search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()
[heimdal.git] / lib / hdb / keys.c
blob457e5daf7a7bd06054c67dd7766cc09289cb6002
1 /*
2 * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35 #include "hdb_locl.h"
36
37 #include <pkinit_asn1.h>
38 #include <base64.h>
39
40 /*
41 * free all the memory used by (len, keys)
42 */
43
44 void
45 hdb_free_keys(krb5_context context, int len, Key *keys)
46 {
47 size_t i;
48
49 for (i = 0; i < len; i++) {
50 free(keys[i].mkvno);
51 keys[i].mkvno = NULL;
52 if (keys[i].salt != NULL) {
53 free_Salt(keys[i].salt);
54 free(keys[i].salt);
55 keys[i].salt = NULL;
56 }
57 krb5_free_keyblock_contents(context, &keys[i].key);
58 }
59 free (keys);
60 }
61
62 /*
63 * for each entry in `default_keys' try to parse it as a sequence
64 * of etype:salttype:salt, syntax of this if something like:
65 * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
66 * means all etypes, and if string is omitted is means the default
67 * string (for that principal). Additional special values:
68 * v5 == pw-salt, and
69 * v4 == des:pw-salt:
70 * afs or afs3 == des:afs3-salt
71 */
72
73 static const krb5_enctype des_etypes[] = {
74 KRB5_ENCTYPE_DES_CBC_MD5,
75 KRB5_ENCTYPE_DES_CBC_MD4,
76 KRB5_ENCTYPE_DES_CBC_CRC
77 };
78
79 static const krb5_enctype all_etypes[] = {
80 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
81 KRB5_ENCTYPE_DES3_CBC_SHA1,
82 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
83 };
84
85 static krb5_error_code
86 parse_key_set(krb5_context context, const char *key,
87 krb5_enctype **ret_enctypes, size_t *ret_num_enctypes,
88 krb5_salt *salt, krb5_principal principal)
89 {
90 const char *p;
91 char buf[3][256];
92 int num_buf = 0;
93 int i, num_enctypes = 0;
94 krb5_enctype e;
95 const krb5_enctype *enctypes = NULL;
96 krb5_error_code ret;
97
98 p = key;
99
100 *ret_enctypes = NULL;
101 *ret_num_enctypes = 0;
102
103 /* split p in a list of :-separated strings */
104 for(num_buf = 0; num_buf < 3; num_buf++)
105 if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
106 break;
107
108 salt->saltvalue.data = NULL;
109 salt->saltvalue.length = 0;
110
111 for(i = 0; i < num_buf; i++) {
112 if(enctypes == NULL && num_buf > 1) {
113 /* this might be a etype specifier */
114 /* XXX there should be a string_to_etypes handling
115 special cases like `des' and `all' */
116 if(strcmp(buf[i], "des") == 0) {
117 enctypes = des_etypes;
118 num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
119 } else if(strcmp(buf[i], "des3") == 0) {
120 e = KRB5_ENCTYPE_DES3_CBC_SHA1;
121 enctypes = &e;
122 num_enctypes = 1;
123 } else {
124 ret = krb5_string_to_enctype(context, buf[i], &e);
125 if (ret == 0) {
126 enctypes = &e;
127 num_enctypes = 1;
128 } else
129 return ret;
130 }
131 continue;
132 }
133 if(salt->salttype == 0) {
134 /* interpret string as a salt specifier, if no etype
135 is set, this sets default values */
136 /* XXX should perhaps use string_to_salttype, but that
137 interface sucks */
138 if(strcmp(buf[i], "pw-salt") == 0) {
139 if(enctypes == NULL) {
140 enctypes = all_etypes;
141 num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
142 }
143 salt->salttype = KRB5_PW_SALT;
144 } else if(strcmp(buf[i], "afs3-salt") == 0) {
145 if(enctypes == NULL) {
146 enctypes = des_etypes;
147 num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
148 }
149 salt->salttype = KRB5_AFS3_SALT;
150 }
151 continue;
152 }
153
154 if (salt->saltvalue.data != NULL)
155 free(salt->saltvalue.data);
156 /* if there is a final string, use it as the string to
157 salt with, this is mostly useful with null salt for
158 v4 compat, and a cell name for afs compat */
159 salt->saltvalue.data = strdup(buf[i]);
160 if (salt->saltvalue.data == NULL)
161 return krb5_enomem(context);
162 salt->saltvalue.length = strlen(buf[i]);
163 }
164
165 if(enctypes == NULL || salt->salttype == 0) {
166 krb5_free_salt(context, *salt);
167 krb5_set_error_message(context, EINVAL, "bad value for default_keys `%s'", key);
168 return EINVAL;
169 }
170
171 /* if no salt was specified make up default salt */
172 if(salt->saltvalue.data == NULL) {
173 if(salt->salttype == KRB5_PW_SALT) {
174 ret = krb5_get_pw_salt(context, principal, salt);
175 if (ret)
176 return ret;
177 } else if(salt->salttype == KRB5_AFS3_SALT) {
178 krb5_const_realm realm = krb5_principal_get_realm(context, principal);
179 salt->saltvalue.data = strdup(realm);
180 if(salt->saltvalue.data == NULL) {
181 krb5_set_error_message(context, ENOMEM,
182 "out of memory while "
183 "parsing salt specifiers");
184 return ENOMEM;
185 }
186 strlwr(salt->saltvalue.data);
187 salt->saltvalue.length = strlen(realm);
188 }
189 }
190
191 *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
192 if (*ret_enctypes == NULL) {
193 krb5_free_salt(context, *salt);
194 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
195 return ENOMEM;
196 }
197 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
198 *ret_num_enctypes = num_enctypes;
199
200 return 0;
201 }
202
203 /**
204 * This function prunes an HDB entry's historic keys by kvno.
205 *
206 * @param context Context
207 * @param entry HDB entry
208 * @param kvno Keyset kvno to prune, or zero to prune all too-old keys
209 */
210 krb5_error_code
211 hdb_prune_keys_kvno(krb5_context context, hdb_entry *entry, int kvno)
212 {
213 HDB_extension *ext;
214 HDB_Ext_KeySet *keys;
215 hdb_keyset *elem;
216 time_t keep_time = 0;
217 size_t nelem;
218 size_t i;
219
220 /*
221 * XXX Pruning old keys for namespace principals may not be desirable, but!
222 * as long as the `set_time's of the base keys for a namespace principal
223 * match the `epoch's of the corresponding KeyRotation periods, it will be
224 * perfectly acceptable to prune old [base] keys for namespace principals
225 * just as for any other principal. Therefore, we may not need to make any
226 * changes here w.r.t. namespace principals.
227 */
228
229 ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
230 if (ext == NULL)
231 return 0;
232 keys = &ext->data.u.hist_keys;
233 nelem = keys->len;
234
235 /*
236 * Optionally drop key history for keys older than now - max_life, which is
237 * all the keys no longer needed to decrypt extant tickets.
238 */
239 if (kvno == 0 && entry->max_life != NULL && nelem > 0) {
240 time_t ceiling = time(NULL) - *entry->max_life;
241
242 /*
243 * Compute most recent key timestamp that predates the current time
244 * by at least the entry's maximum ticket lifetime.
245 */
246 for (i = 0; i < nelem; ++i) {
247 elem = &keys->val[i];
248 if (elem->set_time && *elem->set_time < ceiling
249 && (keep_time == 0 || *elem->set_time > keep_time))
250 keep_time = *elem->set_time;
251 }
252 }
253
254 if (kvno == 0 && keep_time == 0)
255 return 0;
256
257 for (i = 0; i < nelem; /* see below */) {
258 elem = &keys->val[i];
259 if ((kvno && kvno == elem->kvno) ||
260 (keep_time && elem->set_time && *elem->set_time < keep_time)) {
261 remove_HDB_Ext_KeySet(keys, i);
262 /*
263 * Removing the i'th element shifts the tail down, continue
264 * at same index with reduced upper bound.
265 */
266 --nelem;
267 continue;
268 }
269 ++i;
270 }
271
272 return 0;
273 }
274
275 /**
276 * This function prunes an HDB entry's keys that are too old to have been used
277 * to mint still valid tickets (based on the entry's maximum ticket lifetime).
278 *
279 * @param context Context
280 * @param entry HDB entry
281 */
282 krb5_error_code
283 hdb_prune_keys(krb5_context context, hdb_entry *entry)
284 {
285 if (!krb5_config_get_bool_default(context, NULL, FALSE,
286 "kadmin", "prune-key-history", NULL))
287 return 0;
288 return hdb_prune_keys_kvno(context, entry, 0);
289 }
290
291 /**
292 * This function adds a keyset to an HDB entry's key history.
293 *
294 * @param context Context
295 * @param entry HDB entry
296 * @param kvno Key version number of the key to add to the history
297 * @param key The Key to add
298 */
299 krb5_error_code
300 hdb_add_history_keyset(krb5_context context,
301 hdb_entry *entry,
302 const hdb_keyset *ks)
303 {
304 size_t i;
305 HDB_Ext_KeySet *hist_keys;
306 HDB_extension ext;
307 HDB_extension *extp;
308 krb5_error_code ret = 0;
309
310 memset(&ext, 0, sizeof (ext));
311
312 extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
313 if (extp == NULL) {
314 ext.mandatory = FALSE;
315 ext.data.element = choice_HDB_extension_data_hist_keys;
316 ext.data.u.hist_keys.len = 0;
317 ext.data.u.hist_keys.val = 0;
318 extp = &ext;
319 }
320 hist_keys = &extp->data.u.hist_keys;
321
322 for (i = 0; i < hist_keys->len; i++) {
323 if (hist_keys->val[i].kvno == ks->kvno) {
324 /* Replace existing */
325 free_HDB_keyset(&hist_keys->val[i]);
326 ret = copy_HDB_keyset(ks, &hist_keys->val[i]);
327 break;
328 }
329 }
330 if (i >= hist_keys->len)
331 ret = add_HDB_Ext_KeySet(hist_keys, ks); /* Append new */
332 if (ret == 0 && extp == &ext)
333 ret = hdb_replace_extension(context, entry, &ext);
334 free_HDB_extension(&ext);
335 return ret;
336 }
337
338 /**
339 * This function adds an HDB entry's current keyset to the entry's key
340 * history. The current keyset is left alone; the caller is responsible
341 * for freeing it.
342 *
343 * @param context Context
344 * @param entry HDB entry
345 *
346 * @return Zero on success, or an error code otherwise.
347 */
348 krb5_error_code
349 hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
350 {
351 krb5_error_code ret;
352 hdb_keyset ks;
353 time_t newtime;
354
355 if (entry->keys.len == 0)
356 return 0; /* nothing to do */
357
358 ret = hdb_entry_get_pw_change_time(entry, &newtime);
359 if (ret)
360 return ret;
361
362 ks.keys = entry->keys;
363 ks.kvno = entry->kvno;
364 ks.set_time = &newtime;
365
366 ret = hdb_add_history_keyset(context, entry, &ks);
367 if (ret == 0)
368 ret = hdb_prune_keys(context, entry);
369 return ret;
370 }
371
372 /**
373 * This function adds a key to an HDB entry's key history.
374 *
375 * @param context Context
376 * @param entry HDB entry
377 * @param kvno Key version number of the key to add to the history
378 * @param key The Key to add
379 *
380 * @return Zero on success, or an error code otherwise.
381 */
382 krb5_error_code
383 hdb_add_history_key(krb5_context context, hdb_entry *entry, krb5_kvno kvno, Key *key)
384 {
385 size_t i;
386 hdb_keyset keyset;
387 HDB_Ext_KeySet *hist_keys;
388 HDB_extension ext;
389 HDB_extension *extp;
390 krb5_error_code ret;
391
392 memset(&keyset, 0, sizeof (keyset));
393 memset(&ext, 0, sizeof (ext));
394
395 extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
396 if (extp == NULL) {
397 ext.data.element = choice_HDB_extension_data_hist_keys;
398 extp = &ext;
399 }
400
401 extp->mandatory = FALSE;
402 hist_keys = &extp->data.u.hist_keys;
403
404 for (i = 0; i < hist_keys->len; i++) {
405 if (hist_keys->val[i].kvno == kvno) {
406 ret = add_Keys(&hist_keys->val[i].keys, key);
407 goto out;
408 }
409 }
410
411 keyset.kvno = kvno;
412 ret = add_Keys(&keyset.keys, key);
413 if (ret)
414 goto out;
415 ret = add_HDB_Ext_KeySet(hist_keys, &keyset);
416 if (ret)
417 goto out;
418 if (extp == &ext) {
419 ret = hdb_replace_extension(context, entry, &ext);
420 if (ret)
421 goto out;
422 }
423
424 out:
425 free_HDB_keyset(&keyset);
426 free_HDB_extension(&ext);
427 return ret;
428 }
429
430 /**
431 * This function changes an hdb_entry's kvno, swapping the current key
432 * set with a historical keyset. If no historical keys are found then
433 * an error is returned (the caller can still set entry->kvno directly).
434 *
435 * @param context krb5_context
436 * @param new_kvno New kvno for the entry
437 * @param entry hdb_entry to modify
438 */
439 krb5_error_code
440 hdb_change_kvno(krb5_context context, krb5_kvno new_kvno, hdb_entry *entry)
441 {
442 HDB_extension ext;
443 HDB_extension *extp;
444 hdb_keyset keyset;
445 HDB_Ext_KeySet *hist_keys;
446 size_t i;
447 int found = 0;
448 krb5_error_code ret;
449
450 if (entry->kvno == new_kvno)
451 return 0;
452
453 extp = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
454 if (extp == NULL) {
455 memset(&ext, 0, sizeof (ext));
456 ext.data.element = choice_HDB_extension_data_hist_keys;
457 extp = &ext;
458 }
459
460 memset(&keyset, 0, sizeof (keyset));
461 hist_keys = &extp->data.u.hist_keys;
462 for (i = 0; i < hist_keys->len; i++) {
463 if (hist_keys->val[i].kvno == new_kvno) {
464 found = 1;
465 ret = copy_HDB_keyset(&hist_keys->val[i], &keyset);
466 if (ret)
467 goto out;
468 ret = remove_HDB_Ext_KeySet(hist_keys, i);
469 if (ret)
470 goto out;
471 break;
472 }
473 }
474
475 if (!found)
476 return HDB_ERR_KVNO_NOT_FOUND;
477
478 ret = hdb_add_current_keys_to_history(context, entry);
479 if (ret)
480 goto out;
481
482 /* Note: we do nothing with keyset.set_time */
483 entry->kvno = new_kvno;
484 entry->keys = keyset.keys; /* shortcut */
485 memset(&keyset.keys, 0, sizeof (keyset.keys));
486
487 out:
488 free_HDB_keyset(&keyset);
489 return ret;
490 }
491
492
493 static krb5_error_code
494 add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
495 krb5_enctype enctype, krb5_salt *salt)
496 {
497 krb5_error_code ret;
498 Key key, *tmp;
499
500 memset(&key, 0, sizeof(key));
501
502 tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0]));
503 if (tmp == NULL)
504 return ENOMEM;
505
506 *key_set = tmp;
507
508 key.key.keytype = enctype;
509 key.key.keyvalue.length = 0;
510 key.key.keyvalue.data = NULL;
511
512 if (salt) {
513 key.salt = calloc(1, sizeof(*key.salt));
514 if (key.salt == NULL) {
515 free_Key(&key);
516 return ENOMEM;
517 }
518
519 key.salt->type = salt->salttype;
520 krb5_data_zero (&key.salt->salt);
521
522 ret = krb5_data_copy(&key.salt->salt,
523 salt->saltvalue.data,
524 salt->saltvalue.length);
525 if (ret) {
526 free_Key(&key);
527 return ret;
528 }
529 } else
530 key.salt = NULL;
531
532 (*key_set)[*nkeyset] = key;
533
534 *nkeyset += 1;
535
536 return 0;
537 }
538
539
540 static
541 krb5_error_code
542 ks_tuple2str(krb5_context context, int n_ks_tuple,
543 krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
544 {
545 size_t i;
546 char **ksnames;
547 krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;
548
549 *ks_tuple_strs = NULL;
550 if (n_ks_tuple < 1)
551 return 0;
552
553 if ((ksnames = calloc(n_ks_tuple + 1, sizeof (*ksnames))) == NULL)
554 return (errno);
555
556 for (i = 0; i < n_ks_tuple; i++) {
557 char *ename, *sname;
558
559 if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
560 goto out;
561 if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
562 ks_tuple[i].ks_salttype, &sname)) {
563 free(ename);
564 goto out;
565 }
566
567 if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
568 rc = errno;
569 free(ename);
570 free(sname);
571 goto out;
572 }
573 free(ename);
574 free(sname);
575 }
576
577 ksnames[i] = NULL;
578 *ks_tuple_strs = ksnames;
579 return 0;
580
581 out:
582 for (i = 0; i < n_ks_tuple; i++)
583 free(ksnames[i]);
584 free(ksnames);
585 return (rc);
586 }
587
588 /*
589 *
590 */
591
592 static char **
593 glob_rules_keys(krb5_context context, krb5_const_principal principal)
594 {
595 const krb5_config_binding *list;
596 krb5_principal pattern;
597 krb5_error_code ret;
598
599 list = krb5_config_get_list(context, NULL, "kadmin",
600 "default_key_rules", NULL);
601 if (list == NULL)
602 return NULL;
603
604 while (list) {
605 if (list->type == krb5_config_string) {
606 ret = krb5_parse_name(context, list->name, &pattern);
607 if (ret == 0) {
608 ret = krb5_principal_match(context, principal, pattern);
609 krb5_free_principal(context, pattern);
610 if (ret) {
611 return krb5_config_get_strings(context, list,
612 list->name, NULL);
613 }
614 }
615 }
616 list = list->next;
617 }
618 return NULL;
619 }
620
621 /*
622 * NIST guidance in Section 5.1 of [SP800-132] requires that a portion
623 * of the salt of at least 128 bits shall be randomly generated.
624 */
625 static krb5_error_code
626 add_random_to_salt(krb5_context context, krb5_salt *in, krb5_salt *out)
627 {
628 krb5_error_code ret;
629 char *p;
630 unsigned char random[16];
631 char *s;
632 int slen;
633
634 krb5_generate_random_block(random, sizeof(random));
635
636 slen = rk_base64_encode(random, sizeof(random), &s);
637 if (slen < 0)
638 return ENOMEM;
639
640 ret = krb5_data_alloc(&out->saltvalue, slen + in->saltvalue.length);
641 if (ret) {
642 free(s);
643 return ret;
644 }
645
646 p = out->saltvalue.data;
647 memcpy(p, s, slen);
648 memcpy(&p[slen], in->saltvalue.data, in->saltvalue.length);
649
650 out->salttype = in->salttype;
651 free(s);
652
653 return 0;
654 }
655
656 /*
657 * Generate the `key_set' from the [kadmin]default_keys statement. If
658 * `no_salt' is set, salt is not important (and will not be set) since
659 * it's random keys that is going to be created.
660 */
661
662 krb5_error_code
663 hdb_generate_key_set(krb5_context context, krb5_principal principal,
664 krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
665 Key **ret_key_set, size_t *nkeyset, int no_salt)
666 {
667 char **ktypes = NULL;
668 char **kp;
669 krb5_error_code ret;
670 Key *k, *key_set;
671 size_t i, j;
672 char **ks_tuple_strs;
673 char **config_ktypes = NULL;
674 static const char *default_keytypes[] = {
675 "aes256-cts-hmac-sha1-96:pw-salt",
676 "des3-cbc-sha1:pw-salt",
677 "arcfour-hmac-md5:pw-salt",
678 NULL
679 };
680
681 if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
682 return ret;
683
684 ktypes = ks_tuple_strs;
685 if (ktypes == NULL) {
686 config_ktypes = glob_rules_keys(context, principal);
687 ktypes = config_ktypes;
688 }
689 if (ktypes == NULL) {
690 config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
691 "default_keys", NULL);
692 ktypes = config_ktypes;
693 }
694 if (ktypes == NULL)
695 ktypes = (char **)(intptr_t)default_keytypes;
696
697 *ret_key_set = key_set = NULL;
698 *nkeyset = 0;
699
700 for(kp = ktypes; kp && *kp; kp++) {
701 const char *p;
702 krb5_salt salt;
703 krb5_enctype *enctypes;
704 size_t num_enctypes;
705
706 p = *kp;
707 /* check alias */
708 if(strcmp(p, "v5") == 0)
709 p = "pw-salt";
710 else if(strcmp(p, "v4") == 0)
711 p = "des:pw-salt:";
712 else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
713 p = "des:afs3-salt";
714 else if (strcmp(p, "arcfour-hmac-md5") == 0)
715 p = "arcfour-hmac-md5:pw-salt";
716
717 memset(&salt, 0, sizeof(salt));
718
719 ret = parse_key_set(context, p,
720 &enctypes, &num_enctypes, &salt, principal);
721 if (ret) {
722 krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
723 ret = 0;
724 krb5_free_salt(context, salt);
725 continue;
726 }
727
728 for (i = 0; i < num_enctypes; i++) {
729 krb5_salt *saltp = no_salt ? NULL : &salt;
730 krb5_salt rsalt;
731
732 /* find duplicates */
733 for (j = 0; j < *nkeyset; j++) {
734
735 k = &key_set[j];
736
737 if (k->key.keytype == enctypes[i]) {
738 if (no_salt)
739 break;
740 if (k->salt == NULL && salt.salttype == KRB5_PW_SALT)
741 break;
742 if (k->salt->type == salt.salttype &&
743 k->salt->salt.length == salt.saltvalue.length &&
744 memcmp(k->salt->salt.data, salt.saltvalue.data,
745 salt.saltvalue.length) == 0)
746 break;
747 }
748 }
749 /* not a duplicate, lets add it */
750 if (j < *nkeyset)
751 continue;
752
753 memset(&rsalt, 0, sizeof(rsalt));
754
755 /* prepend salt with randomness if required */
756 if (!no_salt &&
757 _krb5_enctype_requires_random_salt(context, enctypes[i])) {
758 saltp = &rsalt;
759 ret = add_random_to_salt(context, &salt, &rsalt);
760 }
761
762 if (ret == 0)
763 ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i],
764 saltp);
765 krb5_free_salt(context, rsalt);
766
767 if (ret) {
768 free(enctypes);
769 krb5_free_salt(context, salt);
770 goto out;
771 }
772 }
773 free(enctypes);
774 krb5_free_salt(context, salt);
775 }
776
777 *ret_key_set = key_set;
778
779 out:
780 if (config_ktypes != NULL)
781 krb5_config_free_strings(config_ktypes);
782
783 for(kp = ks_tuple_strs; kp && *kp; kp++)
784 free(*kp);
785 free(ks_tuple_strs);
786
787 if (ret) {
788 krb5_warn(context, ret,
789 "failed to parse the [kadmin]default_keys values");
790
791 for (i = 0; i < *nkeyset; i++)
792 free_Key(&key_set[i]);
793 free(key_set);
794 } else if (*nkeyset == 0) {
795 krb5_warnx(context,
796 "failed to parse any of the [kadmin]default_keys values");
797 ret = EINVAL; /* XXX */
798 }
799
800 return ret;
801 }
802
803
804 krb5_error_code
805 hdb_generate_key_set_password_with_ks_tuple(krb5_context context,
806 krb5_principal principal,
807 const char *password,
808 krb5_key_salt_tuple *ks_tuple,
809 int n_ks_tuple,
810 Key **keys, size_t *num_keys)
811 {
812 krb5_error_code ret;
813 size_t i;
814
815 ret = hdb_generate_key_set(context, principal, ks_tuple, n_ks_tuple,
816 keys, num_keys, 0);
817 if (ret)
818 return ret;
819
820 for (i = 0; i < (*num_keys); i++) {
821 krb5_salt salt;
822 Key *key = &(*keys)[i];
823
824 salt.salttype = key->salt->type;
825 salt.saltvalue.length = key->salt->salt.length;
826 salt.saltvalue.data = key->salt->salt.data;
827
828 ret = krb5_string_to_key_salt (context,
829 key->key.keytype,
830 password,
831 salt,
832 &key->key);
833 if(ret)
834 break;
835 }
836
837 if(ret) {
838 hdb_free_keys (context, *num_keys, *keys);
839 return ret;
840 }
841 return ret;
842 }
843
844
845 krb5_error_code
846 hdb_generate_key_set_password(krb5_context context,
847 krb5_principal principal,
848 const char *password,
849 Key **keys, size_t *num_keys)
850 {
851
852 return hdb_generate_key_set_password_with_ks_tuple(context, principal,
853 password, NULL, 0,
854 keys, num_keys);
855 }
Heimdal