lib/hdb/keys.c

   1 /*
   2  * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "hdb_locl.h"
  35
  36 struct hx509_certs_data;
  37 struct krb5_pk_identity;
  38 struct krb5_pk_cert;
  39 struct ContentInfo;
  40 struct AlgorithmIdentifier;
  41 struct _krb5_krb_auth_data;
  42 typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
  43 struct krb5_dh_moduli;
  44 struct _krb5_key_data;
  45 struct _krb5_encryption_type;
  46 struct _krb5_key_type;
  47 #include <pkinit_asn1.h>
  48 #include <krb5-private.h>
  49 #include <base64.h>
  50
  51 /*
  52  * free all the memory used by (len, keys)
  53  */
  54
  55 void
  56 hdb_free_keys(krb5_context context, int len, Key *keys)
  57 {
  58     size_t i;
  59
  60     for (i = 0; i < len; i++) {
  61         free(keys[i].mkvno);
  62         keys[i].mkvno = NULL;
  63         if (keys[i].salt != NULL) {
  64             free_Salt(keys[i].salt);
  65             free(keys[i].salt);
  66             keys[i].salt = NULL;
  67         }
  68         krb5_free_keyblock_contents(context, &keys[i].key);
  69     }
  70     free (keys);
  71 }
  72
  73 /*
  74  * for each entry in `default_keys' try to parse it as a sequence
  75  * of etype:salttype:salt, syntax of this if something like:
  76  * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
  77  *      means all etypes, and if string is omitted is means the default
  78  * string (for that principal). Additional special values:
  79  *      v5 == pw-salt, and
  80  *      v4 == des:pw-salt:
  81  *      afs or afs3 == des:afs3-salt
  82  */
  83
  84 static const krb5_enctype des_etypes[] = {
  85     KRB5_ENCTYPE_DES_CBC_MD5,
  86     KRB5_ENCTYPE_DES_CBC_MD4,
  87     KRB5_ENCTYPE_DES_CBC_CRC
  88 };
  89
  90 static const krb5_enctype all_etypes[] = {
  91     KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
  92     KRB5_ENCTYPE_DES3_CBC_SHA1,
  93     KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
  94 };
  95
  96 static krb5_error_code
  97 parse_key_set(krb5_context context, const char *key,
  98               krb5_enctype **ret_enctypes, size_t *ret_num_enctypes,
  99               krb5_salt *salt, krb5_principal principal)
 100 {
 101     const char *p;
 102     char buf[3][256];
 103     int num_buf = 0;
 104     int i, num_enctypes = 0;
 105     krb5_enctype e;
 106     const krb5_enctype *enctypes = NULL;
 107     krb5_error_code ret;
 108
 109     p = key;
 110
 111     *ret_enctypes = NULL;
 112     *ret_num_enctypes = 0;
 113
 114     /* split p in a list of :-separated strings */
 115     for(num_buf = 0; num_buf < 3; num_buf++)
 116         if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
 117             break;
 118
 119     salt->saltvalue.data = NULL;
 120     salt->saltvalue.length = 0;
 121
 122     for(i = 0; i < num_buf; i++) {
 123         if(enctypes == NULL && num_buf > 1) {
 124             /* this might be a etype specifier */
 125             /* XXX there should be a string_to_etypes handling
 126                special cases like `des' and `all' */
 127             if(strcmp(buf[i], "des") == 0) {
 128                 enctypes = des_etypes;
 129                 num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
 130             } else if(strcmp(buf[i], "des3") == 0) {
 131                 e = KRB5_ENCTYPE_DES3_CBC_SHA1;
 132                 enctypes = &e;
 133                 num_enctypes = 1;
 134             } else {
 135                 ret = krb5_string_to_enctype(context, buf[i], &e);
 136                 if (ret == 0) {
 137                     enctypes = &e;
 138                     num_enctypes = 1;
 139                 } else
 140                     return ret;
 141             }
 142             continue;
 143         }
 144         if(salt->salttype == 0) {
 145             /* interpret string as a salt specifier, if no etype
 146                is set, this sets default values */
 147             /* XXX should perhaps use string_to_salttype, but that
 148                interface sucks */
 149             if(strcmp(buf[i], "pw-salt") == 0) {
 150                 if(enctypes == NULL) {
 151                     enctypes = all_etypes;
 152                     num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
 153                 }
 154                 salt->salttype = KRB5_PW_SALT;
 155             } else if(strcmp(buf[i], "afs3-salt") == 0) {
 156                 if(enctypes == NULL) {
 157                     enctypes = des_etypes;
 158                     num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
 159                 }
 160                 salt->salttype = KRB5_AFS3_SALT;
 161             }
 162             continue;
 163         }
 164
 165         {
 166             /* if there is a final string, use it as the string to
 167                salt with, this is mostly useful with null salt for
 168                v4 compat, and a cell name for afs compat */
 169             salt->saltvalue.data = strdup(buf[i]);
 170             if (salt->saltvalue.data == NULL) {
 171                 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 172                 return ENOMEM;
 173             }
 174             salt->saltvalue.length = strlen(buf[i]);
 175         }
 176     }
 177
 178     if(enctypes == NULL || salt->salttype == 0) {
 179         krb5_set_error_message(context, EINVAL, "bad value for default_keys `%s'", key);
 180         return EINVAL;
 181     }
 182
 183     /* if no salt was specified make up default salt */
 184     if(salt->saltvalue.data == NULL) {
 185         if(salt->salttype == KRB5_PW_SALT) {
 186             ret = krb5_get_pw_salt(context, principal, salt);
 187             if (ret)
 188                 return ret;
 189         } else if(salt->salttype == KRB5_AFS3_SALT) {
 190             krb5_const_realm realm = krb5_principal_get_realm(context, principal);
 191             salt->saltvalue.data = strdup(realm);
 192             if(salt->saltvalue.data == NULL) {
 193                 krb5_set_error_message(context, ENOMEM,
 194                                        "out of memory while "
 195                                        "parsing salt specifiers");
 196                 return ENOMEM;
 197             }
 198             strlwr(salt->saltvalue.data);
 199             salt->saltvalue.length = strlen(realm);
 200         }
 201     }
 202
 203     *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
 204     if (*ret_enctypes == NULL) {
 205         krb5_free_salt(context, *salt);
 206         krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 207         return ENOMEM;
 208     }
 209     memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
 210     *ret_num_enctypes = num_enctypes;
 211
 212     return 0;
 213 }
 214
 215 /**
 216  * This function prunes an HDB entry's keys that are too old to have been used
 217  * to mint still valid tickets (based on the entry's maximum ticket lifetime).
 218  *
 219  * @param context   Context
 220  * @param entry     HDB entry
 221  */
 222 krb5_error_code
 223 hdb_prune_keys(krb5_context context, hdb_entry *entry)
 224 {
 225     HDB_extension *ext;
 226     HDB_Ext_KeySet *keys;
 227     size_t nelem;
 228
 229     ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
 230     if (ext == NULL)
 231         return 0;
 232     keys = &ext->data.u.hist_keys;
 233     nelem = keys->len;
 234
 235     /* Optionally drop key history for keys older than now - max_life */
 236     if (entry->max_life != NULL && nelem > 0
 237         && krb5_config_get_bool_default(context, NULL, FALSE,
 238                                         "kadmin", "prune-key-history", NULL)) {
 239         hdb_keyset *elem;
 240         time_t ceiling = time(NULL) - *entry->max_life;
 241         time_t keep_time = 0;
 242         size_t i;
 243
 244         /*
 245          * Compute most recent key timestamp that predates the current time
 246          * by at least the entry's maximum ticket lifetime.
 247          */
 248         for (i = 0; i < nelem; ++i) {
 249             elem = &keys->val[i];
 250             if (elem->set_time && *elem->set_time < ceiling
 251                 && (keep_time == 0 || *elem->set_time > keep_time))
 252                 keep_time = *elem->set_time;
 253         }
 254
 255         /* Drop obsolete entries */
 256         if (keep_time) {
 257             for (i = 0; i < nelem; /* see below */) {
 258                 elem = &keys->val[i];
 259                 if (elem->set_time && *elem->set_time < keep_time) {
 260                     remove_HDB_Ext_KeySet(keys, i);
 261                     /*
 262                      * Removing the i'th element shifts the tail down, continue
 263                      * at same index with reduced upper bound.
 264                      */
 265                     --nelem;
 266                     continue;
 267                 }
 268                 ++i;
 269             }
 270         }
 271     }
 272
 273     return 0;
 274 }
 275
 276 /**
 277  * This function adds an HDB entry's current keyset to the entry's key
 278  * history.  The current keyset is left alone; the caller is responsible
 279  * for freeing it.
 280  *
 281  * @param context   Context
 282  * @param entry     HDB entry
 283  */
 284 krb5_error_code
 285 hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
 286 {
 287     krb5_boolean replace = FALSE;
 288     krb5_error_code ret;
 289     HDB_extension *ext;
 290     HDB_Ext_KeySet *keys;
 291     hdb_keyset newkeyset;
 292     time_t newtime;
 293
 294     if (entry->keys.len == 0)
 295         return 0; /* nothing to do */
 296
 297     ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
 298     if (ext == NULL) {
 299         replace = TRUE;
 300         ext = calloc(1, sizeof (*ext));
 301         if (ext == NULL)
 302             return krb5_enomem(context);
 303
 304         ext->data.element = choice_HDB_extension_data_hist_keys;
 305     }
 306     keys = &ext->data.u.hist_keys;
 307
 308     ext->mandatory = FALSE;
 309
 310     /*
 311      * Copy in newest old keyset
 312      */
 313     ret = hdb_entry_get_pw_change_time(entry, &newtime);
 314     if (ret)
 315         goto out;
 316
 317     memset(&newkeyset, 0, sizeof(newkeyset));
 318     newkeyset.keys = entry->keys;
 319     newkeyset.kvno = entry->kvno;
 320     newkeyset.set_time = &newtime;
 321
 322     ret = add_HDB_Ext_KeySet(keys, &newkeyset);
 323     if (ret)
 324         goto out;
 325
 326     if (replace) {
 327         /* hdb_replace_extension() deep-copies ext; what a waste */
 328         ret = hdb_replace_extension(context, entry, ext);
 329         if (ret)
 330             goto out;
 331     }
 332
 333     ret = hdb_prune_keys(context, entry);
 334     if (ret)
 335         goto out;
 336
 337  out:
 338     if (replace && ext) {
 339         free_HDB_extension(ext);
 340         free(ext);
 341     }
 342     return ret;
 343 }
 344
 345 /**
 346  * This function adds a key to an HDB entry's key history.
 347  *
 348  * @param context   Context
 349  * @param entry     HDB entry
 350  * @param kvno      Key version number of the key to add to the history
 351  * @param key       The Key to add
 352  */
 353 krb5_error_code
 354 hdb_add_history_key(krb5_context context, hdb_entry *entry, krb5_kvno kvno, Key *key)
 355 {
 356     size_t i;
 357     hdb_keyset keyset;
 358     HDB_Ext_KeySet *hist_keys;
 359     HDB_extension ext;
 360     HDB_extension *extp;
 361     krb5_error_code ret;
 362
 363     memset(&keyset, 0, sizeof (keyset));
 364     memset(&ext, 0, sizeof (ext));
 365
 366     extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
 367     if (extp == NULL) {
 368         ext.data.element = choice_HDB_extension_data_hist_keys;
 369         extp = &ext;
 370     }
 371
 372     extp->mandatory = FALSE;
 373     hist_keys = &extp->data.u.hist_keys;
 374
 375     for (i = 0; i < hist_keys->len; i++) {
 376         if (hist_keys->val[i].kvno == kvno) {
 377             ret = add_Keys(&hist_keys->val[i].keys, key);
 378             goto out;
 379         }
 380     }
 381
 382     keyset.kvno = kvno;
 383     ret = add_Keys(&keyset.keys, key);
 384     if (ret)
 385         goto out;
 386     ret = add_HDB_Ext_KeySet(hist_keys, &keyset);
 387     if (ret)
 388         goto out;
 389     if (extp == &ext) {
 390         ret = hdb_replace_extension(context, entry, &ext);
 391         if (ret)
 392             goto out;
 393     }
 394
 395 out:
 396     free_hdb_keyset(&keyset);
 397     free_HDB_extension(&ext);
 398     return ret;
 399 }
 400
 401
 402 /**
 403  * This function changes an hdb_entry's kvno, swapping the current key
 404  * set with a historical keyset.  If no historical keys are found then
 405  * an error is returned (the caller can still set entry->kvno directly).
 406  *
 407  * @param context       krb5_context
 408  * @param new_kvno      New kvno for the entry
 409  * @param entry         hdb_entry to modify
 410  */
 411 krb5_error_code
 412 hdb_change_kvno(krb5_context context, krb5_kvno new_kvno, hdb_entry *entry)
 413 {
 414     HDB_extension ext;
 415     HDB_extension *extp;
 416     hdb_keyset keyset;
 417     HDB_Ext_KeySet *hist_keys;
 418     size_t i;
 419     int found = 0;
 420     krb5_error_code ret;
 421
 422     if (entry->kvno == new_kvno)
 423         return 0;
 424
 425     extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
 426     if (extp == NULL) {
 427         memset(&ext, 0, sizeof (ext));
 428         ext.data.element = choice_HDB_extension_data_hist_keys;
 429         extp = &ext;
 430     }
 431
 432     memset(&keyset, 0, sizeof (keyset));
 433     hist_keys = &extp->data.u.hist_keys;
 434     for (i = 0; i < hist_keys->len; i++) {
 435         if (hist_keys->val[i].kvno == new_kvno) {
 436             found = 1;
 437             ret = copy_hdb_keyset(&hist_keys->val[i], &keyset);
 438             if (ret)
 439                 goto out;
 440             ret = remove_HDB_Ext_KeySet(hist_keys, i);
 441             if (ret)
 442                 goto out;
 443             break;
 444         }
 445     }
 446
 447     if (!found)
 448         return HDB_ERR_KVNO_NOT_FOUND;
 449
 450     ret = hdb_add_current_keys_to_history(context, entry);
 451     if (ret)
 452         goto out;
 453
 454     /* Note: we do nothing with keyset.set_time */
 455     entry->kvno = new_kvno;
 456     entry->keys = keyset.keys; /* shortcut */
 457     memset(&keyset.keys, 0, sizeof (keyset.keys));
 458
 459 out:
 460     free_hdb_keyset(&keyset);
 461     return ret;
 462 }
 463
 464
 465 static krb5_error_code
 466 add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
 467                        krb5_enctype enctype, krb5_salt *salt)
 468 {
 469     krb5_error_code ret;
 470     Key key, *tmp;
 471
 472     memset(&key, 0, sizeof(key));
 473
 474     tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0]));
 475     if (tmp == NULL)
 476         return ENOMEM;
 477
 478     *key_set = tmp;
 479
 480     key.key.keytype = enctype;
 481     key.key.keyvalue.length = 0;
 482     key.key.keyvalue.data = NULL;
 483
 484     if (salt) {
 485         key.salt = calloc(1, sizeof(*key.salt));
 486         if (key.salt == NULL) {
 487             free_Key(&key);
 488             return ENOMEM;
 489         }
 490
 491         key.salt->type = salt->salttype;
 492         krb5_data_zero (&key.salt->salt);
 493
 494         ret = krb5_data_copy(&key.salt->salt,
 495                              salt->saltvalue.data,
 496                              salt->saltvalue.length);
 497         if (ret) {
 498             free_Key(&key);
 499             return ret;
 500         }
 501     } else
 502         key.salt = NULL;
 503
 504     (*key_set)[*nkeyset] = key;
 505
 506     *nkeyset += 1;
 507
 508     return 0;
 509 }
 510
 511
 512 static
 513 krb5_error_code
 514 ks_tuple2str(krb5_context context, int n_ks_tuple,
 515              krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
 516 {
 517         size_t i;
 518         char **ksnames;
 519         char *ename, *sname;
 520         krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;
 521
 522         *ks_tuple_strs = NULL;
 523         if (n_ks_tuple < 1)
 524                 return 0;
 525
 526         if ((ksnames = calloc(n_ks_tuple + 1, sizeof (*ksnames))) == NULL)
 527                 return (errno);
 528
 529         for (i = 0; i < n_ks_tuple; i++) {
 530             if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
 531                 goto out;
 532             if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
 533                                         ks_tuple[i].ks_salttype, &sname))
 534                 goto out;
 535
 536             if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
 537                     rc = errno;
 538                     free(ename);
 539                     free(sname);
 540                     goto out;
 541             }
 542             free(ename);
 543             free(sname);
 544         }
 545
 546         ksnames[i] = NULL;
 547         *ks_tuple_strs = ksnames;
 548         return 0;
 549
 550 out:
 551         for (i = 0; i < n_ks_tuple; i++)
 552                 free(ksnames[i]);
 553         free(ksnames);
 554         return (rc);
 555 }
 556
 557 /*
 558  *
 559  */
 560
 561 static char **
 562 glob_rules_keys(krb5_context context, krb5_const_principal principal)
 563 {
 564     const krb5_config_binding *list;
 565     krb5_principal pattern;
 566     krb5_error_code ret;
 567
 568     list = krb5_config_get_list(context, NULL, "kadmin",
 569                                 "default_key_rules", NULL);
 570     if (list == NULL)
 571         return NULL;
 572
 573     while (list) {
 574         if (list->type == krb5_config_string) {
 575             ret = krb5_parse_name(context, list->name, &pattern);
 576             if (ret == 0) {
 577                 ret = krb5_principal_match(context, principal, pattern);
 578                 krb5_free_principal(context, pattern);
 579                 if (ret) {
 580                     return krb5_config_get_strings(context, list,
 581                                                    list->name, NULL);
 582                 }
 583             }
 584         }
 585         list = list->next;
 586     }
 587     return NULL;
 588 }
 589
 590 /*
 591  * NIST guidance in Section 5.1 of [SP800-132] requires that a portion
 592  * of the salt of at least 128 bits shall be randomly generated.
 593  */
 594 static krb5_error_code
 595 add_random_to_salt(krb5_context context, krb5_salt *in, krb5_salt *out)
 596 {
 597     krb5_error_code ret;
 598     char *p;
 599     unsigned char random[16];
 600     char *s;
 601     int slen;
 602
 603     krb5_generate_random_block(random, sizeof(random));
 604
 605     slen = rk_base64_encode(random, sizeof(random), &s);
 606     if (slen < 0)
 607         return ENOMEM;
 608
 609     ret = krb5_data_alloc(&out->saltvalue, slen + in->saltvalue.length);
 610     if (ret) {
 611         free(s);
 612         return ret;
 613     }
 614
 615     p = out->saltvalue.data;
 616     memcpy(p, s, slen);
 617     memcpy(&p[slen], in->saltvalue.data, in->saltvalue.length);
 618
 619     out->salttype = in->salttype;
 620     free(s);
 621
 622     return 0;
 623 }
 624
 625 /*
 626  * Generate the `key_set' from the [kadmin]default_keys statement. If
 627  * `no_salt' is set, salt is not important (and will not be set) since
 628  * it's random keys that is going to be created.
 629  */
 630
 631 krb5_error_code
 632 hdb_generate_key_set(krb5_context context, krb5_principal principal,
 633                      krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
 634                      Key **ret_key_set, size_t *nkeyset, int no_salt)
 635 {
 636     char **ktypes = NULL;
 637     char **kp;
 638     krb5_error_code ret;
 639     Key *k, *key_set;
 640     size_t i, j;
 641     char **ks_tuple_strs;
 642     char **config_ktypes = NULL;
 643     static const char *default_keytypes[] = {
 644         "aes256-cts-hmac-sha1-96:pw-salt",
 645         "des3-cbc-sha1:pw-salt",
 646         "arcfour-hmac-md5:pw-salt",
 647         NULL
 648     };
 649
 650     if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
 651             return ret;
 652
 653     ktypes = ks_tuple_strs;
 654     if (ktypes == NULL) {
 655         ktypes = glob_rules_keys(context, principal);
 656     }
 657     if (ktypes == NULL) {
 658         config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
 659                                                 "default_keys", NULL);
 660         ktypes = config_ktypes;
 661     }
 662     if (ktypes == NULL)
 663         ktypes = (char **)(intptr_t)default_keytypes;
 664
 665     *ret_key_set = key_set = NULL;
 666     *nkeyset = 0;
 667
 668     for(kp = ktypes; kp && *kp; kp++) {
 669         const char *p;
 670         krb5_salt salt;
 671         krb5_enctype *enctypes;
 672         size_t num_enctypes;
 673
 674         p = *kp;
 675         /* check alias */
 676         if(strcmp(p, "v5") == 0)
 677             p = "pw-salt";
 678         else if(strcmp(p, "v4") == 0)
 679             p = "des:pw-salt:";
 680         else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
 681             p = "des:afs3-salt";
 682         else if (strcmp(p, "arcfour-hmac-md5") == 0)
 683             p = "arcfour-hmac-md5:pw-salt";
 684
 685         memset(&salt, 0, sizeof(salt));
 686
 687         ret = parse_key_set(context, p,
 688                             &enctypes, &num_enctypes, &salt, principal);
 689         if (ret) {
 690             krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
 691             ret = 0;
 692             continue;
 693         }
 694
 695         for (i = 0; i < num_enctypes; i++) {
 696             krb5_salt *saltp = no_salt ? NULL : &salt;
 697             krb5_salt rsalt;
 698
 699             /* find duplicates */
 700             for (j = 0; j < *nkeyset; j++) {
 701
 702                 k = &key_set[j];
 703
 704                 if (k->key.keytype == enctypes[i]) {
 705                     if (no_salt)
 706                         break;
 707                     if (k->salt == NULL && salt.salttype == KRB5_PW_SALT)
 708                         break;
 709                     if (k->salt->type == salt.salttype &&
 710                         k->salt->salt.length == salt.saltvalue.length &&
 711                         memcmp(k->salt->salt.data, salt.saltvalue.data,
 712                                salt.saltvalue.length) == 0)
 713                         break;
 714                 }
 715             }
 716             /* not a duplicate, lets add it */
 717             if (j < *nkeyset)
 718                 continue;
 719
 720             memset(&rsalt, 0, sizeof(rsalt));
 721
 722             /* prepend salt with randomness if required */
 723             if (!no_salt &&
 724                 _krb5_enctype_requires_random_salt(context, enctypes[i])) {
 725                 saltp = &rsalt;
 726                 ret = add_random_to_salt(context, &salt, &rsalt);
 727             }
 728
 729             if (ret == 0)
 730                 ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i],
 731                                              saltp);
 732             krb5_free_salt(context, rsalt);
 733
 734             if (ret) {
 735                 free(enctypes);
 736                 krb5_free_salt(context, salt);
 737                 goto out;
 738             }
 739         }
 740         free(enctypes);
 741         krb5_free_salt(context, salt);
 742     }
 743
 744     *ret_key_set = key_set;
 745
 746  out:
 747     if (config_ktypes != NULL)
 748         krb5_config_free_strings(config_ktypes);
 749
 750     for(kp = ks_tuple_strs; kp && *kp; kp++)
 751         free(*kp);
 752     free(ks_tuple_strs);
 753
 754     if (ret) {
 755         krb5_warn(context, ret,
 756                   "failed to parse the [kadmin]default_keys values");
 757
 758         for (i = 0; i < *nkeyset; i++)
 759             free_Key(&key_set[i]);
 760         free(key_set);
 761     } else if (*nkeyset == 0) {
 762         krb5_warnx(context,
 763                    "failed to parse any of the [kadmin]default_keys values");
 764         ret = EINVAL; /* XXX */
 765     }
 766
 767     return ret;
 768 }
 769
 770
 771 krb5_error_code
 772 hdb_generate_key_set_password(krb5_context context,
 773                               krb5_principal principal,
 774                               const char *password,
 775                               krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
 776                               Key **keys, size_t *num_keys)
 777 {
 778     krb5_error_code ret;
 779     size_t i;
 780
 781     ret = hdb_generate_key_set(context, principal, ks_tuple, n_ks_tuple,
 782                                 keys, num_keys, 0);
 783     if (ret)
 784         return ret;
 785
 786     for (i = 0; i < (*num_keys); i++) {
 787         krb5_salt salt;
 788         Key *key = &(*keys)[i];
 789
 790         salt.salttype = key->salt->type;
 791         salt.saltvalue.length = key->salt->salt.length;
 792         salt.saltvalue.data = key->salt->salt.data;
 793
 794         ret = krb5_string_to_key_salt (context,
 795                                        key->key.keytype,
 796                                        password,
 797                                        salt,
 798                                        &key->key);
 799         if(ret)
 800             break;
 801     }
 802
 803     if(ret) {
 804         hdb_free_keys (context, *num_keys, *keys);
 805         return ret;
 806     }
 807     return ret;
 808 }