krb5_kt_add_entry(context, id, &entry); ret = krb5_kt_resolve(context, keytab, &id2); if (ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); ret = krb5_kt_get_entry(context, id, entry.principal, 0, ETYPE_AES256_CTS_HMAC_SHA1_96, &entry2); if (ret) krb5_err(context, 1, ret, "krb5_kt_get_entry"); krb5_kt_free_entry(context, &entry2); ret = krb5_kt_close(context, id); if (ret) krb5_err(context, 1, ret, "krb5_kt_close"); ret = krb5_kt_get_entry(context, id2, entry.principal, 0, ETYPE_AES256_CTS_HMAC_SHA1_96, &entry2); if (ret) krb5_err(context, 1, ret, "krb5_kt_get_entry"); krb5_kt_free_entry(context, &entry2); ret = krb5_kt_close(context, id2); if (ret) krb5_err(context, 1, ret, "krb5_kt_close"); ret = krb5_kt_resolve(context, keytab2, &id3); if (ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); memset(&entry3, 0, sizeof(entry3)); ret = krb5_parse_name(context, "*****@*****.**", &entry3.principal); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); entry3.vno = 1; ret = krb5_generate_random_keyblock(context, ETYPE_AES256_CTS_HMAC_SHA1_96, &entry3.keyblock); if (ret) krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); krb5_kt_add_entry(context, id3, &entry3); ret = krb5_kt_resolve(context, keytab, &id); if (ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); ret = krb5_kt_get_entry(context, id, entry.principal, 0, ETYPE_AES256_CTS_HMAC_SHA1_96, &entry2); if (ret == 0) krb5_errx(context, 1, "krb5_kt_get_entry when if should fail"); krb5_kt_remove_entry(context, id, &entry); ret = krb5_kt_close(context, id); if (ret) krb5_err(context, 1, ret, "krb5_kt_close"); krb5_kt_free_entry(context, &entry); krb5_kt_remove_entry(context, id3, &entry3); ret = krb5_kt_close(context, id3); if (ret) krb5_err(context, 1, ret, "krb5_kt_close"); krb5_free_principal(context, entry3.principal); krb5_free_keyblock_contents(context, &entry3.keyblock); }
static int create_krb5_tickets (krb5_context context, krb5_keytab kt) { krb5_error_code ret; krb5_keytab_entry entry; krb5_creds cred; krb5_enctype etype; krb5_ccache ccache; memset (&cred, 0, sizeof(cred)); ret = krb5_string_to_enctype (context, enc_type, &etype); if (ret) krb5_err (context, 1, ret, "krb5_string_to_enctype"); ret = krb5_kt_get_entry (context, kt, server_principal, 0, etype, &entry); if (ret) krb5_err (context, 1, ret, "krb5_kt_get_entry"); /* * setup cred */ ret = krb5_copy_principal (context, client_principal, &cred.client); if (ret) krb5_err (context, 1, ret, "krb5_copy_principal"); ret = krb5_copy_principal (context, server_principal, &cred.server); if (ret) krb5_err (context, 1, ret, "krb5_copy_principal"); krb5_generate_random_keyblock(context, etype, &cred.session); cred.times.authtime = time(NULL); cred.times.starttime = time(NULL); cred.times.endtime = time(NULL) + expiration_time; cred.times.renew_till = 0; krb5_data_zero(&cred.second_ticket); ret = krb5_get_all_client_addrs (context, &cred.addresses); if (ret) krb5_err (context, 1, ret, "krb5_get_all_client_addrs"); cred.flags.b = ticket_flags; /* * Encode encrypted part of ticket */ encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred); /* * Write to cc */ if (ccache_str) { ret = krb5_cc_resolve(context, ccache_str, &ccache); if (ret) krb5_err (context, 1, ret, "krb5_cc_resolve"); } else { ret = krb5_cc_default (context, &ccache); if (ret) krb5_err (context, 1, ret, "krb5_cc_default"); } ret = krb5_cc_initialize (context, ccache, cred.client); if (ret) krb5_err (context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_store_cred (context, ccache, &cred); if (ret) krb5_err (context, 1, ret, "krb5_cc_store_cred"); krb5_free_cred_contents (context, &cred); krb5_cc_close (context, ccache); return 0; }
/* * Find a keytab entry to use for a given target hostname. * Tries to find the most appropriate keytab to use given the * name of the host we are trying to connect with. */ static int find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname, krb5_keytab_entry *kte, const char **svcnames) { krb5_error_code code; char **realmnames = NULL; char myhostname[NI_MAXHOST], targethostname[NI_MAXHOST]; char myhostad[NI_MAXHOST + 1]; int i, j, retval; char *default_realm = NULL; char *realm; char *k5err = NULL; int tried_all = 0, tried_default = 0; krb5_principal princ; /* Get full target hostname */ retval = get_full_hostname(hostname, targethostname, sizeof(targethostname)); if (retval) goto out; /* Get full local hostname */ retval = gethostname(myhostname, sizeof(myhostname)); if (retval) { k5err = gssd_k5_err_msg(context, retval); printerr(1, "%s while getting local hostname\n", k5err); gsh_free(k5err); goto out; } /* Compute the active directory machine name HOST$ */ strcpy(myhostad, myhostname); for (i = 0; myhostad[i] != 0; ++i) myhostad[i] = toupper(myhostad[i]); myhostad[i] = '$'; myhostad[i + 1] = 0; retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname)); if (retval) goto out; code = krb5_get_default_realm(context, &default_realm); if (code) { retval = code; k5err = gssd_k5_err_msg(context, code); printerr(1, "%s while getting default realm name\n", k5err); gsh_free(k5err); goto out; } /* * Get the realm name(s) for the target hostname. * In reality, this function currently only returns a * single realm, but we code with the assumption that * someday it may actually return a list. */ code = krb5_get_host_realm(context, targethostname, &realmnames); if (code) { k5err = gssd_k5_err_msg(context, code); printerr(0, "ERROR: %s while getting realm(s) for host '%s'\n", k5err, targethostname); gsh_free(k5err); retval = code; goto out; } /* * Try the "appropriate" realm first, and if nothing found for that * realm, try the default realm (if it hasn't already been tried). */ i = 0; realm = realmnames[i]; while (1) { if (realm == NULL) { tried_all = 1; if (!tried_default) realm = default_realm; } if (tried_all && tried_default) break; if (strcmp(realm, default_realm) == 0) tried_default = 1; for (j = 0; svcnames[j] != NULL; j++) { char spn[300]; /* * The special svcname "$" means 'try the active * directory machine account' */ if (strcmp(svcnames[j], "$") == 0) { snprintf(spn, sizeof(spn), "%s@%s", myhostad, realm); code = krb5_build_principal_ext(context, &princ, strlen(realm), realm, strlen(myhostad), myhostad, NULL); } else { snprintf(spn, sizeof(spn), "%s/%s@%s", svcnames[j], myhostname, realm); code = krb5_build_principal_ext(context, &princ, strlen(realm), realm, strlen(svcnames [j]), svcnames[j], strlen(myhostname), myhostname, NULL); } if (code) { k5err = gssd_k5_err_msg(context, code); printerr(1, "%s while building principal for '%s'\n", k5err, spn); gsh_free(k5err); continue; } code = krb5_kt_get_entry(context, kt, princ, 0, 0, kte); krb5_free_principal(context, princ); if (code) { k5err = gssd_k5_err_msg(context, code); printerr(3, "%s while getting keytab entry for '%s'\n", k5err, spn); gsh_free(k5err); } else { printerr(3, "Success getting keytab entry for '%s'\n", spn); retval = 0; goto out; } retval = code; } /* * Nothing found with our hostname instance, now look for * names with any instance (they must have an instance) */ for (j = 0; svcnames[j] != NULL; j++) { int found = 0; if (strcmp(svcnames[j], "$") == 0) continue; code = gssd_search_krb5_keytab(context, kt, realm, svcnames[j], &found, kte); if (!code && found) { printerr(3, "Success getting keytab entry for " "%s/*@%s\n", svcnames[j], realm); retval = 0; goto out; } } if (!tried_all) { i++; realm = realmnames[i]; } } out: if (default_realm) k5_free_default_realm(context, default_realm); if (realmnames) krb5_free_host_realm(context, realmnames); return retval; }
krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to, const char *principal, krb5_kvno kvno, krb5_enctype *enctypes) { krb5_error_code ret; krb5_keytab src_keytab, dst_keytab; krb5_keytab_entry entry; krb5_principal princ; int i; bool found_one = false; ret = krb5_parse_name (context, principal, &princ); if(ret) { krb5_set_error_message(context, ret, "krb5_unparse_name"); return ret; } ret = krb5_kt_resolve (context, from, &src_keytab); if (ret) { krb5_set_error_message(context, ret, "resolving src keytab `%s'", from); return ret; } ret = krb5_kt_resolve (context, to, &dst_keytab); if (ret) { krb5_kt_close (context, src_keytab); krb5_set_error_message(context, ret, "resolving dst keytab `%s'", to); return ret; } for (i=0; enctypes[i]; i++) { ret = krb5_kt_get_entry(context, src_keytab, princ, kvno, enctypes[i], &entry); if (ret == KRB5_KT_NOTFOUND) { continue; } else if (ret) { break; } found_one = true; ret = copy_one_entry(context, src_keytab, dst_keytab, entry); if (ret) { break; } } if (ret == KRB5_KT_NOTFOUND) { if (!found_one) { char *princ_string; int ret2 = krb5_unparse_name (context, princ, &princ_string); if (ret2) { krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string); } } else { /* Not finding an enc type is not an error, as long as we copied one for the principal */ ret = 0; } } krb5_kt_close (context, src_keytab); krb5_kt_close (context, dst_keytab); return ret; }
static krb5_error_code get_keytab(krb5_context context, gsskrb5_cred handle, int require_lkdc) { krb5_error_code kret; HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); if (_gsskrb5_keytab != NULL) { char *name = NULL; kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name); if (kret == 0) { kret = krb5_kt_resolve(context, name, &handle->keytab); krb5_xfree(name); } } else kret = krb5_kt_default(context, &handle->keytab); if (kret) goto out; /* * If caller requested, check that we have the user in the keytab. */ if (handle->principal) { krb5_keytab_entry entry; if (krb5_principal_is_gss_hostbased_service(context, handle->principal)) { /* * check if we have a service in the keytab */ const char *service = handle->principal->name.name_string.val[0]; if (!check_keytab(context, handle, service, require_lkdc)) { kret = KRB5_KT_NOTFOUND; krb5_set_error_message(context, kret, "Didn't find service %s in keytab", service); goto out; } } else { kret = krb5_kt_get_entry(context, handle->keytab, handle->principal, 0, 0, &entry); if (kret) goto out; /* * Update the name with the entry from the keytab in case we * have a gss hostname service name principal */ krb5_free_principal(context, handle->principal); kret = krb5_copy_principal(context, entry.principal, &handle->principal); krb5_kt_free_entry(context, &entry); if (kret) goto out; } } else { if (!check_keytab(context, handle, NULL, require_lkdc)) { kret = KRB5_KT_NOTFOUND; goto out; } } out: if (kret && handle->keytab) { krb5_kt_close(context, handle->keytab); handle->keytab = NULL; } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); return (kret); }
/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), ** and krb5 AP_REQ message & message length, ** Return Kerberos session key and client principle ** to SSL Server in KSSL_CTX *kssl_ctx. ** ** 19990702 VRS Started. */ krb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, /* IN */ krb5_data *indata, /* OUT */ krb5_ticket_times *ttimes, /* OUT */ KSSL_ERR *kssl_err ) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; static krb5_context krb5context = NULL; static krb5_auth_context krb5auth_context = NULL; krb5_ticket *krb5ticket = NULL; KRB5_TKTBODY *asn1ticket = NULL; const unsigned char *p; krb5_keytab krb5keytab = NULL; krb5_keytab_entry kt_entry; krb5_principal krb5server; krb5_rcache rcache = NULL; kssl_err_set(kssl_err, 0, ""); if (!kssl_ctx) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); goto err; } #ifdef KSSL_DEBUG printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); #endif /* KSSL_DEBUG */ if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_init_context() fails.\n"); goto err; } if (krb5auth_context && (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_free() fails.\n"); goto err; } else krb5auth_context = NULL; if (!krb5auth_context && (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_init() fails.\n"); goto err; } if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, &rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_getrcache() fails.\n"); goto err; } if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC, KRB5_NT_SRV_HST, &krb5server)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_sname_to_principal() fails.\n"); goto err; } if (rcache == NULL) { if ((krb5rc = krb5_get_server_rcache(krb5context, krb5_princ_component(krb5context, krb5server, 0), &rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_get_server_rcache() fails.\n"); goto err; } } if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_setrcache() fails.\n"); goto err; } /* kssl_ctx->keytab_file == NULL ==> use Kerberos default */ if (kssl_ctx->keytab_file) { krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, &krb5keytab); if (krb5rc) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_kt_resolve() fails.\n"); goto err; } } else { krb5rc = krb5_kt_default(krb5context, &krb5keytab); if (krb5rc) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_kt_default() fails.\n"); goto err; } } /* Actual Kerberos5 krb5_recvauth() has initial conversation here ** o check KRB5_SENDAUTH_BADAUTHVERS ** unless KRB5_RECVAUTH_SKIP_VERSION ** o check KRB5_SENDAUTH_BADAPPLVERS ** o send "0" msg if all OK */ /* 20010411 was using AP_REQ instead of true KerberosWrapper ** ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, ** &krb5in_data, krb5server, krb5keytab, ** &ap_option, &krb5ticket)) != 0) { Error } */ p = (unsigned char *)indata->data; if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, (long)indata->length)) == NULL) { (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */ if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, kssl_err)) != 0) { (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "Error converting ASN.1 ticket to krb5_ticket.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if (!krb5_principal_compare(krb5context, krb5server, krb5ticket->server)) { krb5rc = KRB5_PRINC_NOMATCH; (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "server principal != ticket principal\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, krb5ticket->server, krb5ticket->enc_part.kvno, krb5ticket->enc_part.enctype, &kt_entry)) != 0) { (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "krb5_kt_get_entry() fails with %x.\n", krb5rc); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, krb5ticket)) != 0) { (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "krb5_decrypt_tkt_part() failed.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } else { krb5_kt_free_entry(krb5context, &kt_entry); #ifdef KSSL_DEBUG { int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; printf("Decrypted ticket fields:\n"); printf("\tflags: %X, transit-type: %X", krb5ticket->enc_part2->flags, krb5ticket->enc_part2->transited.tr_type); print_krb5_data("\ttransit-data: ", &(krb5ticket->enc_part2->transited.tr_contents)); printf("\tcaddrs: %p, authdata: %p\n", krb5ticket->enc_part2->caddrs, krb5ticket->enc_part2->authorization_data); if (paddr) { printf("\tcaddrs:\n"); for (i = 0; paddr[i] != NULL; i++) { krb5_data d; d.length = paddr[i]->length; d.data = paddr[i]->contents; print_krb5_data("\t\tIP: ", &d); } } printf("\tstart/auth/end times: %d / %d / %d\n", krb5ticket->enc_part2->times.starttime, krb5ticket->enc_part2->times.authtime, krb5ticket->enc_part2->times.endtime); } #endif /* KSSL_DEBUG */ } krb5rc = KRB5_NO_TKT_SUPPLIED; if (!krb5ticket || !krb5ticket->enc_part2 || !krb5ticket->enc_part2->client || !krb5ticket->enc_part2->client->data || !krb5ticket->enc_part2->session) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "bad ticket from krb5_rd_req.\n"); } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, &krb5ticket->enc_part2->client->realm, krb5ticket->enc_part2->client->data, krb5ticket->enc_part2->client->length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setprinc() fails.\n"); } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setkey() fails.\n"); } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) { krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "invalid ticket from krb5_rd_req.\n"); } else krb5rc = 0; kssl_ctx->enctype = krb5ticket->enc_part.enctype; ttimes->authtime = krb5ticket->enc_part2->times.authtime; ttimes->starttime = krb5ticket->enc_part2->times.starttime; ttimes->endtime = krb5ticket->enc_part2->times.endtime; ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; err: #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket); if (krb5server) krb5_free_principal(krb5context, krb5server); return (krb5rc); }