xref: /onnv-gate/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c (revision 2881:ea6360e7e1c5)

/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"


/*
 * kadmin/ktutil/ktutil_funcs.c
 *
 *(C) Copyright 1995, 1996 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * Utility functions for ktutil.
 */

#include "k5-int.h"
#include "ktutil.h"
#ifdef KRB5_KRB4_COMPAT
#include "kerberosIV/krb.h"
#include <stdio.h>
#endif
#include <string.h>
#include <ctype.h>
#include <libintl.h>

/*
 * Free a kt_list
 */
krb5_error_code ktutil_free_kt_list(context, list)
    krb5_context context;
    krb5_kt_list list;
{
    krb5_kt_list lp, prev;
    krb5_error_code retval = 0;

    for (lp = list; lp;) {
	retval = krb5_kt_free_entry(context, lp->entry);
	free((char *)lp->entry);
	if (retval)
	    break;
	prev = lp;
	lp = lp->next;
	free((char *)prev);
    }
    return retval;
}

/*
 * Delete a numbered entry in a kt_list.  Takes a pointer to a kt_list
 * in case head gets deleted.
 */
krb5_error_code ktutil_delete(context, list, idx)
    krb5_context context;
    krb5_kt_list *list;
    int idx;
{
    krb5_kt_list lp, prev;
    int i;

    for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {
	if (i == idx) {
	    if (i == 1)
		*list = lp->next;
	    else
		prev->next = lp->next;
	    lp->next = NULL;
	    return ktutil_free_kt_list(context, lp);
	}
    }
    return EINVAL;
}

/*
 * Create a new keytab entry and add it to the keytab list.
 * Based on the value of use_pass, either prompt the user for a
 * password or key.  If the keytab list is NULL, allocate a new
 * one first.
 */
krb5_error_code ktutil_add(context, list, princ_str, kvno,
			   enctype_str, use_pass)
    krb5_context context;
    krb5_kt_list *list;
    char *princ_str;
    krb5_kvno kvno;
    char *enctype_str;
    int use_pass;
{
    krb5_keytab_entry *entry;
    krb5_kt_list lp = NULL, prev = NULL;
    krb5_principal princ;
    krb5_enctype enctype;
    krb5_timestamp now;
    krb5_error_code retval;
    krb5_data password, salt;
    krb5_keyblock key;
    char buf[BUFSIZ];
    char promptstr[1024];

    char *cp;
    int i, tmp;
    unsigned int pwsize = BUFSIZ;

    retval = krb5_parse_name(context, princ_str, &princ);
    if (retval)
        return retval;
    /* now unparse in order to get the default realm appended
       to princ_str, if no realm was specified */
    retval = krb5_unparse_name(context, princ, &princ_str);
    if (retval)
        return retval;
    retval = krb5_string_to_enctype(enctype_str, &enctype);
    if (retval)
        return KRB5_BAD_ENCTYPE;
    retval = krb5_timeofday(context, &now);
    if (retval)
        return retval;

    if (*list) {
        /* point lp at the tail of the list */
        for (lp = *list; lp->next; lp = lp->next);
    }
    entry = (krb5_keytab_entry *) malloc(sizeof(krb5_keytab_entry));
    if (!entry) {
        return ENOMEM;
    }
    memset((char *) entry, 0, sizeof(*entry));

    if (!lp) {		/* if list is empty, start one */
        lp = (krb5_kt_list) malloc(sizeof(*lp));
	if (!lp) {
	    return ENOMEM;
	}
    } else {
        lp->next = (krb5_kt_list) malloc(sizeof(*lp));
	if (!lp->next) {
	    return ENOMEM;
	}
	prev = lp;
	lp = lp->next;
    }
    lp->next = NULL;
    lp->entry = entry;

    if (use_pass) {
        password.length = pwsize;
	password.data = (char *) malloc(pwsize);
	if (!password.data) {
	    retval = ENOMEM;
	    goto cleanup;
	}

	(void) snprintf(promptstr, sizeof(promptstr),
		gettext("Password for %.1000s"), princ_str);
        retval = krb5_read_password(context, promptstr, NULL, password.data,
				    &password.length);
	if (retval)
	    goto cleanup;
	retval = krb5_principal2salt(context, princ, &salt);
	if (retval)
	    goto cleanup;
	retval = krb5_c_string_to_key(context, enctype, &password,
				      &salt, &key);
	if (retval)
	    goto cleanup;
	memset(password.data, 0, password.length);
	password.length = 0;
	memcpy(&lp->entry->key, &key, sizeof(krb5_keyblock));
    } else {
        printf(gettext("Key for %s (hex): "), princ_str);
	fgets(buf, BUFSIZ, stdin);
	/*
	 * We need to get rid of the trailing '\n' from fgets.
	 * If we have an even number of hex digits (as we should),
	 * write a '\0' over the '\n'.  If for some reason we have
	 * an odd number of hex digits, force an even number of hex
	 * digits by writing a '0' into the last position (the string
	 * will still be null-terminated).
	 */
	buf[strlen(buf) - 1] = strlen(buf) % 2 ? '\0' : '0';
	if (strlen(buf) == 0) {
	    fprintf(stderr, "addent: %s", gettext("Error reading key.\n"));
	    retval = 0;
	    goto cleanup;
	}

        lp->entry->key.enctype = enctype;
	lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2);
	if (!lp->entry->key.contents) {
	    retval = ENOMEM;
	    goto cleanup;
	}

	i = 0;
	for (cp = buf; *cp; cp += 2) {
	    if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) {
	        fprintf(stderr, "addent: %s",
			gettext("Illegal character in key.\n"));
		retval = 0;
		goto cleanup;
	    }
	    sscanf(cp, "%02x", &tmp);
	    lp->entry->key.contents[i++] = (krb5_octet) tmp;
	}
	lp->entry->key.length = i;
    }
    lp->entry->principal = princ;
    lp->entry->vno = kvno;
    lp->entry->timestamp = now;

    if (!*list)
	*list = lp;

    return 0;

 cleanup:
    if (prev)
        prev->next = NULL;
    ktutil_free_kt_list(context, lp);
    return retval;
}

/*
 * Read in a keytab and append it to list.  If list starts as NULL,
 * allocate a new one if necessary.
 */
krb5_error_code ktutil_read_keytab(context, name, list)
    krb5_context context;
    char *name;
    krb5_kt_list *list;
{
    krb5_kt_list lp = NULL, tail = NULL, back = NULL;
    krb5_keytab kt;
    krb5_keytab_entry *entry;
    krb5_kt_cursor cursor;
    krb5_error_code retval = 0;

    if (*list) {
	/* point lp at the tail of the list */
	for (lp = *list; lp->next; lp = lp->next);
	back = lp;
    }
    retval = krb5_kt_resolve(context, name, &kt);
    if (retval)
	return retval;
    retval = krb5_kt_start_seq_get(context, kt, &cursor);
    if (retval)
	goto close_kt;
    for (;;) {
	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
	if (!entry) {
	    retval = ENOMEM;
	    break;
	}
	memset((char *)entry, 0, sizeof (*entry));
	retval = krb5_kt_next_entry(context, kt, entry, &cursor);
	if (retval)
	    break;

	if (!lp) {		/* if list is empty, start one */
	    lp = (krb5_kt_list)malloc(sizeof (*lp));
	    if (!lp) {
		retval = ENOMEM;
		break;
	    }
	} else {
	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
	    if (!lp->next) {
		retval = ENOMEM;
		break;
	    }
	    lp = lp->next;
	}
	if (!tail)
	    tail = lp;
	lp->next = NULL;
	lp->entry = entry;
    }
    if (entry)
	free((char *)entry);
    if (retval) {
	if (retval == KRB5_KT_END)
	    retval = 0;
	else {
	    ktutil_free_kt_list(context, tail);
	    tail = NULL;
	    if (back)
		back->next = NULL;
	}
    }
    if (!*list)
	*list = tail;
    krb5_kt_end_seq_get(context, kt, &cursor);
 close_kt:
    krb5_kt_close(context, kt);
    return retval;
}

/*
 * Takes a kt_list and writes it to the named keytab.
 */
krb5_error_code ktutil_write_keytab(context, list, name)
    krb5_context context;
    krb5_kt_list list;
    char *name;
{
    krb5_kt_list lp;
    krb5_keytab kt;
    char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];
    krb5_error_code retval = 0;

    strcpy(ktname, "WRFILE:");
    if (strlen (name) >= MAXPATHLEN)
	return ENAMETOOLONG;
    strncat (ktname, name, MAXPATHLEN);
    retval = krb5_kt_resolve(context, ktname, &kt);
    if (retval)
	return retval;
    for (lp = list; lp; lp = lp->next) {
	retval = krb5_kt_add_entry(context, kt, lp->entry);
	if (retval)
	    break;
    }
    krb5_kt_close(context, kt);
    return retval;
}

#ifdef KRB5_KRB4_COMPAT
/*
 * getstr() takes a file pointer, a string and a count.  It reads from
 * the file until either it has read "count" characters, or until it
 * reads a null byte.  When finished, what has been read exists in the
 * given string "s".  If "count" characters were actually read, the
 * last is changed to a null, so the returned string is always null-
 * terminated.  getstr() returns the number of characters read,
 * including the null terminator.
 */

static int getstr(fp, s, n)
    FILE *fp;
    register char *s;
    int n;
{
    register int count = n;
    while (fread(s, 1, 1, fp) > 0 && --count)
        if (*s++ == '\0')
            return (n - count);
    *s = '\0';
    return (n - count);
}

/*
 * Read in a named krb4 srvtab and append to list.  Allocate new list
 * if needed.
 */
krb5_error_code ktutil_read_srvtab(context, name, list)
    krb5_context context;
    char *name;
    krb5_kt_list *list;
{
    krb5_kt_list lp = NULL, tail = NULL, back = NULL;
    krb5_keytab_entry *entry;
    krb5_error_code retval = 0;
    char sname[SNAME_SZ];	/* name of service */
    char sinst[INST_SZ];	/* instance of service */
    char srealm[REALM_SZ];	/* realm of service */
    unsigned char kvno;		/* key version number */
    des_cblock key;
    FILE *fp;

    if (*list) {
	/* point lp at the tail of the list */
	for (lp = *list; lp->next; lp = lp->next);
	back = lp;
    }
    fp = fopen(name, "r");
    if (!fp)
	return EIO;
    for (;;) {
	entry = (krb5_keytab_entry *)malloc(sizeof (krb5_keytab_entry));
	if (!entry) {
	    retval = ENOMEM;
	    break;
	}
	memset((char *)entry, 0, sizeof (*entry));
	memset(sname, 0, sizeof (sname));
	memset(sinst, 0, sizeof (sinst));
	memset(srealm, 0, sizeof (srealm));
	if (!(getstr(fp, sname, SNAME_SZ) > 0 &&
	      getstr(fp, sinst, INST_SZ) > 0 &&
	      getstr(fp, srealm, REALM_SZ) > 0 &&
	      fread(&kvno, 1, 1, fp) > 0 &&
	      fread((char *)key, sizeof (key), 1, fp) > 0))
	    break;
	entry->magic = KV5M_KEYTAB_ENTRY;
	entry->timestamp = 0;	/* XXX */
	entry->vno = kvno;
	retval = krb5_425_conv_principal(context,
					 sname, sinst, srealm,
					 &entry->principal);
	if (retval)
	    break;
	entry->key.magic = KV5M_KEYBLOCK;
	entry->key.enctype = ENCTYPE_DES_CBC_CRC;
	entry->key.length = sizeof (key);
	entry->key.contents = (krb5_octet *)malloc(sizeof (key));
	if (!entry->key.contents) {
	    retval = ENOMEM;
	    break;
	}
	memcpy((char *)entry->key.contents, (char *)key, sizeof (key));
	if (!lp) {		/* if list is empty, start one */
	    lp = (krb5_kt_list)malloc(sizeof (*lp));
	    if (!lp) {
		retval = ENOMEM;
		break;
	    }
	} else {
	    lp->next = (krb5_kt_list)malloc(sizeof (*lp));
	    if (!lp->next) {
		retval = ENOMEM;
		break;
	    }
	    lp = lp->next;
	}
	lp->next = NULL;
	lp->entry = entry;
	if (!tail)
	    tail = lp;
    }
    if (entry) {
	if (entry->magic == KV5M_KEYTAB_ENTRY)
	    krb5_kt_free_entry(context, entry);
	free((char *)entry);
    }
    if (retval) {
	ktutil_free_kt_list(context, tail);
	tail = NULL;
	if (back)
	    back->next = NULL;
    }
    if (!*list)
	*list = tail;
    fclose(fp);
    return retval;
}

/*
 * Writes a kt_list out to a krb4 srvtab file.  Note that it first
 * prunes the kt_list so that it won't contain any keys that are not
 * the most recent, and ignores keys that are not ENCTYPE_DES.
 */
krb5_error_code ktutil_write_srvtab(context, list, name)
    krb5_context context;
    krb5_kt_list list;
    char *name;
{
    krb5_kt_list lp, lp1, prev, pruned = NULL;
    krb5_error_code retval = 0;
    FILE *fp;
    char sname[SNAME_SZ];
    char sinst[INST_SZ];
    char srealm[REALM_SZ];

    /* First do heinous stuff to prune the list. */
    for (lp = list; lp; lp = lp->next) {
	if ((lp->entry->key.enctype != ENCTYPE_DES_CBC_CRC) &&
	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD5) &&
	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_MD4) &&
	    (lp->entry->key.enctype != ENCTYPE_DES_CBC_RAW))
	    continue;

	for (lp1 = pruned; lp1; prev = lp1, lp1 = lp1->next) {
	    /* Hunt for the current principal in the pruned list */
	    if (krb5_principal_compare(context,
				       lp->entry->principal,
				       lp1->entry->principal))
		    break;
	}
	if (!lp1) {		/* need to add entry to tail of pruned list */
	    if (!pruned) {
		pruned = (krb5_kt_list) malloc(sizeof (*pruned));
		if (!pruned)
		    return ENOMEM;
		memset((char *) pruned, 0, sizeof(*pruned));
		lp1 = pruned;
	    } else {
		prev->next
		    = (krb5_kt_list) malloc(sizeof (*pruned));
		if (!prev->next) {
		    retval = ENOMEM;
		    goto free_pruned;
		}
		memset((char *) prev->next, 0, sizeof(*pruned));
		lp1 = prev->next;
	    }
	    lp1->entry = lp->entry;
	} else {
	    /* This heuristic should be roughly the same as in the
	       keytab-reading code in libkrb5.  */
	    int offset = 0;
	    if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
		offset = 128;
	    }
#define M(X) (((X) + offset) % 256)
	    if (M(lp1->entry->vno) < M(lp->entry->vno))
		/* Check if lp->entry is newer kvno; if so, update */
		lp1->entry = lp->entry;
	}
    }
    umask(0077); /*Changing umask for all of ktutil is OK
		  * We don't ever write out anything that should use
		  * default umask.*/
    fp = fopen(name, "w");
    if (!fp) {
	retval = EIO;
	goto free_pruned;
    }
    for (lp = pruned; lp; lp = lp->next) {
	unsigned char  kvno;
	kvno = (unsigned char) lp->entry->vno;
	retval = krb5_524_conv_principal(context,
					 lp->entry->principal,
					 sname, sinst, srealm);
	if (retval)
	    break;
	fwrite(sname, strlen(sname) + 1, 1, fp);
	fwrite(sinst, strlen(sinst) + 1, 1, fp);
	fwrite(srealm, strlen(srealm) + 1, 1, fp);
	fwrite((char *)&kvno, 1, 1, fp);
	fwrite((char *)lp->entry->key.contents,
	       sizeof (des_cblock), 1, fp);
    }
    fclose(fp);
 free_pruned:
    /*
     * Loop over and free the pruned list; don't use free_kt_list
     * because that kills the entries.
     */
    for (lp = pruned; lp;) {
	prev = lp;
	lp = lp->next;
	free((char *)prev);
    }
    return retval;
}
#endif /* KRB5_KRB4_COMPAT */