int main(int argc, char **argv) { struct testcase *t; krb5_context context; krb5_error_code ret; int val = 0; ret = krb5_init_context (&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); /* to enable realm-less principal name above */ krb5_set_default_realm(context, ""); for (t = tests; t->principal_name; ++t) { krb5_keyblock key; krb5_principal principal; int i; ret = krb5_parse_name (context, t->principal_name, &principal); if (ret) krb5_err (context, 1, ret, "krb5_parse_name %s", t->principal_name); ret = krb5_string_to_key (context, t->enctype, t->password, principal, &key); if (ret) krb5_err (context, 1, ret, "krb5_string_to_key"); krb5_free_principal (context, principal); if (memcmp (key.keyvalue.data, t->res, key.keyvalue.length) != 0) { const unsigned char *p = key.keyvalue.data; printf ("string_to_key(%s, %s) failed\n", t->principal_name, t->password); printf ("should be: "); for (i = 0; i < key.keyvalue.length; ++i) printf ("%02x", t->res[i]); printf ("\nresult was: "); for (i = 0; i < key.keyvalue.length; ++i) printf ("%02x", p[i]); printf ("\n"); val = 1; } krb5_free_keyblock_contents(context, &key); } krb5_free_context(context); return val; }
int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype) { int ret; krb5_data salt; krb5_encrypt_block eblock; ret = krb5_principal2salt(context, host_princ, &salt); if (ret) { DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); return ret; } krb5_use_enctype(context, &eblock, enctype); ret = krb5_string_to_key(context, &eblock, key, password, &salt); SAFE_FREE(salt.data); return ret; }
static void print_and_decode_tkt (krb5_context context, krb5_data *ticket, krb5_principal server, krb5_enctype enctype) { krb5_error_code ret; krb5_crypto crypto; krb5_data dec_data; size_t len; EncTicketPart decr_part; krb5_keyblock key; Ticket tkt; ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len); if (ret) krb5_err (context, 1, ret, "decode_Ticket"); ret = krb5_string_to_key (context, enctype, "foo", server, &key); if (ret) krb5_err (context, 1, ret, "krb5_string_to_key"); ret = krb5_crypto_init(context, &key, 0, &crypto); if (ret) krb5_err (context, 1, ret, "krb5_crypto_init"); ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET, &tkt.enc_part, &dec_data); krb5_crypto_destroy (context, crypto); if (ret) krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData"); ret = decode_EncTicketPart (dec_data.data, dec_data.length, &decr_part, &len); krb5_data_free (&dec_data); if (ret) krb5_err (context, 1, ret, "krb5_decode_EncTicketPart"); free_EncTicketPart(&decr_part); }
krb5KeyblockObject *keyblock_new(PyObject *unused, PyObject *args) { krb5_error_code ret; krb5ContextObject *context; krb5EnctypeObject *enctype; char *password; PyObject *arg; krb5KeyblockObject *self = (krb5KeyblockObject *) PyObject_New(krb5KeyblockObject, &krb5KeyblockType); int error = 0; if (!PyArg_ParseTuple(args, "OOsO", &context, &enctype, &password, &arg)) return NULL; if (self == NULL) return NULL; self->context = context->context; #if PY_MAJOR_VERSION >= 2 && PY_MINOR_VERSION >= 2 if (PyObject_TypeCheck(arg, &krb5SaltType)) { krb5SaltObject *salt = (krb5SaltObject*)arg; ret = krb5_string_to_key_salt(context->context, enctype->enctype, password, salt->salt, &self->keyblock); } else if (PyObject_TypeCheck(arg, &krb5PrincipalType)) { #else if (1) { #endif krb5PrincipalObject *principal = (krb5PrincipalObject*)arg; ret = krb5_string_to_key(context->context, enctype->enctype, password, principal->principal, &self->keyblock); } else { PyErr_SetString(PyExc_TypeError, "either principal or salt needs to be passed"); error = 1; goto out; } if (ret) { error = 1; krb5_exception(NULL, ret); goto out; } out: if (error) return NULL; else return self; } krb5KeyblockObject *keyblock_raw_new(PyObject *unused, PyObject *args) { krb5_error_code ret; krb5ContextObject *py_context; PyObject *py_enctype; PyObject *py_key; uint8_t *key_buf; size_t key_len; krb5_enctype enctype; int error = 0; krb5KeyblockObject *self = (krb5KeyblockObject *) PyObject_NEW(krb5KeyblockObject, &krb5KeyblockType); if (!PyArg_ParseTuple(args, "O!OS", &krb5ContextType, &py_context, &py_enctype, &py_key)) return NULL; if (self == NULL) return NULL; self->context = py_context->context; if (PyObject_TypeCheck(py_enctype, &krb5EnctypeType)) { krb5EnctypeObject *enctype_obj = (krb5EnctypeObject*)py_enctype; enctype = enctype_obj>enctype; } else if (PyInt_Check(py_enctype)) { enctype = PyInt_AsLong(py_enctype); } else { PyErr_SetString(PyExc_TypeError, "enctype must be of type integer or krb5EnctypeObject"); error = 1; goto out; } key_buf = (uint8_t *) PyString_AsString(py_key); key_len = PyString_Size(py_key); ret = krb5_keyblock_init(py_context->context, enctype, key_buf, key_len, &self->keyblock); if (ret) { error = 1; krb5_exception(NULL, ret); goto out; } out: if (error) return NULL; else return self; }
int main(int argc, char **argv) { krb5_context context; krb5_keytab kt; krb5_keytab_entry ktent; krb5_encrypt_block eblock; krb5_creds my_creds; krb5_get_init_creds_opt *opt; kadm5_principal_ent_rec princ_ent; krb5_principal princ, server; char pw[16]; char *whoami, *principal, *authprinc, *authpwd; krb5_data pwdata; void *handle; int ret, test, encnum; unsigned int i; whoami = argv[0]; if (argc < 2 || argc > 4) { fprintf(stderr, "Usage: %s principal [authuser] [authpwd]\n", whoami); exit(1); } principal = argv[1]; authprinc = (argc > 2) ? argv[2] : argv[0]; authpwd = (argc > 3) ? argv[3] : NULL; /* * Setup. Initialize data structures, open keytab, open connection * to kadm5 server. */ memset(&context, 0, sizeof(context)); kadm5_init_krb5_context(&context); ret = krb5_parse_name(context, principal, &princ); if (ret) { com_err(whoami, ret, "while parsing principal name %s", principal); exit(1); } if((ret = krb5_build_principal_ext(context, &server, krb5_princ_realm(kcontext, princ)->length, krb5_princ_realm(kcontext, princ)->data, tgtname.length, tgtname.data, krb5_princ_realm(kcontext, princ)->length, krb5_princ_realm(kcontext, princ)->data, 0))) { com_err(whoami, ret, "while building server name"); exit(1); } ret = krb5_kt_default(context, &kt); if (ret) { com_err(whoami, ret, "while opening keytab"); exit(1); } ret = kadm5_init(context, authprinc, authpwd, KADM5_ADMIN_SERVICE, NULL, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, &handle); if (ret) { com_err(whoami, ret, "while initializing connection"); exit(1); } /* these pw's don't need to be secure, just different every time */ SRAND((RAND_TYPE)time((void *) NULL)); pwdata.data = pw; pwdata.length = sizeof(pw); /* * For each test: * * For each enctype in the test, construct a random password/key. * Assign all keys to principal with kadm5_setkey_principal. Add * each key to the keytab, and acquire an initial ticket with the * keytab (XXX can I specify the kvno explicitly?). If * krb5_get_init_creds_keytab succeeds, then the keys were set * successfully. */ for (test = 0; tests[test] != NULL; test++) { krb5_keyblock *testp = tests[test]; kadm5_key_data *extracted; int n_extracted, match; printf("+ Test %d:\n", test); for (encnum = 0; testp[encnum].magic != -1; encnum++) { for (i = 0; i < sizeof(pw); i++) pw[i] = (RAND() % 26) + '0'; /* XXX */ krb5_use_enctype(context, &eblock, testp[encnum].enctype); ret = krb5_string_to_key(context, &eblock, &testp[encnum], &pwdata, NULL); if (ret) { com_err(whoami, ret, "while converting string to key"); exit(1); } } /* now, encnum == # of keyblocks in testp */ ret = kadm5_setkey_principal(handle, princ, testp, encnum); if (ret) { com_err(whoami, ret, "while setting keys"); exit(1); } ret = kadm5_get_principal(handle, princ, &princ_ent, KADM5_KVNO); if (ret) { com_err(whoami, ret, "while retrieving principal"); exit(1); } ret = kadm5_get_principal_keys(handle, princ, 0, &extracted, &n_extracted); if (ret) { com_err(whoami, ret, "while extracting keys"); exit(1); } for (encnum = 0; testp[encnum].magic != -1; encnum++) { printf("+ enctype %d\n", testp[encnum].enctype); for (match = 0; match < n_extracted; match++) { if (extracted[match].key.enctype == testp[encnum].enctype) break; } if (match >= n_extracted) { com_err(whoami, KRB5_WRONG_ETYPE, "while matching enctypes"); exit(1); } if (extracted[match].key.length != testp[encnum].length || memcmp(extracted[match].key.contents, testp[encnum].contents, testp[encnum].length) != 0) { com_err(whoami, KRB5_KDB_NO_MATCHING_KEY, "verifying keys"); exit(1); } memset(&ktent, 0, sizeof(ktent)); ktent.principal = princ; ktent.key = testp[encnum]; ktent.vno = princ_ent.kvno; ret = krb5_kt_add_entry(context, kt, &ktent); if (ret) { com_err(whoami, ret, "while adding keytab entry"); exit(1); } memset(&my_creds, 0, sizeof(my_creds)); my_creds.client = princ; my_creds.server = server; ktypes[0] = testp[encnum].enctype; ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) { com_err(whoami, ret, "while allocating gic opts"); exit(1); } krb5_get_init_creds_opt_set_etype_list(opt, ktypes, 1); ret = krb5_get_init_creds_keytab(context, &my_creds, princ, kt, 0, NULL /* in_tkt_service */, opt); krb5_get_init_creds_opt_free(context, opt); if (ret) { com_err(whoami, ret, "while acquiring initial ticket"); exit(1); } krb5_free_cred_contents(context, &my_creds); /* since I can't specify enctype explicitly ... */ ret = krb5_kt_remove_entry(context, kt, &ktent); if (ret) { com_err(whoami, ret, "while removing keytab entry"); exit(1); } } (void)kadm5_free_kadm5_key_data(context, n_extracted, extracted); } ret = krb5_kt_close(context, kt); if (ret) { com_err(whoami, ret, "while closing keytab"); exit(1); } ret = kadm5_destroy(handle); if (ret) { com_err(whoami, ret, "while closing kadmin connection"); exit(1); } krb5_free_principal(context, princ); krb5_free_principal(context, server); krb5_free_context(context); return 0; }
int kt_add(struct add_options *opt, int argc, char **argv) { krb5_error_code ret; krb5_keytab keytab; krb5_keytab_entry entry; char buf[1024]; krb5_enctype enctype; if((keytab = ktutil_open_keytab()) == NULL) return 1; memset(&entry, 0, sizeof(entry)); if(opt->principal_string == NULL) { if(readstring("Principal: ", buf, sizeof(buf)) == NULL) return 1; opt->principal_string = buf; } ret = krb5_parse_name(context, opt->principal_string, &entry.principal); if(ret) { krb5_warn(context, ret, "%s", opt->principal_string); goto out; } if(opt->enctype_string == NULL) { if(readstring("Encryption type: ", buf, sizeof(buf)) == NULL) { ret = 1; goto out; } opt->enctype_string = buf; } ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype); if(ret) { int t; if(sscanf(opt->enctype_string, "%d", &t) == 1) enctype = t; else { krb5_warn(context, ret, "%s", opt->enctype_string); goto out; } } if(opt->kvno_integer == -1) { if(readstring("Key version: ", buf, sizeof(buf)) == NULL) { ret = 1; goto out; } if(sscanf(buf, "%u", &opt->kvno_integer) != 1) goto out; } if(opt->password_string == NULL && opt->random_flag == 0) { if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: "******"malloc"); goto out; } if ((size_t)hex_decode(opt->password_string, data, len) != len) { free(data); krb5_warn(context, ENOMEM, "hex decode failed"); goto out; } ret = krb5_keyblock_init(context, enctype, data, len, &entry.keyblock); free(data); } else if (!opt->salt_flag) { krb5_salt salt; krb5_data pw; salt.salttype = KRB5_PW_SALT; salt.saltvalue.data = NULL; salt.saltvalue.length = 0; pw.data = (void*)opt->password_string; pw.length = strlen(opt->password_string); ret = krb5_string_to_key_data_salt(context, enctype, pw, salt, &entry.keyblock); } else { ret = krb5_string_to_key(context, enctype, opt->password_string, entry.principal, &entry.keyblock); } memset (opt->password_string, 0, strlen(opt->password_string)); } else { ret = krb5_generate_random_keyblock(context, enctype, &entry.keyblock); } if(ret) { krb5_warn(context, ret, "add"); goto out; } entry.vno = opt->kvno_integer; entry.timestamp = time (NULL); ret = krb5_kt_add_entry(context, keytab, &entry); if(ret) krb5_warn(context, ret, "add"); out: krb5_kt_free_entry(context, &entry); krb5_kt_close(context, keytab); return ret != 0; }