       1             : 
       2             : /*
       3             :  * Copyright (c) 1997 - 2011 Kungliga Tekniska Högskolan
       4             :  * (Royal Institute of Technology, Stockholm, Sweden).
       5             :  * All rights reserved.
       6             :  *
       7             :  * Redistribution and use in source and binary forms, with or without
       8             :  * modification, are permitted provided that the following conditions
       9             :  * are met:
      10             :  *
      11             :  * 1. Redistributions of source code must retain the above copyright
      12             :  *    notice, this list of conditions and the following disclaimer.
      13             :  *
      14             :  * 2. Redistributions in binary form must reproduce the above copyright
      15             :  *    notice, this list of conditions and the following disclaimer in the
      16             :  *    documentation and/or other materials provided with the distribution.
      17             :  *
      18             :  * 3. Neither the name of the Institute nor the names of its contributors
      19             :  *    may be used to endorse or promote products derived from this software
      20             :  *    without specific prior written permission.
      21             :  *
      22             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      23             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      24             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      25             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      26             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      27             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      28             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      29             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      30             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      31             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      32             :  * SUCH DAMAGE.
      33             :  */
      34             : 
      35             : #include "hdb_locl.h"
      36             : 
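/*
 * Free all the memory used by the array `keys' of `len' entries: each
 * entry's mkvno, salt (contents and container) and keyblock contents,
 * and finally the array itself.
 *
 * `keys' may be NULL when `len' is 0. A negative `len' is treated as 0
 * so the size_t loop bound can never become huge and run off the end of
 * the array; the array pointer is still released in that case.
 */
void
hdb_free_keys(krb5_context context, int len, Key *keys)
{
    size_t i, n;

    /* Guard the signed/unsigned comparison: len is an int, i a size_t,
     * so a negative len must be clamped before it is used as a bound. */
    n = (len > 0 && keys != NULL) ? (size_t)len : 0;

    for (i = 0; i < n; i++) {
        free(keys[i].mkvno);
        keys[i].mkvno = NULL;
        if (keys[i].salt != NULL) {
            free_Salt(keys[i].salt);
            free(keys[i].salt);
            keys[i].salt = NULL;
        }
        krb5_free_keyblock_contents(context, &keys[i].key);
    }
    free(keys);
}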
      58             : 
      59             : /*
       60             :  * for each entry in `default_keys' try to parse it as a sequence
       61             :  * of etype:salttype:salt, syntax of this is something like:
       62             :  * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
       63             :  *      means all etypes, and if string is omitted it means the default
       64             :  * string (for that principal). Additional special values:
      65             :  *      v5 == pw-salt, and
      66             :  *      v4 == des:pw-salt:
      67             :  *      afs or afs3 == des:afs3-salt
      68             :  */
      69             : 
/* Enctypes selected by the `des' etype specifier, and by an `afs3-salt'
 * entry that names no etype (see parse_key_set below). */
static const krb5_enctype des_etypes[] = {
    KRB5_ENCTYPE_DES_CBC_MD5,
    KRB5_ENCTYPE_DES_CBC_MD4,
    KRB5_ENCTYPE_DES_CBC_CRC
};

/* Enctypes used by a `pw-salt' entry that names no etype (see
 * parse_key_set below). Despite the name, the single-DES types above
 * are not part of this list. */
static const krb5_enctype all_etypes[] = {
    KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
    KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
    KRB5_ENCTYPE_DES3_CBC_SHA1
};
      81             : 
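/*
 * Parse one default_keys entry `key' of the form
 * [etype:]salttype[:saltstring] (see the syntax description above).
 *
 * On success *ret_enctypes is a malloc()ed array of *ret_num_enctypes
 * enctypes that the caller free()s, and *salt holds the salt type plus a
 * malloc()ed salt value that the caller releases with krb5_free_salt().
 * `salt->salttype' must be 0 on entry: that is how the parser tells a
 * salt specifier apart from a trailing literal salt string.
 *
 * On failure an error code is returned, *ret_enctypes is NULL and no
 * salt value is left allocated in *salt.
 */
static krb5_error_code
parse_key_set(krb5_context context, const char *key,
              krb5_enctype **ret_enctypes, size_t *ret_num_enctypes,
              krb5_salt *salt, krb5_principal principal)
{
    const char *p = key;
    char buf[3][256];
    int num_buf;
    int i, num_enctypes = 0;
    krb5_enctype e;
    const krb5_enctype *enctypes = NULL;
    krb5_error_code ret;

    *ret_enctypes = NULL;
    *ret_num_enctypes = 0;

    /* split p into a list of at most three :-separated strings */
    for (num_buf = 0; num_buf < 3; num_buf++)
        if (strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
            break;

    salt->saltvalue.data = NULL;
    salt->saltvalue.length = 0;

    for (i = 0; i < num_buf; i++) {
        if (enctypes == NULL && num_buf > 1) {
            /* With more than one field the first one is an etype
             * specifier. `des' and `des3' are handled here because
             * krb5_string_to_enctype() knows no such aliases. */
            if (strcmp(buf[i], "des") == 0) {
                enctypes = des_etypes;
                num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
            } else if (strcmp(buf[i], "des3") == 0) {
                e = KRB5_ENCTYPE_DES3_CBC_SHA1;
                enctypes = &e;
                num_enctypes = 1;
            } else {
                ret = krb5_string_to_enctype(context, buf[i], &e);
                if (ret)
                    return ret;
                enctypes = &e;
                num_enctypes = 1;
            }
            continue;
        }
        if (salt->salttype == 0) {
            /* A salt specifier; when no etype was named it also picks
             * the default enctype list for that salt type. An unknown
             * word leaves salttype at 0 and is rejected below. */
            if (strcmp(buf[i], "pw-salt") == 0) {
                if (enctypes == NULL) {
                    enctypes = all_etypes;
                    num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
                }
                salt->salttype = KRB5_PW_SALT;
            } else if (strcmp(buf[i], "afs3-salt") == 0) {
                if (enctypes == NULL) {
                    enctypes = des_etypes;
                    num_enctypes = sizeof(des_etypes)/sizeof(des_etypes[0]);
                }
                salt->salttype = KRB5_AFS3_SALT;
            }
            continue;
        }

        /* A trailing field is the literal string to salt with; this is
         * mostly useful with a null salt for v4 compat, and a cell name
         * for afs compat. With at most three fields this branch runs at
         * most once per entry, so nothing is overwritten or leaked. */
        salt->saltvalue.data = strdup(buf[i]);
        if (salt->saltvalue.data == NULL) {
            krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
            return ENOMEM;
        }
        salt->saltvalue.length = strlen(buf[i]);
    }

    /* A salt value can only have been strdup()ed once a salt type (and
     * with it an enctype list) was set, so this return leaks nothing. */
    if (enctypes == NULL || salt->salttype == 0) {
        krb5_set_error_message(context, EINVAL, "bad value for default_keys `%s'", key);
        return EINVAL;
    }

    /* if no salt was specified make up the default salt */
    if (salt->saltvalue.data == NULL) {
        if (salt->salttype == KRB5_PW_SALT) {
            ret = krb5_get_pw_salt(context, principal, salt);
            /* This result used to be ignored, so a failure here returned
             * success with whatever krb5_get_pw_salt() left in *salt. */
            if (ret)
                return ret;
        } else if (salt->salttype == KRB5_AFS3_SALT) {
            krb5_const_realm realm = krb5_principal_get_realm(context, principal);
            salt->saltvalue.data = strdup(realm);
            if (salt->saltvalue.data == NULL) {
                krb5_set_error_message(context, ENOMEM,
                                       "out of memory while "
                                       "parsing salt specifiers");
                return ENOMEM;
            }
            /* the afs3 salt is the lower-cased realm (cell) name */
            strlwr(salt->saltvalue.data);
            salt->saltvalue.length = strlen(realm);
        }
    }

    *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
    if (*ret_enctypes == NULL) {
        krb5_free_salt(context, *salt);
        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
    }
    memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
    *ret_num_enctypes = num_enctypes;

    return 0;
}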
     198             : 
     199             : 
/**
 * This function adds an HDB entry's current keyset to the entry's key
 * history.  The current keyset is left alone; the caller is responsible
 * for freeing it.
 *
 * When the entry has no hist_keys extension yet, a temporary one is
 * built here and installed with hdb_replace_extension(), which copies
 * it; the temporary is therefore released before returning, on every
 * path.
 *
 * @param context   Context
 * @param entry     HDB entry
 *
 * @return 0 on success, otherwise a krb5 error code.
 */
krb5_error_code
hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
{
    krb5_error_code ret;
    HDB_extension *hist;
    HDB_extension *owned = NULL;   /* non-NULL only when hist is ours */
    hdb_keyset keyset;
    time_t change_time;

    hist = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys);
    if (hist == NULL) {
        owned = calloc(1, sizeof(*owned));
        if (owned == NULL)
            return krb5_enomem(context);
        owned->data.element = choice_HDB_extension_data_hist_keys;
        hist = owned;
    }

    /* The newest historical keyset is the entry's current one. */
    ret = hdb_entry_get_pw_change_time(entry, &change_time);
    if (ret == 0) {
        memset(&keyset, 0, sizeof(keyset));
        keyset.keys = entry->keys;
        keyset.kvno = entry->kvno;
        keyset.set_time = &change_time;
        ret = add_HDB_Ext_KeySet(&hist->data.u.hist_keys, &keyset);
    }

    /* hdb_replace_extension() deep-copies the extension, so the one
     * built above is freed below whether or not this succeeds. */
    if (ret == 0 && owned != NULL)
        ret = hdb_replace_extension(context, entry, owned);

    if (owned != NULL) {
        free_HDB_extension(owned);
        free(owned);
    }
    return ret;
}
     259             : 
     260             : 
/*
 * Append one Key with enctype `enctype' and an empty key value to the
 * array *key_set, which is grown with realloc() from *nkeyset entries to
 * one more. When `salt' is non-NULL a copy of it is attached to the new
 * Key, otherwise the Key carries no salt.
 *
 * Returns 0, ENOMEM, or the error from krb5_data_copy(). On failure
 * *key_set may already have been grown, but *nkeyset is unchanged and
 * the partially built Key has been released.
 */
static krb5_error_code
add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
                       krb5_enctype enctype, krb5_salt *salt)
{
    Key *grown;
    Key newkey;

    grown = realloc(*key_set, (*nkeyset + 1) * sizeof(grown[0]));
    if (grown == NULL)
        return ENOMEM;
    *key_set = grown;

    memset(&newkey, 0, sizeof(newkey));
    newkey.key.keytype = enctype;
    newkey.key.keyvalue.length = 0;
    newkey.key.keyvalue.data = NULL;
    newkey.salt = NULL;

    if (salt != NULL) {
        krb5_error_code ret;

        newkey.salt = calloc(1, sizeof(*newkey.salt));
        if (newkey.salt == NULL) {
            free_Key(&newkey);
            return ENOMEM;
        }
        newkey.salt->type = salt->salttype;
        krb5_data_zero(&newkey.salt->salt);
        ret = krb5_data_copy(&newkey.salt->salt,
                             salt->saltvalue.data,
                             salt->saltvalue.length);
        if (ret != 0) {
            free_Key(&newkey);
            return ret;
        }
    }

    (*key_set)[*nkeyset] = newkey;
    *nkeyset += 1;
    return 0;
}
     306             : 
     307             : 
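/*
 * Release a NULL-terminated list of strings produced by ks_tuple2str().
 * A NULL list is accepted.
 */
static void
free_ks_tuple_strs(char **strs)
{
    size_t i;

    if (strs == NULL)
        return;
    for (i = 0; strs[i] != NULL; i++)
        free(strs[i]);
    free(strs);
}

/*
 * Turn the `n_ks_tuple' key/salt tuples in `ks_tuple' into a
 * NULL-terminated list of "enctype:salttype" strings, the syntax that
 * parse_key_set() accepts.
 *
 * On success *ks_tuple_strs is the list (NULL when n_ks_tuple < 1) and
 * the caller releases it with free_ks_tuple_strs(). On failure the
 * error code is returned, *ks_tuple_strs is NULL and nothing is leaked.
 */
static
krb5_error_code
ks_tuple2str(krb5_context context, int n_ks_tuple,
             krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
{
    size_t i, n;
    char **ksnames;
    char *ename, *sname;
    krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;

    *ks_tuple_strs = NULL;
    if (n_ks_tuple < 1)
        return 0;
    n = (size_t)n_ks_tuple;

    /* One extra slot for the NULL terminator that the consumer's
     * `kp && *kp' loop relies on. */
    if ((ksnames = calloc(n + 1, sizeof(*ksnames))) == NULL)
        return ENOMEM;

    for (i = 0; i < n; i++) {
        if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
            goto out;
        if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
                                    ks_tuple[i].ks_salttype, &sname)) {
            free(ename);    /* was leaked on this path */
            goto out;
        }

        if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
            rc = errno;
            /* asprintf() leaves the pointer undefined on failure */
            ksnames[i] = NULL;
            free(ename);
            free(sname);
            goto out;
        }
        free(ename);
        free(sname);
    }

    /* Success: ownership of ksnames passes to the caller. Previously
     * control fell through into the cleanup below, so the caller was
     * handed an already freed list. */
    *ks_tuple_strs = ksnames;
    return 0;

out:
    free_ks_tuple_strs(ksnames);
    return (rc);
}

/*
 * Generate the `key_set' from the key/salt tuples in `ks_tuple' when
 * `n_ks_tuple' > 0, otherwise from the [kadmin]default_keys statement,
 * falling back to a built-in list. If `no_salt' is set, salt is not
 * important (and will not be set) since it's random keys that is going
 * to be created.
 *
 * On success *ret_key_set holds *nkeyset keys with empty key values and
 * the caller frees them with hdb_free_keys(). Entries that do not parse
 * are warned about and skipped; it is an error only when no entry at
 * all could be used. On failure *ret_key_set is NULL and *nkeyset is 0.
 */
krb5_error_code
hdb_generate_key_set(krb5_context context, krb5_principal principal,
                     int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
                     Key **ret_key_set, size_t *nkeyset, int no_salt)
{
    char **ktypes = NULL;
    char **kp;
    krb5_error_code ret;
    Key *k, *key_set;
    size_t i, j;
    char **ks_tuple_strs = NULL;
    static const char *default_keytypes[] = {
        "aes256-cts-hmac-sha1-96:pw-salt",
        "des3-cbc-sha1:pw-salt",
        "arcfour-hmac-md5:pw-salt",
        NULL
    };

    *ret_key_set = key_set = NULL;
    *nkeyset = 0;

    if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
        return ret;

    /* Explicit tuples win over the configuration, which wins over the
     * built-in defaults. */
    if (ks_tuple_strs != NULL)
        ktypes = ks_tuple_strs;
    else
        ktypes = krb5_config_get_strings(context, NULL, "kadmin",
                                         "default_keys", NULL);
    if (ktypes == NULL)
        ktypes = (char **)(intptr_t)default_keytypes;

    for (kp = ktypes; kp && *kp; kp++) {
        const char *p;
        krb5_salt salt;
        krb5_enctype *enctypes;
        size_t num_enctypes;

        p = *kp;
        /* check alias */
        if (strcmp(p, "v5") == 0)
            p = "pw-salt";
        else if (strcmp(p, "v4") == 0)
            p = "des:pw-salt:";
        else if (strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
            p = "des:afs3-salt";
        else if (strcmp(p, "arcfour-hmac-md5") == 0)
            p = "arcfour-hmac-md5:pw-salt";

        /* salttype must be 0 for parse_key_set() to recognise a salt
         * specifier; on error it leaves no salt value allocated. */
        memset(&salt, 0, sizeof(salt));

        ret = parse_key_set(context, p,
                            &enctypes, &num_enctypes, &salt, principal);
        if (ret) {
            krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
            ret = 0;
            continue;
        }

        for (i = 0; i < num_enctypes; i++) {
            /* find duplicates */
            for (j = 0; j < *nkeyset; j++) {

                k = &key_set[j];

                if (k->key.keytype == enctypes[i]) {
                    if (no_salt)
                        break;
                    if (k->salt == NULL && salt.salttype == KRB5_PW_SALT)
                        break;
                    /* k->salt is only NULL when no_salt was set, which
                     * returned above; the check is purely defensive. */
                    if (k->salt != NULL &&
                        k->salt->type == salt.salttype &&
                        k->salt->salt.length == salt.saltvalue.length &&
                        memcmp(k->salt->salt.data, salt.saltvalue.data,
                               salt.saltvalue.length) == 0)
                        break;
                }
            }
            /* not a duplicate, lets add it */
            if (j == *nkeyset) {
                ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i],
                                             no_salt ? NULL : &salt);
                if (ret) {
                    free(enctypes);
                    krb5_free_salt(context, salt);
                    goto out;
                }
            }
        }
        free(enctypes);
        krb5_free_salt(context, salt);
    }

    *ret_key_set = key_set;

 out:
    if (ktypes == ks_tuple_strs)
        free_ks_tuple_strs(ks_tuple_strs);
    else if (ktypes != (char **)(intptr_t)default_keytypes)
        krb5_config_free_strings(ktypes);

    if (ret) {
        krb5_warn(context, ret,
                  "failed to parse the [kadmin]default_keys values");

        for (i = 0; i < *nkeyset; i++)
            free_Key(&key_set[i]);
        free(key_set);
        /* keep the out-parameters consistent with each other */
        *ret_key_set = NULL;
        *nkeyset = 0;
    } else if (*nkeyset == 0) {
        krb5_warnx(context,
                   "failed to parse any of the [kadmin]default_keys values");
        ret = EINVAL; /* XXX */
    }

    return ret;
}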
     469             : 
     470             : 
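/*
 * Generate the key set for `principal' from `password': build the
 * enctype/salt list with hdb_generate_key_set() and then derive each
 * key with krb5_string_to_key_salt().
 *
 * On success *keys holds *num_keys keys that the caller releases with
 * hdb_free_keys(). On failure the error code is returned and *keys is
 * NULL with *num_keys 0, so the caller never holds a freed array.
 */
krb5_error_code
hdb_generate_key_set_password(krb5_context context,
                              krb5_principal principal,
                              const char *password,
                              Key **keys, size_t *num_keys)
{
    krb5_error_code ret;
    size_t i;

    /* no_salt is 0, so every key comes back with a salt attached */
    ret = hdb_generate_key_set(context, principal, 0, NULL,
                               keys, num_keys, 0);
    if (ret)
        return ret;

    for (i = 0; i < *num_keys; i++) {
        Key *key = &(*keys)[i];
        krb5_salt salt;

        /* Defensive: never dereference a missing salt; with no_salt == 0
         * hdb_generate_key_set() attaches one to every key. */
        if (key->salt == NULL) {
            ret = EINVAL;
            break;
        }

        /* krb5_salt borrows the Salt's storage; nothing to free here */
        salt.salttype = key->salt->type;
        salt.saltvalue.length = key->salt->salt.length;
        salt.saltvalue.data = key->salt->salt.data;

        ret = krb5_string_to_key_salt(context,
                                      key->key.keytype,
                                      password,
                                      salt,
                                      &key->key);
        if (ret)
            break;
    }

    if (ret) {
        hdb_free_keys(context, *num_keys, *keys);
        /* the array is gone; do not leave the caller a dangling pointer */
        *keys = NULL;
        *num_keys = 0;
    }
    return ret;
}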
