/* Display the name of enctype. */
static void
display_enctype(krb5_enctype enctype)
{
char ename[128];
if (krb5_enctype_to_name(enctype, FALSE, ename, sizeof(ename)) == 0)
fputs(ename, stdout);
else
fputs("(unknown)", stdout);
}
static char *
etype_string(krb5_enctype enctype)
{
static char buf[100];
krb5_error_code ret;
ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf));
if (ret)
snprintf(buf, sizeof(buf), "etype %d", enctype);
return buf;
}
PyObject *pykadmin_key_enctype_name(krb5_key_data *key_data) {
PyObject *enctype = NULL;
// make sure this is enough.
char buffer[1024];
if (krb5_enctype_to_name(key_data->key_data_type[0], FALSE, buffer, sizeof(buffer)))
snprintf(buffer, sizeof(buffer), "<Encryption type 0x%x>", key_data->key_data_type[0]);
enctype = PyUnicode_FromString(buffer);
return enctype;
}
/* Write an enctype field, optionally as decimal. */
static krb5_error_code
write_enctype(struct rec_args *args, krb5_int16 etype)
{
char buf[256];
krb5_error_code ret;
struct rechandle *h = args->rh;
struct tdopts *opts = args->opts;
if (!opts->numeric) {
ret = krb5_enctype_to_name(etype, 0, buf, sizeof(buf));
if (ret == 0) {
if (writefield(h, "%s", buf) < 0)
return errno;
return ret;
}
}
/* decimal if requested, or if conversion failed */
if (writefield(h, "%d", etype) < 0)
return errno;
return 0;
}
void
kdb5_list_mkeys(int argc, char *argv[])
{
krb5_error_code retval;
char *mkey_fullname = NULL, *output_str = NULL, enctype[BUFSIZ];
krb5_kvno act_kvno;
krb5_timestamp act_time;
krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
krb5_db_entry *master_entry;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
exit_status++;
return;
}
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup_return;
}
if (actkvno_list == NULL) {
act_kvno = master_entry->key_data[0].key_data_kvno;
} else {
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
&act_mkey);
if (retval == KRB5_KDB_NOACTMASTERKEY) {
/* Maybe we went through a time warp, and the only keys
with activation dates have them set in the future? */
com_err(progname, retval, "");
/* Keep going. */
act_kvno = -1;
} else if (retval != 0) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup_return;
}
}
printf("Master keys for Principal: %s\n", mkey_fullname);
for (cur_kb_node = master_keylist; cur_kb_node != NULL;
cur_kb_node = cur_kb_node->next) {
if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
FALSE, enctype, sizeof(enctype)))) {
com_err(progname, retval, _("while getting enctype description"));
exit_status++;
goto cleanup_return;
}
if (actkvno_list != NULL) {
act_time = -1; /* assume actkvno entry not found */
for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
act_time = cur_actkvno->act_time;
break;
}
}
} else {
/*
* mkey princ doesn't have an active knvo list so assume the current
* key is active now
*/
if ((retval = krb5_timeofday(util_context, &act_time))) {
com_err(progname, retval, _("while getting current time"));
exit_status++;
goto cleanup_return;
}
}
if (cur_kb_node->kvno == act_kvno) {
/* * indicates kvno is currently active */
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s *\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
if (act_time != -1) {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, No activate time "
"set\n"), cur_kb_node->kvno, enctype);
}
}
if (retval == -1) {
com_err(progname, ENOMEM, _("asprintf could not allocate enough "
"memory to hold output"));
exit_status++;
goto cleanup_return;
}
printf("%s", output_str);
free(output_str);
output_str = NULL;
}
cleanup_return:
/* clean up */
(void) krb5_db_fini(util_context);
krb5_free_unparsed_name(util_context, mkey_fullname);
free(output_str);
krb5_free_principal(util_context, master_princ);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
return;
}
void
kdb5_list_mkeys(int argc, char *argv[])
{
krb5_error_code retval;
char *output_str = NULL, enctype[BUFSIZ];
krb5_kvno act_kvno;
krb5_timestamp act_time;
krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
krb5_db_entry *master_entry = NULL;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
&act_mkey);
if (retval != 0) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup_return;
}
printf("Master keys for Principal: %s\n", mkey_fullname);
for (cur_kb_node = master_keylist; cur_kb_node != NULL;
cur_kb_node = cur_kb_node->next) {
if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
FALSE, enctype, sizeof(enctype)))) {
com_err(progname, retval, _("while getting enctype description"));
exit_status++;
goto cleanup_return;
}
act_time = -1; /* assume actkvno entry not found */
for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
act_time = cur_actkvno->act_time;
break;
}
}
if (cur_kb_node->kvno == act_kvno) {
/* * indicates kvno is currently active */
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s *\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
if (act_time != -1) {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, No activate time "
"set\n"), cur_kb_node->kvno, enctype);
}
}
if (retval == -1) {
com_err(progname, ENOMEM, _("asprintf could not allocate enough "
"memory to hold output"));
exit_status++;
goto cleanup_return;
}
printf("%s", output_str);
free(output_str);
output_str = NULL;
}
cleanup_return:
/* clean up */
krb5_db_free_principal(util_context, master_entry);
free(output_str);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
return;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context = NULL;
size_t i;
struct test *test;
krb5_keyblock kb, *kbp;
krb5_checksum cksum;
krb5_cksumtype mtype;
krb5_boolean valid, verbose = FALSE;
int status = 0;
if (argc >= 2 && strcmp(argv[1], "-v") == 0)
verbose = TRUE;
for (i = 0; i < sizeof(test_cases) / sizeof(*test_cases); i++) {
test = &test_cases[i];
if (test->enctype != 0) {
kb.magic = KV5M_KEYBLOCK;
kb.enctype = test->enctype;
kb.length = test->keybits.length;
kb.contents = (unsigned char *)test->keybits.data;
kbp = &kb;
} else
kbp = NULL;
ret = krb5_c_make_checksum(context, test->sumtype, kbp, test->usage,
&test->plaintext, &cksum);
assert(!ret);
if (verbose) {
char buf[64];
krb5_cksumtype_to_string(test->sumtype, buf, sizeof(buf));
printf("\nTest %d:\n", (int)i);
printf("Plaintext: %.*s\n", (int)test->plaintext.length,
test->plaintext.data);
printf("Checksum type: %s\n", buf);
if (test->enctype != 0) {
krb5_enctype_to_name(test->enctype, FALSE, buf, sizeof(buf));
printf("Enctype: %s\n", buf);
printhex("Key: ", test->keybits.data, test->keybits.length);
printf("Key usage: %d\n", (int)test->usage);
}
printhex("Checksum: ", cksum.contents, cksum.length);
}
if (test->cksum.length != cksum.length ||
memcmp(test->cksum.data, cksum.contents, cksum.length) != 0) {
printf("derive test %d failed\n", (int)i);
status = 1;
if (!verbose)
break;
}
/* Test that the checksum verifies successfully. */
ret = krb5_c_verify_checksum(context, kbp, test->usage,
&test->plaintext, &cksum, &valid);
assert(!ret);
if (!valid) {
printf("test %d verify failed\n", (int)i);
status = 1;
if (!verbose)
break;
}
if (kbp != NULL) {
ret = krb5int_c_mandatory_cksumtype(context, kbp->enctype, &mtype);
assert(!ret);
if (test->sumtype == mtype) {
/* Test that a checksum type of 0 uses the mandatory checksum
* type for the key. */
cksum.checksum_type = 0;
ret = krb5_c_verify_checksum(context, kbp, test->usage,
&test->plaintext, &cksum, &valid);
assert(!ret && valid);
}
}
krb5_free_checksum_contents(context, &cksum);
}
return status;
}
/* Return a helpful error code and message when we fail to find a key after
* iterating over the keytab. */
static krb5_error_code
iteration_error(krb5_context context, krb5_const_principal server,
krb5_const_principal tkt_server, krb5_kvno tkt_kvno,
krb5_enctype tkt_etype, krb5_boolean tkt_server_mismatch,
krb5_boolean found_server_match, krb5_boolean found_tkt_server,
krb5_boolean found_kvno, krb5_boolean found_higher_kvno,
krb5_boolean found_enctype)
{
krb5_error_code ret;
char *sname = NULL, *tsname = NULL, encname[128];
ret = unparse_princs(context, server, tkt_server, &sname, &tsname);
if (ret)
return ret;
if (krb5_enctype_to_name(tkt_etype, TRUE, encname, sizeof(encname)) != 0)
(void)snprintf(encname, sizeof(encname), "%d", (int)tkt_etype);
if (!found_server_match) {
ret = KRB5KRB_AP_ERR_NOKEY;
if (sname == NULL) {
krb5_set_error_message(context, ret, _("No keys in keytab"));
} else {
krb5_set_error_message(context, ret,
_("Server principal %s does not match any "
"keys in keytab"), sname);
}
} else if (tkt_server_mismatch) {
assert(sname != NULL); /* Null server princ would match anything. */
ret = KRB5KRB_AP_ERR_NOT_US;
krb5_set_error_message(context, ret,
_("Request ticket server %s found in keytab "
"but does not match server principal %s"),
tsname, sname);
} else if (!found_tkt_server) {
ret = KRB5KRB_AP_ERR_NOT_US;
krb5_set_error_message(context, ret,
_("Request ticket server %s not found in "
"keytab (ticket kvno %d)"),
tsname, (int)tkt_kvno);
} else if (!found_kvno) {
ret = KRB5KRB_AP_ERR_BADKEYVER;
if (found_higher_kvno) {
krb5_set_error_message(context, ret,
_("Request ticket server %s kvno %d not "
"found in keytab; ticket is likely out "
"of date"), tsname, (int)tkt_kvno);
} else {
krb5_set_error_message(context, ret,
_("Request ticket server %s kvno %d not "
"found in keytab; keytab is likely out "
"of date"), tsname, (int)tkt_kvno);
}
} else if (!found_enctype) {
/* There's no defined error for having the key version but not the
* enctype. */
ret = KRB5KRB_AP_ERR_BADKEYVER;
krb5_set_error_message(context, ret,
_("Request ticket server %s kvno %d found in "
"keytab but not with enctype %s"),
tsname, (int)tkt_kvno, encname);
} else {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
krb5_set_error_message(context, ret,
_("Request ticket server %s kvno %d enctype %s "
"found in keytab but cannot decrypt ticket"),
tsname, (int)tkt_kvno, encname);
}
krb5_free_unparsed_name(context, sname);
krb5_free_unparsed_name(context, tsname);
return ret;
}
